Security
Security is a fundamental aspect of identity and access management. LoginRadius offers robust security features to protect customer identities, prevent unauthorized access, and ensure compliance with privacy regulations. This document covers key security mechanisms, including user attack protection, password management, multi-factor authentication (MFA), session management, risk-based authentication, consent and access management, and role-based permissions.
Common Business Use Cases
- Preventing Fraudulent Access: Blocks unauthorized logins with brute force protection and bot detection.
- Protecting Sensitive Data: Enforces strong password policies and secure hashing to safeguard user credentials.
- Ensuring Secure Authentication: Implements MFA to prevent account takeovers and unauthorized access.
- Managing User Sessions: Controls session duration, automatic timeouts, and concurrent login restrictions.
- Maintaining Compliance: Ensures adherence to regulatory requirements with consent management and role-based access control.
Customer Security
LoginRadius provides multiple security solutions to protect user accounts, prevent fraud, and enhance platform security. These measures include fraud prevention, password management, multi-factor authentication, risk-based authentication, and more. Below is an overview of key security mechanisms.
User Attack Protection
User Attack Protection is a security framework designed to protect user accounts from unauthorized access attempts, including brute force attacks, bot intrusions, and logins that use breached credentials. It combines several features that together strengthen the authentication process and reduce the risk of malicious activity.
- Brute Force Protection: Restricts account access after repeated failed login or incorrect token/OTP attempts.
- Breached Password Protection: Prevents users from using known compromised passwords.
- Bot Protection: Implements CAPTCHA challenges to prevent automated attacks.
- Domain Access Management (IP Access Restriction): Allows only specified IP addresses to make authentication requests.
Refer to the User Attack Protection Documentation for comprehensive details on configuring these protections.
Server-Side Validation
Server-side validation is a LoginRadius feature that adds an extra layer of security by ensuring that all required fields and validation rules are enforced on the server, not just in the browser. This helps prevent users from bypassing validation through tools like browser developer tools or automated scripts.
How it works
When this feature is enabled, LoginRadius automatically checks that incoming data—such as during registration or profile updates—meets the validation rules defined in your site's schema. These rules may include required fields, field formats, minimum and maximum character limits, and more. If the submitted data doesn't meet these rules, the server will reject the request and return an error response. This helps ensure clean, valid data is stored in your database and protects against potentially harmful input.
Where can it be enabled?
This feature is not available through the Admin Console. To enable server-side validation for your site, please contact the LoginRadius Support Team with your site name and request activation. The feature will be enabled from the backend.
How is it different from client-side validation?
Client-side validation happens in the user's browser and helps provide a smooth user experience. However, it can be bypassed using browser tools or by tampering with network requests. Server-side validation is enforced by the LoginRadius platform after data reaches the server. It cannot be bypassed and ensures your validation rules are always applied correctly.
| Aspect | Client-Side Validation | Server-Side Validation |
|---|---|---|
| Where it runs | In the user's browser | On the LoginRadius server |
| Can it be bypassed? | Yes | No |
| Purpose | Enhances user experience | Enforces security and data integrity |
| Speed | Instant feedback | Slight delay (request round-trip) |
What fields are supported when server-side validation is enabled?
Server-side validation will apply to all fields that have validation rules defined in your LoginRadius schema, including:
- Required fields (e.g., Email, Username, Phone)
- Field formats (e.g., valid email structure, date formats)
- Minimum and maximum length restrictions
- Regex pattern validations (if configured)
- Password complexity and policy rules
- Custom fields (as long as rules are defined in your schema)
Note: Only fields defined in the schema are validated. Fields that have no rules defined, and fields that are not configured in the schema at all, are not affected by this feature.
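As an added illustration of the behaviour described above (this is example code, not LoginRadius's implementation), the following handler applies a constructed schema of required, format, length and regex rules to a submitted registration payload and rejects the request with an error response if any rule fails. The schema layout, field names and rule keys are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed schema in the spirit of the rules listed above; field names and
# rule keys are assumptions, not LoginRadius's real schema format.
SCHEMA = {
    "Email":     {"required": True, "format": "email", "maxLength": 254},
    "UserName":  {"required": True, "minLength": 3, "maxLength": 20,
                  "regex": r"[A-Za-z0-9_]+"},
    "PhoneId":   {"regex": r"\+[1-9][0-9]{7,14}"},
    "BirthDate": {"format": "date"},
}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

def _format_ok(fmt, value):
    if fmt == "email":
        return EMAIL_RE.fullmatch(value) is not None
    if fmt == "date":
        try:
            datetime.strptime(value, "%Y-%m-%d")
            return True
        except ValueError:
            return False
    return True  # an unknown format name imposes no constraint

def validate(payload, schema=SCHEMA):
    """Return (field, failed_rule) pairs. Fields not in the schema are ignored;
    an optional field that is absent or blank is not checked further."""
    errors = []
    for field, rules in schema.items():
        value = str(payload.get(field) or "")
        if not value.strip():
            if rules.get("required"):
                errors.append((field, "required"))
            continue
        if "minLength" in rules and len(value) < rules["minLength"]:
            errors.append((field, "minLength"))
        if "maxLength" in rules and len(value) > rules["maxLength"]:
            errors.append((field, "maxLength"))
        if "format" in rules and not _format_ok(rules["format"], value):
            errors.append((field, "format"))
        if "regex" in rules and re.fullmatch(rules["regex"], value) is None:
            errors.append((field, "regex"))
    return errors

def handle_registration(payload):
    """Server-side decision: any rule failure rejects the whole request."""
    errors = validate(payload)
    return {"status": 400, "errors": errors} if errors else {"status": 200}
```

Because the decision is made from the schema on the server, a client that strips the browser-side checks or edits the request in transit still receives the 400 response.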
Password Management
Password management is critical to securing user accounts and preventing unauthorized access. Organizations can mitigate security risks associated with weak or compromised credentials by enforcing robust password policies. The LoginRadius Admin Console provides administrators with a suite of password management features, enabling them to define password rules, enforce security standards, and ensure compliance with best practices.
This document outlines key aspects of password management, including password expiration, password history, and password complexity. It also highlights default password policies, compliance checks, and password visibility settings to help organizations maintain strong security hygiene.
Password Management Features
- Password Expiration: Ensures users update their passwords periodically to minimize security risks.
- Password History: Prevents users from reusing previous passwords to maintain stronger security.
- Password Complexity: Enforces strong password creation by applying validation rules.
For detailed configuration steps and customization options, navigate to the Password Management Documentation.
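To make the three features concrete, here is an added example (not LoginRadius code) that enforces password expiration, password history and password complexity together on a password change. The policy values, the PBKDF2 hashing choice and the in-memory history list are assumptions for the example; the real values are configured in the Admin Console.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Constructed policy values; the real ones come from the Admin Console settings.
POLICY = {
    "expiry_days": 90,          # password expiration
    "history_size": 5,          # password history: last N hashes are kept
    "min_length": 12,           # password complexity
    "required_classes": [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"],
}
ITERATIONS = 100_000

def hash_password(password):
    """Salted PBKDF2-HMAC-SHA256; the 16-byte salt is stored with the digest."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def complexity_errors(password, policy=POLICY):
    errors = ["min_length"] if len(password) < policy["min_length"] else []
    errors += [f"missing:{p}" for p in policy["required_classes"]
               if not re.search(p, password)]
    return errors

def password_expired(last_changed, now, policy=POLICY):
    """Expiration: a change is forced once the password is older than the limit."""
    return now - last_changed > timedelta(days=policy["expiry_days"])

def change_password(new_password, history, policy=POLICY):
    """Apply complexity and history rules; on success append the new hash to
    `history` (a list of stored hashes, oldest first) and trim it to size."""
    reasons = complexity_errors(new_password, policy)
    if any(verify_password(new_password, h) for h in history):
        reasons.append("reused")
    if reasons:
        return False, reasons
    history.append(hash_password(new_password))
    del history[:-policy["history_size"]]
    return True, []
```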
Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) enhances security by requiring users to verify their identity through multiple authentication factors. It provides an additional layer of protection against unauthorized access, ensuring the account remains secure even if one authentication factor is compromised.
MFA Authentication Methods
LoginRadius supports the following MFA methods:
- SMS OTP: A one-time passcode is sent via SMS for verification.
- Time-Based OTP: Users generate an OTP through an authenticator app.
- Email OTP: A verification code is sent via email.
- Security Questions: Users answer predefined questions for authentication.
- Push Notification: A push request is sent for approval.
- Passkey: Uses public-private key cryptography for phishing-resistant authentication.
- Backup Codes: Users generate backup codes for emergency access.
- Duo Authentication: Supports push notifications, SMS, and hardware tokens for MFA.
Please refer to the MFA Documentation in the LoginRadius Admin Console for detailed configuration steps.
Step-Up Authentication
Step-up authentication requires users to re-authenticate when performing sensitive actions, such as changing passwords or accessing critical data. This ensures that even if a user session is active, additional verification is required for high-risk operations.
For detailed configuration steps, navigate to the Step-Up Authentication Documentation.
Session Management
Session Management is crucial to securing user sessions: it defines session duration, manages token lifetimes, and mitigates risks such as session hijacking. It balances user convenience and security by allowing organizations to enforce policies that regulate session behavior and expiration.
Administrators can configure session settings to determine how long a user remains authenticated before requiring re-authentication. This helps reduce unauthorized access risks while maintaining a seamless user experience.
Use Cases:
- Enforcing session timeouts for inactive users to prevent unauthorized access.
- Setting up automatic session expiration for highly sensitive environments.
- Implementing token refresh policies to balance security and usability.
Refer to the Session Management Documentation for comprehensive details on configuring session settings.
Risk-based/Adaptive Authentication
Risk-Based Authentication (RBA) enhances security by assessing user behavior and enforcing additional verification measures when unusual activities are detected. It dynamically evaluates risk factors such as location, device, IP address, and browser history to determine if further authentication is necessary.
By leveraging RBA, organizations can strengthen account security while maintaining a frictionless user experience for legitimate access attempts. When a login attempt appears suspicious, predefined security responses—such as multi-factor authentication (MFA) prompts, alerts, or access restrictions—are triggered to mitigate potential threats.
For detailed configuration steps, navigate to the Risk-based/Adaptive Authentication Documentation.
Privacy and Consent Management
As global regulations tighten around data protection, managing user consent and privacy settings has become essential for businesses. LoginRadius provides comprehensive tools to manage user consent, privacy policies, and access controls efficiently.
Consent Management
Consent Management enables businesses to obtain, manage, and store customer consent at various stages, such as registration, login, or throughout their lifecycle. This functionality ensures compliance with global data protection regulations, including GDPR and CCPA, while giving customers transparency and control over their data.
Use Cases:
- A company collecting user consent for marketing emails during sign-up.
- Allowing users to revoke previously granted consents via a self-service portal.
- Ensuring compliance with regional data protection laws by recording consent timestamps.
For detailed configuration steps, refer to the Consent Management Configuration Guide.
Privacy Policy Management
Privacy Policy Versioning allows businesses to track changes in their privacy policies, ensuring that customers acknowledge and accept the latest versions. This feature supports compliance with legal requirements and provides a structured approach to managing policy updates.
Use Cases:
- Notifying users of updated privacy policies and requiring re-acceptance before continuing.
- Maintaining a history of past privacy policy versions for audit purposes.
- Automatically enforcing updated policies based on user segments.
For detailed configuration steps, refer to the Privacy Policy Management Configuration Guide.
Roles and Permissions
Roles and Permissions allow businesses to control access levels within their applications. Companies can enforce security measures and ensure appropriate access to system functionalities by assigning user roles and defining specific permissions.
Use Cases:
- Restricting access to sensitive data based on user roles.
- Allowing administrators to manage user permissions dynamically.
- Implementing context-based permissions for specific actions within an application.
For detailed configuration steps, refer to the Roles and Permissions Configuration Guide.
Best Practices
- Enable MFA to add an extra layer of security and protect against unauthorized access.
- Implement Strong Password Policies to prevent weak or compromised passwords.
- Use Risk-Based Authentication to detect suspicious behavior and trigger additional verification.
- Enforce Secure Session Management to limit session duration and prevent hijacking.