Identity and Access Management
MyQ X provides a comprehensive Identity and Access Management framework that integrates seamlessly with existing enterprise authentication systems while supporting modern security standards. The IAM architecture ensures secure, scalable, and flexible user authentication across diverse organizational environments.
Multi-Factor Authentication Implementation
MyQ X implements robust multi-factor authentication (MFA) capabilities that significantly enhance security by requiring multiple verification factors:
Embedded Terminal Authentication: Standard MFA methods include ID Card and PIN combinations, where users first present their physical ID card and then confirm their identity with a PIN code. Alternatively, ID Card and Password authentication provides similar two-factor security with password verification instead of PIN.
Mobile-Based Authentication: The MyQ X Mobile Client enables sophisticated MFA through QR code scanning combined with biometric verification. Users authenticate by scanning a QR code displayed on the embedded terminal, with additional security provided through biometric locks (Face ID or fingerprint) on their mobile devices.
Desktop Client Integration: Organizations using Microsoft 365 services benefit from integrated MFA through Entra ID authentication. Users with two-factor authentication enabled in their Entra ID accounts are automatically prompted to verify their identity using authenticator applications when accessing the Desktop Client.
OAuth 2.0 Device Authorization Grant
MyQ X supports the OAuth 2.0 Authorization Code Grant standard, enabling secure integration with modern identity providers and third-party applications:
Standard OAuth Flow: The system implements the complete OAuth 2.0 authorization framework, including login page presentation, one-time authorization code generation, and secure token retrieval. Client applications receive bearer tokens with configurable expiration times and granted scopes.
API Integration Security: OAuth tokens must be provided for all API endpoint access, ensuring that third-party integrations maintain proper authentication. The system supports client ID and client secret validation with secure redirect URI matching.
Token Management: Access tokens include expiration controls (default 1800 seconds) and scope restrictions, providing granular control over API access permissions while maintaining security through token rotation.
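The three steps just described (login page to one-time code, code to bearer token, token check at an API endpoint) are easier to reason about in code. The block below is an added example, not MyQ X's implementation: it models an authorization server with exact redirect URI matching, client secret validation, single-use codes, and tokens carrying granted scopes and the 1800-second default lifetime the text names. The client id, secret, scopes, redirect URI and the 60-second code lifetime are constructed placeholders.

```python
"""Server-side logic for the OAuth 2.0 Authorization Code Grant flow described above.

Added example, not MyQ X code: it models the three steps the text names
(login page -> one-time code, code -> bearer token, token check at an API
endpoint). Client ids, secrets, scopes and redirect URIs are constructed
placeholders; the 1800-second token lifetime follows the text's default.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Set

DEFAULT_TOKEN_TTL = 1800   # seconds; the default expiration named in the text
CODE_TTL = 60              # seconds; authorization codes are short-lived (assumed value)


@dataclass
class Client:
    client_id: str
    client_secret: str
    redirect_uris: Set[str]     # registered URIs, matched exactly
    allowed_scopes: Set[str]    # the most a token for this client may carry


@dataclass
class AuthServer:
    clients: Dict[str, Client]
    codes: Dict[str, tuple] = field(default_factory=dict)   # code  -> (client_id, redirect_uri, scopes, expiry)
    tokens: Dict[str, tuple] = field(default_factory=dict)  # token -> (client_id, scopes, expiry)
    clock: Callable[[], float] = time.time                  # injectable for tests

    def authorize(self, client_id: str, redirect_uri: str, requested_scopes) -> str:
        """Step 1: runs after the user has logged in on the login page.
        Issues a one-time authorization code bound to client and redirect URI."""
        client = self.clients.get(client_id)
        if client is None:
            raise PermissionError("unknown client_id")
        if redirect_uri not in client.redirect_uris:
            # Exact string comparison; prefix or wildcard matching would let a
            # crafted URI on the same host receive the code.
            raise PermissionError("redirect_uri is not registered for this client")
        granted = set(requested_scopes) & client.allowed_scopes  # drop what the client may not have
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, granted, self.clock() + CODE_TTL)
        return code

    def exchange(self, client_id: str, client_secret: str, code: str, redirect_uri: str) -> dict:
        """Step 2: the client trades the code for a bearer token.
        The code is removed before any further check, so it can never be replayed."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client.client_secret, client_secret):
            raise PermissionError("client authentication failed")
        entry = self.codes.pop(code, None)
        if entry is None:
            raise PermissionError("authorization code is invalid or was already used")
        code_client, code_redirect, granted, expiry = entry
        if code_client != client_id or code_redirect != redirect_uri or self.clock() > expiry:
            raise PermissionError("authorization code does not match this request")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (client_id, granted, self.clock() + DEFAULT_TOKEN_TTL)
        return {
            "access_token": token,
            "token_type": "Bearer",
            "expires_in": DEFAULT_TOKEN_TTL,
            "scope": " ".join(sorted(granted)),
        }

    def check_bearer(self, token: str, required_scope: str) -> bool:
        """Step 3: what an API endpoint does with the Authorization: Bearer header.
        Unknown, expired, or under-scoped tokens are all refused."""
        entry = self.tokens.get(token)
        if entry is None:
            return False
        _, granted, expiry = entry
        if self.clock() > expiry:
            self.tokens.pop(token, None)   # expired tokens are dropped, not extended
            return False
        return required_scope in granted


if __name__ == "__main__":
    # Constructed walk-through with a placeholder client.
    server = AuthServer(clients={
        "print-portal": Client("print-portal", "constructed-secret",
                               {"https://portal.example/callback"}, {"print", "read"}),
    })
    code = server.authorize("print-portal", "https://portal.example/callback", ["print", "admin"])
    token = server.exchange("print-portal", "constructed-secret", code, "https://portal.example/callback")
    print(token)                                                # scope is "print": "admin" was never allowed
    print(server.check_bearer(token["access_token"], "print"))  # True
    print(server.check_bearer(token["access_token"], "admin"))  # False
```

Two design points carry the security weight: the code is popped from the store before the client, redirect URI and expiry are compared, so a failed exchange still burns it, and the scope a token carries is the intersection of what was requested and what the client was registered for, which is what makes the per-endpoint scope check in `check_bearer` meaningful.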
Single Sign-On Integration Capabilities
MyQ X provides comprehensive Single Sign-On (SSO) integration that streamlines user authentication across enterprise environments:
Microsoft 365 Integration: Deep integration with Microsoft Entra ID enables seamless SSO for organizations using Microsoft 365 services. Users can authenticate using their existing Microsoft credentials, eliminating the need for separate MyQ passwords.
Enterprise Directory Services: SSO capabilities extend to various authentication servers including Active Directory, OpenLDAP, and Novell eDirectory, allowing users to leverage existing enterprise credentials for MyQ access.
Cross-Platform Authentication: SSO functionality works across all MyQ X components including Desktop Client, Mobile Client, and embedded terminals, providing consistent authentication experiences regardless of access method.
Role-Based Access Control (RBAC)
MyQ X implements sophisticated Role-Based Access Control that aligns with enterprise security requirements:
Granular Permission Management: The system provides detailed control over user permissions, allowing administrators to define specific access rights based on organizational roles and responsibilities.
Group-Based Administration: RBAC implementation supports both individual user permissions and group-based access control, enabling efficient management of large user populations through security group assignments.
Least Privilege Enforcement: Access controls follow the principle of least privilege, ensuring users receive only the minimum permissions necessary for their job functions while maintaining operational efficiency.
Entra ID Multi-Tenant Support
MyQ X provides robust support for Microsoft Entra ID multi-tenant environments:
Cross-Tenant Authentication: The system can authenticate users across multiple Entra ID tenants, supporting complex organizational structures with multiple Azure AD instances.
Tenant Isolation: Multi-tenant support includes proper isolation mechanisms that prevent cross-tenant data access while maintaining centralized MyQ management capabilities.
Hybrid Identity Management: Integration supports both cloud-only and hybrid identity scenarios, accommodating organizations with on-premises Active Directory synchronized to Entra ID.
LDAP and Active Directory Integration
MyQ X offers comprehensive LDAP and Active Directory integration capabilities:
Flexible Synchronization Options: The system supports multiple synchronization methods including full synchronization, selective attribute synchronization, and conditional synchronization based on LDAP filters. Administrators can choose between full replacement, add-only, or conditional updates for card and PIN properties.
Advanced Filtering Capabilities: LDAP synchronization includes sophisticated filtering options using standard LDAP filter syntax, enabling selective user import based on organizational units, group memberships, or custom attributes.
Group Structure Import: The system can import complete organizational structures including security groups, distribution groups, and nested group hierarchies from Active Directory, maintaining organizational relationships within MyQ.
Secure Authentication: All LDAP communications use TLS encryption to protect credentials and user data during synchronization. The system supports both traditional LDAP over TLS and secure LDAP connections.
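The three update policies for card and PIN properties listed under Flexible Synchronization Options (full replacement, add-only, conditional update) differ only in how a directory value meets an existing local value, and that is easiest to see side by side. The following is an added example, not MyQ X's synchronization code: the record layout, the attribute names `card` and `pin`, the mode names and the sample users are all constructed for illustration.

```python
"""Update policies for card and PIN attributes during directory synchronization.

Added example, not MyQ X's synchronization code: it shows the three ways the
text names of applying directory values to existing users (full replacement,
add-only, conditional update). The record layout, the attribute names `card`
and `pin`, and the sample entries are constructed placeholders.
"""
from copy import deepcopy
from typing import Dict, Iterable, List, Tuple

MODES = ("replace", "add_only", "conditional")
SYNCED_ATTRS = ("card", "pin")


def merge_user(existing: dict, incoming: dict, mode: str) -> Tuple[dict, List[str]]:
    """Apply one directory entry to a stored user; returns (merged user, changed attributes).

    replace      the directory always wins, including clearing a local value when
                 the directory entry carries none
    add_only     a directory value is written only where the user has no value yet;
                 cards and PINs already set locally are never touched
    conditional  a directory value replaces the local one only when it is non-empty;
                 an empty directory attribute leaves the local value in place
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}, expected one of {MODES}")
    merged = deepcopy(existing)
    changed = []
    for attr in SYNCED_ATTRS:
        local = merged.get(attr) or None      # treat "" and missing as "no value"
        remote = incoming.get(attr) or None
        if mode == "replace":
            new = remote
        elif mode == "add_only":
            new = local if local is not None else remote
        else:
            new = remote if remote is not None else local
        if new != local:
            changed.append(attr)
        merged[attr] = new
    return merged, changed


def synchronize(local_users: Iterable[dict], directory_entries: Iterable[dict], mode: str):
    """Run one synchronization pass; users absent locally are created, others merged."""
    users: Dict[str, dict] = {u["login"]: deepcopy(u) for u in local_users}
    report = {"created": [], "updated": [], "unchanged": []}
    for entry in directory_entries:
        login = entry["login"]
        if login not in users:
            users[login] = {"login": login,
                            **{a: entry.get(a) or None for a in SYNCED_ATTRS}}
            report["created"].append(login)
            continue
        users[login], changed = merge_user(users[login], entry, mode)
        report["updated" if changed else "unchanged"].append(login)
    return users, report


if __name__ == "__main__":
    # Constructed sample: alice has a card and PIN locally, the directory has a
    # different card for her and no PIN; carol exists only in the directory.
    local = [{"login": "alice", "card": "CARD-0001", "pin": "406193"}]
    directory = [{"login": "alice", "card": "CARD-0009", "pin": ""},
                 {"login": "carol", "card": "CARD-0003", "pin": "517204"}]
    for mode in MODES:
        users, report = synchronize(local, directory, mode)
        print(mode, users["alice"], report)
```

The practical difference is what happens to a card or PIN that was assigned locally and is absent from the directory: `replace` removes it, the other two keep it. Running the sample under all three modes and comparing `report["updated"]` before enabling a synchronization schedule shows exactly which credentials a chosen mode would overwrite.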
Temporary PIN Management and Security Policies
MyQ X implements comprehensive PIN management and security policies:
Enhanced PIN Security: Version 10.2 introduces strengthened PIN security including mandatory 6-digit minimum length and prevention of easily guessable combinations such as "1234" or "1111".
Temporary PIN Issuance: The system supports temporary PIN codes that can be issued for specific time periods or single-use scenarios, providing additional security for guest access or temporary employees.
PIN Policy Enforcement: Configurable PIN policies allow organizations to define complexity requirements, expiration periods, and reuse restrictions that align with corporate security standards.
Failed Authentication Protection: Enhanced security includes automatic blocking of authentication attempts after repeated failures (default: a 5-minute block after 5 failed attempts within 60 seconds).
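The PIN rules above (6-digit minimum, rejection of trivially guessable combinations such as "1234" or "1111") and the failure protection (a 5-minute block after 5 failures within 60 seconds) combine into one enrollment-and-login path. The block below is an added example, not MyQ X code. Beyond the two quoted examples, the text does not say which patterns count as "easily guessable"; treating all-identical digits and ascending or descending runs as guessable is an assumption made here, as is the salted PBKDF2 storage of the PIN.

```python
"""PIN policy checks and failed-attempt blocking for the rules described above.

Added example, not MyQ X code. The numbers follow the text: 6-digit minimum,
rejection of trivially guessable PINs such as "1234" or "1111", and a 5-minute
block after 5 failed attempts within 60 seconds. Which patterns count as
"easily guessable" beyond the two quoted examples is an assumption made here
(all-same digits and ascending/descending runs), as is PBKDF2 storage.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Optional, Tuple

MIN_PIN_LENGTH = 6
MAX_FAILURES = 5        # failed attempts ...
FAILURE_WINDOW = 60     # ... within this many seconds ...
BLOCK_DURATION = 300    # ... cause a block this long (5 minutes)
PBKDF2_ROUNDS = 100_000


def pin_policy_violation(pin: str) -> Optional[str]:
    """Return the rule a new PIN breaks, or None if it is acceptable."""
    if not pin.isdigit():
        return "digits only"
    if len(pin) < MIN_PIN_LENGTH:
        return f"at least {MIN_PIN_LENGTH} digits required"
    if len(set(pin)) == 1:
        return "all digits identical"                       # 111111
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps == {1} or steps == {-1}:
        return "ascending or descending sequence"           # 123456, 654321
    return None


def enroll_pin(pin: str) -> Tuple[bytes, bytes]:
    """Validate the PIN against the policy and return (salt, PBKDF2 hash) for storage."""
    violation = pin_policy_violation(pin)
    if violation:
        raise ValueError(f"PIN rejected: {violation}")
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


class LoginGuard:
    """Sliding-window failure counter with a temporary block per user."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock                                  # injectable for tests
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked_until: Dict[str, float] = {}

    def is_blocked(self, user: str) -> bool:
        until = self.blocked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            del self.blocked_until[user]                    # block has lapsed
            return False
        return True

    def attempt(self, user: str, record: Tuple[bytes, bytes], supplied_pin: str) -> str:
        """Returns "ok", "denied" or "blocked". While blocked, even the correct PIN
        is refused, so the block cannot be used as an oracle for the right value."""
        now = self.clock()
        if self.is_blocked(user):
            return "blocked"
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", supplied_pin.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(stored, candidate):
            self.failures.pop(user, None)                   # success clears the window
            return "ok"
        window = self.failures[user]
        window.append(now)
        while window and now - window[0] > FAILURE_WINDOW:
            window.popleft()                                # forget failures older than 60 s
        if len(window) >= MAX_FAILURES:
            self.blocked_until[user] = now + BLOCK_DURATION
            window.clear()
            return "blocked"
        return "denied"


if __name__ == "__main__":
    record = enroll_pin("406193")                           # constructed sample PIN
    guard = LoginGuard()
    for _ in range(5):
        print(guard.attempt("alice", record, "000000"))     # denied x4, then blocked
    print(guard.attempt("alice", record, "406193"))         # blocked: correct PIN refused
```

Note that the window is pruned only on failure and cleared on success, so five failures spread over more than a minute never trigger the block, while a burst does; and the block is checked before the PIN is compared, which keeps the response for a blocked user identical whether or not the supplied PIN was right.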
Biometric Authentication Support
MyQ X leverages modern biometric authentication capabilities through mobile device integration:
Mobile Biometric Integration: The MyQ X Mobile Client supports biometric authentication methods including Face ID on iOS devices and fingerprint recognition on Android devices, providing seamless yet secure access control.
Multi-Modal Authentication: Biometric authentication works in conjunction with device-based security, creating a multi-modal authentication system that combines something the user has (mobile device) with something they are (biometric characteristics).