We’ve said it before: your password is useless. The 2020 Verizon Data Breach Investigations Report underlines it: over 80% of the hacking breaches involved brute force or stolen credentials. If your whole identity is unlocked with just a string of text that is easy to guess or has been compromised in an earlier data breach, then your identity is not very safe, and neither is anything that it has access to.
Relying on the old-style username and password combo is dangerous. So why not make it so that your FileMaker solution does not need a password at all for login?
Since FileMaker 16, you have been able to hand user authentication off to modern external Identity Providers (IdPs), initially Microsoft Azure AD, Amazon, and Google accounts. And since FileMaker 17, you can basically use any provider that uses the OAuth2 variant of OpenID Connect. Many of these providers are now adopting the new WebAuthn protocol. For a quick primer on what that is, visit this very informative web site: https://webauthn.guide/
In short, you can now use a security key or token as the primary authentication factor, or as one of the multiple factors you want to support.
Steven Blackwell and I have co-authored a new white paper in our OAuth series that describes how to use a Yubikey security key to log into our FileMaker solution.
And to underline the many options and choices you have in picking your preferred Identity Provider, we also show how to configure Red Hat’s Keycloak as an on-premise IdP. This demonstrates that you are not limited to the cloud-only options we have used up to this point (Okta, Ping, OneLogin, MiniOrange, Auth0) or to commercial on-premise authentication providers such as Active Directory and its AD FS.
This white paper complements the others in this series:
- How FileMaker Developers Can Extend Authentication Options With New Additional oauth2 Identity Providers in the FileMaker Platform (Using Okta)
- Addendum 1: Using Ping, the FDA Success Story
- Addendum 2: Using OneLogin
- Addendum 3: Using Security Keys and Tokens (and using Keycloak)
- Addendum 4: Using Active Directory Federation Services (AD FS)
You can also keep track of our content around modern authentication by using the OAuth tag on our web site. If you have any questions about how to implement this in your own FileMaker solution, our team is happy to help.
No SAML?
SAML is not supported directly by FileMaker Server. But depending on your choice of identity provider, you can use that provider as a broker to an identity provider that only supports SAML. Keycloak, for instance, which we use in Addendum 3, supports this. One of our future white papers will show it in action.