Table of Contents

Authentication (SSO/MFA) Configuration - SOC2 Evidence

Document Version: 1.0
Date: July 25, 2025
Owner: Dominick Pham, CTO
Classification: Internal Use

Executive Summary

This document provides evidence of Qwestly's implementation of a comprehensive authentication strategy combining Single Sign-On (SSO) through Google Workspace and Multi-Factor Authentication (MFA) for systems that don't support SSO. Our hybrid approach ensures secure access to all business systems while maintaining user convenience and compliance with SOC2 requirements.

SOC2 Trust Services Criteria Addressed

Criteria	Control Objective	Implementation Status
CC6.1	Logical and physical access controls	✅ Implemented
CC6.2	System boundaries and data classification	✅ Implemented
CC6.3	Access control systems and procedures	✅ Implemented
CC7.1	System monitoring	✅ Implemented
CC7.2	Detection of security events	✅ Implemented

Authentication Strategy Overview

Primary Authentication Method: Google Workspace SSO

Coverage: All systems that support SAML/OAuth integration
Systems: Auth0, Supabase, LangSmith, Vercel, and other business applications
Benefits: Centralized identity management, reduced password fatigue, enhanced security

Secondary Authentication Method: MFA

Coverage: Systems that don't support SSO (e.g., personal GitHub accounts)
Implementation: TOTP-based MFA (Google Authenticator, 1Password, etc.)
Requirements: MFA mandatory for all business accounts

Detailed Implementation

1. Google Workspace SSO Configuration

Control Implementation:

Centralized identity provider through Google Workspace
SAML 2.0 and OAuth 2.0 integration with business applications
Automatic user provisioning and deprovisioning
Role-based access control through Google Groups

Technical Specifications:

SSO-Enabled Systems:
- Auth0 (SAML)
- Vercel (OAuth)
- LangSmith (OAuth)
- Slack (OAuth)
- Other business applications supporting SSO

MFA-Required Systems:
- Supabase (TOTP-based MFA)
- GitHub (personal accounts with work email)
- AWS Console (for privileged access)
- Password managers (1Password)
- Any system not supporting SSO

Security Measures:

Session Management: Configurable session timeouts
Access Logging: All SSO events logged in Google Workspace Admin Console
Account Security: Google Workspace security policies enforced
Device Management: Mobile device management for company accounts

Evidence Location:

Google Workspace Admin Console: SSO configuration and logs
Application-specific SSO settings
User provisioning documentation

2. Multi-Factor Authentication (MFA) Implementation

Control Implementation:

TOTP-based MFA for systems without SSO support
Backup codes provided for account recovery
MFA enrollment required during onboarding
Regular MFA status verification

Systems Requiring MFA:

- Supabase (TOTP-based MFA)
- GitHub (personal accounts with work email)
- AWS Console (for privileged access)
- Password managers (1Password)
- Any system not supporting SSO

MFA Enforcement:

Enrollment: Required within 24 hours of account creation
Verification: Quarterly MFA status reviews
Recovery: Backup codes stored securely
Monitoring: Failed MFA attempts logged and reviewed

Technical Configuration:

MFA Requirements:
  - TOTP app required (Google Authenticator, 1Password, etc.)
  - Backup codes generated and stored securely
  - MFA bypass not allowed for business accounts
  - Failed attempts trigger security alerts

3. Password Policy and Management

Control Implementation:

Strong password requirements for non-SSO systems
Password manager (1Password) for secure credential storage
Regular password reviews and updates
Account lockout policies

Password Requirements:

- Minimum 12 characters
- At least one uppercase letter
- At least one number
- No reuse of last 8 passwords
- Account lockout after 6 failed attempts
- Initial password change required on first login

Password Management:

Storage: 1Password for all business credentials
Sharing: Secure sharing through 1Password teams
Rotation: Quarterly password reviews
Recovery: Secure password reset procedures

4. Access Monitoring and Logging

Control Implementation:

Comprehensive logging of all authentication events
Real-time monitoring of suspicious activities
Regular review of access logs
Automated alerts for security events

Logged Events:

SSO Events:
- Successful/failed SSO logins
- User provisioning/deprovisioning
- Role changes and access modifications
- Session creation and termination

MFA Events:
- MFA enrollment and setup
- Successful/failed MFA attempts
- MFA bypass attempts
- Account lockouts

Password Events:
- Password changes and resets
- Failed login attempts
- Account lockouts
- Password policy violations

Monitoring and Alerting:

Real-time Alerts: Failed authentication attempts, suspicious logins
Daily Reviews: Authentication logs and security events
Weekly Reports: Access patterns and anomalies
Monthly Analysis: Trend analysis and security improvements

5. User Access Management

Control Implementation:

Role-based access control (RBAC)
Least privilege principle enforcement
Regular access reviews (quarterly)
Immediate access removal upon termination

Access Provisioning Process:

1. HR onboarding completion
2. Google Workspace account creation
3. SSO application access provisioning
4. MFA setup for non-SSO systems
5. Role-specific access assignment
6. Access documentation and tracking

Access Review Process:

Frequency: Quarterly reviews
Scope: All user accounts and permissions
Documentation: Review findings and actions taken
Remediation: Immediate removal of unnecessary access

Evidence Documentation

Screenshot Evidence Required

Google Workspace SSO Configuration
- Screenshot of SSO settings in Google Workspace Admin Console
- Screenshot of SAML/OAuth application configurations
- Screenshot of user provisioning settings
MFA Configuration
- Screenshot of MFA settings in supported applications
- Screenshot of MFA enrollment process
- Screenshot of backup code generation
Access Control Settings
- Screenshot of role-based access configurations
- Screenshot of password policy settings
- Screenshot of account lockout configurations
Monitoring and Logging
- Screenshot of authentication logs
- Screenshot of security event monitoring
- Screenshot of access review reports

Policy Documentation

Related Policies:

Key Policy Requirements:

MFA required for all business accounts
SSO preferred when available
Regular access reviews and monitoring
Immediate access removal upon termination
Strong password requirements for non-SSO systems

Testing and Validation

Control Testing Procedures

SSO Functionality Testing
- Verify SSO login works for all configured applications
- Test user provisioning and deprovisioning
- Validate role-based access assignments
- Confirm session management and timeouts
MFA Functionality Testing
- Verify MFA enrollment process
- Test MFA authentication flow
- Validate backup code functionality
- Confirm MFA bypass prevention
Password Policy Testing
- Verify password strength requirements
- Test account lockout functionality
- Validate password history enforcement
- Confirm secure password reset process
Monitoring and Alerting Testing
- Verify authentication event logging
- Test security alert generation
- Validate access review processes
- Confirm incident response procedures

Quarterly Testing Schedule

Test Type	Frequency	Responsible Party	Evidence Required
SSO Functionality	Quarterly	CTO	Test results, screenshots
MFA Verification	Quarterly	CTO	MFA status report
Access Review	Quarterly	CTO + CEO	Review documentation
Password Policy	Quarterly	CTO	Policy compliance report
Monitoring Validation	Monthly	CTO	Log analysis report

Incident Response and Remediation

Authentication Security Incidents

Types of Incidents:

Compromised credentials
Unauthorized access attempts
MFA bypass attempts
SSO configuration issues
Password policy violations

Response Procedures:

Immediate Response (0-1 hour)
- Assess incident scope and impact
- Contain affected accounts/systems
- Notify security team and management
Investigation (1-24 hours)
- Review authentication logs
- Identify root cause
- Document incident details
- Implement temporary controls
Remediation (24+ hours)
- Reset compromised credentials
- Update security controls
- Review and update policies
- Conduct lessons learned review

Remediation Actions

For Compromised Accounts:

Immediate password reset
MFA re-enrollment
Access review and modification
Security awareness training

For System Compromises:

SSO configuration review
MFA policy enforcement
Access control updates
Monitoring enhancement

Compliance and Audit

SOC2 Control Mapping

SOC2 Control	Authentication Control	Evidence Type
CC6.1	Logical access controls	SSO/MFA configuration, access logs
CC6.2	System boundaries	User provisioning, role assignments
CC6.3	Access procedures	Access management policies, procedures
CC7.1	System monitoring	Authentication logs, security monitoring
CC7.2	Security events	Incident response, alerting

Audit Evidence Requirements

Documentation Required:

Authentication policy and procedures
SSO configuration documentation
MFA implementation details
Access management procedures
Monitoring and logging configuration
Incident response procedures

Evidence Collection:

Screenshots of configurations
Log samples and reports
Policy documentation
Test results and validation
Incident response documentation

Continuous Improvement

Regular Reviews and Updates

Monthly Reviews:

Authentication event analysis
Security incident review
Policy compliance assessment
Technology updates and improvements

Quarterly Reviews:

Comprehensive access review
Policy effectiveness assessment
Technology evaluation
Training and awareness updates

Annual Reviews:

Complete policy review and updates
Technology roadmap planning
Compliance assessment
Risk assessment updates

Improvement Initiatives

Planned Enhancements:

Enhanced SSO integration for additional systems
Advanced MFA options (hardware tokens, biometrics)
Improved monitoring and alerting
Automated access management
Enhanced incident response capabilities

Conclusion

Qwestly's authentication strategy provides comprehensive security controls through the combination of Google Workspace SSO and MFA implementation. This hybrid approach ensures secure access to all business systems while maintaining user convenience and compliance with SOC2 requirements.

The implementation includes detailed monitoring, logging, and incident response procedures to ensure continuous security oversight and rapid response to potential threats. Regular testing and validation procedures ensure the effectiveness of authentication controls and compliance with security policies.

_private/qwestly-private-docs/SOC2/access-control/Authentication-SSO-MFA-Evidence.md

Authentication (SSO/MFA) Configuration - SOC2 Evidence

Executive Summary

SOC2 Trust Services Criteria Addressed

Authentication Strategy Overview

Primary Authentication Method: Google Workspace SSO

Secondary Authentication Method: MFA

Detailed Implementation

1. Google Workspace SSO Configuration

2. Multi-Factor Authentication (MFA) Implementation

3. Password Policy and Management

4. Access Monitoring and Logging

5. User Access Management

Evidence Documentation

Screenshot Evidence Required

Policy Documentation

Testing and Validation

Control Testing Procedures

Quarterly Testing Schedule

Incident Response and Remediation

Authentication Security Incidents

Remediation Actions

Compliance and Audit

SOC2 Control Mapping

Audit Evidence Requirements

Continuous Improvement

Regular Reviews and Updates

Improvement Initiatives

Conclusion