Skip to main content

Threat models and security profiles

Threat modeling is essential for securing a system like Ory Identities. This document provides guidelines for identifying and analyzing threats and implementing security measures for Ory Identities.

Working with and managing software that stores personal information carries risk. It's important to identify threats and understand the system's attack surface, the likelihood, and the impact of an attack.

Regarding Ory Identities, threats could include hackers or malicious insiders who may try to steal or manipulate personal information. To protect against these threats, it's important to implement appropriate security measures, such as strong authentication and access controls. Regular monitoring and quick response to security incidents are also crucial. When using Ory Network, defenses are provided as part of the platform's security infrastructure. For self-hosted instances of Ory Kratos Identity Server, reach out to Ory Support.

Digital identity guidelines

No universally accepted standard for digital identity exists.
Ory follows Digital Identity Guidelines established by the National Institute of Standards and Technology (NIST).
These guidelines are accompanied by a FAQ that provides answers to common questions.

Defenses against bots and automated attacks

Ory Network takes a proactive approach to combat bot and other automated attacks with bot detection and suspicious IP throttling. To detect bots and throttle suspicious IPs, Ory Network leverages the Cloudflare Web Application Firewall (WAF) and Cloudflare Bot Management services. These features are built into Ory Network and allow Ory to defend against automated threats without impacting the user experience.

When using Ory Network, these automated attack defenses are provided as part of the platform's security infrastructure. For self-hosted instances of Ory Kratos Identity Server, it's the responsibility of the administrator to implement and manage appropriate measures to maintain a secure environment. Reach out to Ory Support for help with this task.

Defenses against brute-force attacks

Ory Network provides Ory Identities with protection against brute-force attacks by rate limiting requests to API public endpoints, for example login and registration endpoints.

When using Ory Network, these defenses are provided as part of the platform's security infrastructure. When self-hosting the Ory Kratos Identity Server, it's the responsibility of the administrator to implement and manage rate limiting or other measures to ensure the security of the network. Reach out to Ory Support for help with this task.

Defenses against cross-site request forgery

Cross-site request forgery (CSRF or XSRF) is an attack where a malicious site tricks a user's browser into sending a request to another site without user consent. This can occur even without a user session in a login CSRF attack. In the context of Ory Identities, it's an attack vector that can be exploited to gain unauthorized access to a user account or perform actions on their behalf.

To protect against these attacks, Ory Identities uses various countermeasures, including the sameSite attribute and a dedicated anti-CSRF cookie using the synchronizer token pattern. The protected APIs are mainly the endpoints that accept the POST, DELETE, or PUT methods. For example, when an app renders a form, a <input type="hidden" name="csrf_token" value="..."> HTML input element is added. Ory Identities compares that value to the value set in the anti-CSRF cookie. If the values match, the request is allowed.

Password policy

By default Ory uses a password policy that follows the Digital Identity Guidelines established by the National Institute of Standards and Technology (NIST). To learn more about configuring up a password policy, refer to the password policy page for instructions and best practices.

OAuth 2.0 security

Ory OAuth2 and OpenID Connect is a certified OAuth2 and OpenID Connect provider. You can read more in the OAuth 2.0 security overview documentation.

CAPTCHAs

Ory Identities supports protecting the registration and login endpoints with CAPTCHA challenges. This is useful to prevent credential stuffing, brute force and other automated attacks.

Prerequisites

Before proceeding, ensure you are on a plan that supports this feature. If you need CAPTCHA support, please reach out.

Supported CAPTCHA providers are:

Cloudflare Turnstile widgets support a maximum of 10 allowed domains. When CAPTCHA is enabled, this list will be automatically populated with your currently configured custom domains. If your domain list exceeds this limit, you won't be able to enable CAPTCHA protection.

  1. Go to AuthenticationRegistration in the Ory Console.

  2. Toggle CAPTCHA protection.

  3. Click Save.

  4. Navigate to your registration or login screen to test the CAPTCHA protection.