Research Workspace Broker - Security
Here we explain which security measures are taken and how to report a security problem to the developers.
To log in as a researcher, you need a SurfConext account, which should be provided by the university where you work. The VRE Broker therefore does not know or store a researcher's password, and password changes should be made in the university account settings.
The SurfConext authentication is multi-factor.
When the researcher is logged in, the session stays active as long as the browser window is open. When the browser is closed, the login session is terminated and a new login is enforced.
There are a few special users that can log in without using SurfConext. These are special system accounts, for example a Django admin user or a user for VRW integration. They are used mainly for machine-to-machine communication.
To integrate with external services, it may be necessary to store sensitive data such as passwords or security tokens. All such sensitive information is stored encrypted in the database using the following settings: https://django-cryptography.readthedocs.io/en/latest/settings.html
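A settings check for the session and field-encryption behaviour described above, as an added example that is not the project's own code. It assumes the session behaviour is implemented with Django's SESSION_EXPIRE_AT_BROWSER_CLOSE setting; the function name, the sample dictionaries and the rule that the field-encryption key should be separate from SECRET_KEY are assumptions of this example.

```python
# Added example: audit a Django settings mapping for the two controls on this page.
# Setting names are real Django / django-cryptography settings; the policy encoded
# here (what counts as a finding) is an assumption of this example.


def audit_settings(settings):
    """Return a list of (setting_name, message) findings; empty means no findings."""
    findings = []

    # Django defaults this to False, which keeps the session cookie on disk
    # after the browser closes. The page requires a new login in that case.
    if settings.get("SESSION_EXPIRE_AT_BROWSER_CLOSE") is not True:
        findings.append(("SESSION_EXPIRE_AT_BROWSER_CLOSE",
                         "must be True so the session ends with the browser"))

    # django-cryptography derives the field key from SECRET_KEY when
    # CRYPTOGRAPHY_KEY is None, so rotating SECRET_KEY would make stored
    # passwords and tokens undecryptable, and one leak exposes both uses.
    key = settings.get("CRYPTOGRAPHY_KEY")
    if key is None:
        findings.append(("CRYPTOGRAPHY_KEY",
                         "unset: field key is derived from SECRET_KEY"))
    elif key == settings.get("SECRET_KEY"):
        findings.append(("CRYPTOGRAPHY_KEY",
                         "same value as SECRET_KEY: use an independent key"))
    return findings


# Constructed sample settings (not the broker's real configuration).
WEAK = {"SECRET_KEY": "constructed-secret"}
REUSED = {"SECRET_KEY": "constructed-secret",
          "SESSION_EXPIRE_AT_BROWSER_CLOSE": True,
          "CRYPTOGRAPHY_KEY": "constructed-secret"}
HARDENED = {"SECRET_KEY": "constructed-secret",
            "SESSION_EXPIRE_AT_BROWSER_CLOSE": True,
            "CRYPTOGRAPHY_KEY": "constructed-field-key"}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("REUSED", REUSED), ("HARDENED", HARDENED)):
        print(name, audit_settings(cfg) or "no findings")
```

In a real deployment the mapping can be built from the loaded settings module, for example with `vars()` on that module.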