Edge Guard
Protect your business at the edge of your customer identity stack
Next Identity Secure protects your customers, your service and your business at every layer of the customer identity stack. Edge Guard is a suite of modern security capabilities developed to offer protection at the gateway to your customer identity stack—before threat actors can reach customer data, or even impact service performance.
Web Application Firewall
All Next Identity traffic is protected by a global web application firewall (WAF) specifically tuned to detect and deflect threats to customer identities.
Rate Limiting
Rate limits regulate excessive use of resources by individual applications, keeping the service accessible to all users. Used together with the Web Application Firewall (WAF) and user risk indicators, they are an essential tool for mitigating risk from malicious actors and improving service reliability.
Without rate limits, an application would be exposed to accidental or deliberate floods of requests that could disrupt service for every other application. Rate limits guard against this by capping the volume of requests and keeping the service stable.
Rate Limit Types in Next Identity
Per Environment, Client, and Endpoint Rate Limiting
Next Identity's platform supports custom API rate limit configurations for various environments and clients. Our algorithm parameters include:
- Throughput: The sustained rate at which requests are accepted (API requests per second).
- Burst Capacity: The maximum number of requests accepted in a burst before new ones are rejected.
The Next Identity platform applies a series of rate limiting controls that provide throttling and burst capacity for legitimate traffic spikes, and that protect the whole landscape from noisy neighbours. When any environment, client or endpoint exceeds its configured throughput and burst capacity, the API returns a rate-limit response to the caller and, at the same time, our internal alerting raises a warning about the breach.
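The throughput/burst pair described above is the classic token-bucket model. The following is an added illustration written for this page, not Next Identity's own implementation: each configured scope (environment, client or endpoint) gets a bucket that refills at `throughput` tokens per second and never holds more than `burst` tokens, a request must find a token in every scope it falls under, and the scope that rejects it is reported, which is the value an alert would name. All scope names, limits and the `ManualClock` helper are constructed for the demo.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A scope is one of the levels the page lists: environment, client or endpoint.
Scope = Tuple[str, str]   # e.g. ("client", "checkout-web")


class ManualClock:
    """Deterministic clock for the demo (constructed helper, not a platform component)."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


@dataclass
class TokenBucket:
    throughput: float    # sustained rate: tokens refilled per second
    burst: int           # capacity: largest run of requests accepted at once
    tokens: float        # tokens currently available
    last_refill: float   # clock reading at the last refill

    def refill(self, now: float) -> None:
        # Refill is proportional to elapsed time and capped at the burst capacity,
        # so a long idle period cannot bank more than `burst` requests.
        elapsed = max(0.0, now - self.last_refill)
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.throughput)
        self.last_refill = now


class EdgeRateLimiter:
    """Throughput/burst limits enforced independently at each configured scope."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._buckets: Dict[Scope, TokenBucket] = {}

    def configure(self, scope: Scope, throughput: float, burst: int) -> None:
        # A new bucket starts full, so the first `burst` requests are accepted immediately.
        self._buckets[scope] = TokenBucket(throughput, burst, float(burst), self._clock())

    def check(self, environment: str, client: str, endpoint: str) -> Tuple[bool, Optional[Scope]]:
        """Admit one request, or report the first scope whose limit it would breach.

        Tokens are consumed only when every applicable bucket agrees, so a rejection
        at one level does not drain the buckets of the other levels.
        """
        now = self._clock()
        scopes: List[Scope] = [("environment", environment), ("client", client), ("endpoint", endpoint)]
        applicable = [(s, self._buckets[s]) for s in scopes if s in self._buckets]
        for _, bucket in applicable:
            bucket.refill(now)
        for scope, bucket in applicable:
            if bucket.tokens < 1.0:
                return False, scope          # the breached scope is what an alert would name
        for _, bucket in applicable:
            bucket.tokens -= 1.0
        return True, None


def demo() -> List[Tuple[bool, Optional[Scope]]]:
    """Constructed scenario: one client bursting against an endpoint shared with others."""
    clock = ManualClock()
    limiter = EdgeRateLimiter(clock)
    limiter.configure(("client", "checkout-web"), throughput=2.0, burst=5)     # constructed limits
    limiter.configure(("endpoint", "/oauth/token"), throughput=10.0, burst=20)

    results = [limiter.check("prod", "checkout-web", "/oauth/token") for _ in range(6)]
    # A different client on the same endpoint is unaffected by the noisy neighbour.
    results.append(limiter.check("prod", "mobile-app", "/oauth/token"))
    clock.now = 1.0   # one second later, 2 tokens have refilled for checkout-web
    results.extend(limiter.check("prod", "checkout-web", "/oauth/token") for _ in range(3))
    return results


if __name__ == "__main__":
    for allowed, scope in demo():
        print("allowed" if allowed else f"rejected at {scope}")
```

In the demo the first five requests from `checkout-web` pass, the sixth is rejected at the client scope while `mobile-app` still gets through on the shared endpoint, and after one second exactly two more `checkout-web` requests are admitted before the client bucket is empty again.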
Auth Flow Endpoint Limits (Token and OTP)
To prevent misuse, specific auth flow endpoints (token and OTP) have additional restrictions that can be configured at both the environment and client levels:
- Allowed Attempts: The number of token/OTP attempts allowed within a specified time period (in seconds).
- Time Period: The duration within which the attempts can be made (in seconds).
- Lockout Period: The lockout duration after the maximum number of attempts is reached (in seconds).
By default, OTP and Token endpoint protections are configured as environment variables, but they can be overridden at the client level if necessary.
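The three settings above (Allowed Attempts, Time Period, Lockout Period) and the environment-default-with-client-override rule can be expressed as a small attempt counter. This is an added example for this page, not Next Identity's code: attempts per flow subject are kept in a sliding window of `time_period` seconds, exceeding `allowed_attempts` inside that window starts a lockout of `lockout_period` seconds, and a client ID with an override uses its own policy instead of the environment default. Policy values, client IDs and the OTP session names are constructed; `ManualClock` is a test helper.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, Tuple

# Attempts are counted per (client_id, flow subject), e.g. one OTP session or one token grant.
Key = Tuple[str, str]


class ManualClock:
    """Deterministic clock for the demo (constructed helper, not a platform component)."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


@dataclass(frozen=True)
class AttemptPolicy:
    allowed_attempts: int    # attempts permitted inside one time period
    time_period: float       # length of that period, in seconds
    lockout_period: float    # lockout applied once the limit is hit, in seconds


class AuthFlowLimiter:
    """Environment-wide default policy with optional per-client overrides."""

    def __init__(self, environment_policy: AttemptPolicy,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._default = environment_policy
        self._overrides: Dict[str, AttemptPolicy] = {}
        self._attempts: Dict[Key, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[Key, float] = {}
        self._clock = clock

    def override_client(self, client_id: str, policy: AttemptPolicy) -> None:
        self._overrides[client_id] = policy

    def policy_for(self, client_id: str) -> AttemptPolicy:
        # Client-level setting wins; otherwise the environment default applies.
        return self._overrides.get(client_id, self._default)

    def attempt(self, client_id: str, subject: str) -> Tuple[bool, float]:
        """Register one token/OTP attempt. Returns (allowed, retry_after_seconds)."""
        now = self._clock()
        key = (client_id, subject)
        policy = self.policy_for(client_id)

        locked_until = self._locked_until.get(key, 0.0)
        if now < locked_until:
            return False, locked_until - now   # still locked out; tell the caller how long

        window = self._attempts[key]
        while window and now - window[0] >= policy.time_period:
            window.popleft()                   # forget attempts older than the time period
        window.append(now)
        if len(window) > policy.allowed_attempts:
            # Limit exceeded: start the lockout and clear the window so the next
            # attempt after the lockout is judged afresh.
            self._locked_until[key] = now + policy.lockout_period
            window.clear()
            return False, policy.lockout_period
        return True, 0.0

    def reset(self, client_id: str, subject: str) -> None:
        """Clear state after a successful verification so a legitimate user is not penalised later."""
        self._attempts.pop((client_id, subject), None)
        self._locked_until.pop((client_id, subject), None)


if __name__ == "__main__":
    clock = ManualClock()
    limiter = AuthFlowLimiter(AttemptPolicy(3, 60.0, 300.0), clock=clock)   # constructed defaults
    limiter.override_client("kiosk-app", AttemptPolicy(5, 60.0, 120.0))      # constructed override
    for _ in range(4):
        print(limiter.attempt("checkout-web", "otp:session-1"))
    clock.now = 100.0
    print(limiter.attempt("checkout-web", "otp:session-1"))   # locked, 200 s remaining
```

Counting per flow subject rather than per client keeps one abusive OTP session from locking out every other user of the same client, while the `retry_after` value gives the API a concrete figure to return alongside the rejection.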
The different rate limit configurations are outlined below.
| Rate Limit Type | Description |
|---|---|
| Global | Global rate limits determine the total requests allowed in a single customer environment, regardless of property or endpoint. |
| Property | A property is a collection of clients that share the same business goal. A property-level rate limit applies the same rules to all of those clients. |
| Client | Each client ID has its own set of configurations and rules, including the number of requests allowed per time period. Each request is checked against that rule set; if a rule is violated (for example, the rate limit is exceeded), the service returns the corresponding error response. |
| Endpoint | Endpoint rate limiting caps the number of requests an endpoint handles per minute regardless of user ID, so that no single endpoint is overwhelmed by traffic. It can be configured at either the Global or Client level of an organization. |
| IP Address | Next Identity limits the number of requests that can originate from a single IP address. |
| Login Attempts | Number of login attempts allowed during the Login Attempts Threshold. |
| Login Attempts Threshold | Time window for Login Attempts. |
| Registration Attempts | Number of registration attempts allowed per IP address during the Registration Attempts Threshold. |
| Registration Attempts Threshold | Time window for Registration Attempts. |
Security Ops
Next Reason's 24x7 team of operations engineers monitors signals, responds to performance and security alerts, and continuously tunes your perimeter, using real-time threat intelligence to inform both automated and manual responses to detected customer identity threats.