Thomas Pedersen
posted this on May 02, 2010 09:11 am
OneLogin deals with two different types of passwords: the user's OneLogin password and application passwords. The OneLogin password is never stored in the system and is used as the encryption key for all of a user's application passwords. The encryption algorithm used is AES-128, which has no known practical attack and has been adopted by the U.S. Government as a standard. In the worst case, where an intruder gains access to OneLogin's database and all the encrypted application passwords, they still could not be decrypted without the user's password, since the encryption key is not stored anywhere on OneLogin's system. In practice the strength of such a scheme therefore rests on the user's OneLogin password being hard to guess, not on AES alone.
Strong authentication means you must present more than one authentication factor to log in. OneLogin users have the option to use Yubico's YubiKey to generate a one-time password in addition to entering their username and password. This is more secure because another person cannot log into your account if they somehow get hold of your username and password: they must also have your YubiKey in their possession.
Under normal circumstances, you can recover your password via email. If you are using the 'user password' encryption policy, your application passwords were encrypted under your old password, so resetting the password alone would leave them unreadable; your admin will have to submit the master key to re-encrypt all your application passwords. Don't forget your password.
Do not lose the master key. Burn the master key to two CDs, print it out on paper and put it all in a safe. Do not lose the master key.
Yes, although you register using your work email address, you can add personal logins for apps like Facebook, Twitter, LinkedIn etc. Your personal logins are completely private to you. Not even your administrator can see them.
All passwords are stored encrypted using AES-128 and are never transmitted in clear text. On the paid plans, application passwords are encrypted with each user's own password, which makes it impossible even for OneLogin to decrypt them. The user's encryption key is never stored anywhere and is kept only in memory in the browser while the user is logged into OneLogin. Passwords are decrypted just-in-time, immediately before the user is logged into an application.
OneLogin is an OpenID provider and automatically issues every user an OpenID. Because OneLogin already knows that the user intends to log into an application, the user never sees the extra authentication step on an external site that so often occurs with OpenID.
OneLogin has a built-in suggestion feature and we will add any business application that you suggest, but you can also use our connector wizard to create custom connectors for custom in-house applications.
OneLogin is able to work with any web application even if it's placed behind your firewall. If you are using an application that we don't yet support, we will add it to our list. You can also build custom connectors for in-house applications and we will help.
The browser extension significantly improves the user experience of single sign-on. Some single sign-on solutions require that you access all applications from a central place, but these days users often launch applications by clicking on a link in an email. OneLogin's browser extension detects this, signs you in and takes you directly to the piece of information you were looking for.
Yes, OneLogin already supports a number of applications that can be installed behind the firewall. All that's required is for the application to be browser-based.