Threat models and security profiles
Threat modeling is essential for securing a system like Ory Identities. This document provides guidelines for identifying and analyzing threats and implementing security measures for Ory Identities.
Working with and managing software that stores personal information carries risk. It's important to identify threats and understand the system's attack surface, the likelihood, and the impact of an attack.
In the case of Ory Identities, threats could include hackers or malicious insiders who may try to steal or manipulate personal information. To protect against these threats, it's important to properly configure Ory and implement appropriate security measures, such as strong authentication and access controls. Regular monitoring and timely response to security incidents are also crucial.
Digital identity guidelines
There is no universally accepted standard for digital identity. Ory follows the Digital Identity Guidelines established by the National Institute of Standards and Technology (NIST). These guidelines are accompanied by a FAQ that provides additional information and answers to common questions.
Defenses against brute-force attacks
Ory Network provides Ory Identities with protection against brute-force attacks by rate limiting requests to the public API endpoints, for example the login and registration endpoints.
When self-hosting the Ory Kratos Identity Server, it's the responsibility of the administrator to implement and manage rate limiting or other measures to ensure the security of the network.
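As an added illustration of the self-hosted case (example code, not Ory's own or the Ory Network implementation), the following Go middleware applies a per-client fixed-window limit only to the Kratos self-service login and registration paths while leaving other public endpoints untouched. The limit values, the path prefixes and the assumption that clients reach the listener directly (no trusted proxy in between) are mine.

```go
package main

import (
	"net"
	"net/http"
	"strings"
	"sync"
	"time"
)

// Fixed-window counter per client. Production deployments usually do this in a
// proxy or gateway; the point here is which Kratos endpoints the limit must cover.
type RateLimiter struct{ mu sync.Mutex; limit int; window time.Duration; hits map[string]*counter }
type counter struct{ n int; start time.Time }

func NewRateLimiter(limit int, window time.Duration) *RateLimiter {
	return &RateLimiter{limit: limit, window: window, hits: map[string]*counter{}}
}

// Allow reports whether key may send another request in the current window.
func (r *RateLimiter) Allow(key string) bool {
	r.mu.Lock()
	defer r.mu.Unlock()
	now := time.Now()
	if c, ok := r.hits[key]; ok && now.Sub(c.start) < r.window {
		c.n++
		return c.n <= r.limit
	}
	r.hits[key] = &counter{n: 1, start: now}
	return true
}

// Only the credential-accepting self-service flows are throttled; health checks
// and session lookups such as /sessions/whoami pass through untouched.
func IsThrottledPath(p string) bool {
	return strings.HasPrefix(p, "/self-service/login") || strings.HasPrefix(p, "/self-service/registration")
}

// Middleware keys on the peer IP (net/http sets RemoteAddr as host:port). Assumption:
// clients reach this listener directly; behind a trusted proxy key on the forwarded address.
func (r *RateLimiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		ip, _, _ := net.SplitHostPort(req.RemoteAddr)
		if IsThrottledPath(req.URL.Path) && !r.Allow(ip) {
			http.Error(w, "too many requests", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, req)
	})
}
```

Wrap the handler that forwards to the Kratos public API with `Middleware` and serve that; a rejected client sees HTTP 429 until its window expires.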
Password policy
To learn more about setting up a secure password policy, refer to the password policy page for instructions and best practices.