Enterprise IAM Platform Features: Security Without Per-User Costs

LoginMaster's architecture is based on two fundamental components: the Tenant and the Cloud. The tenant is the customer entity that contains users and credentials. It communicates with the LoginMaster Cloud via dedicated cryptographic keys. Each project has its own key to communicate exclusively with its tenant. This separation ensures that each customer's data is isolated and protected by independent cryptographic keys.

LoginMaster's authentication token is signed by both the Tenant and the Cloud, ensuring authenticity on both sides of the communication. This dual-signature mechanism ensures that the token cannot be forged even if one side is compromised. Additionally, the communication between client and API uses a separate cryptographic certificate, adding an extra layer of protection independent from the token's signature.

No, 2FA on LoginMaster is configurable for each individual project. It can be set as disabled, optional, or mandatory depending on the project's security requirements. The user enables 2FA only if at least one project in their tenant requires it. The system is based on TOTP and is compatible with Google Authenticator and similar applications, offering a balance between security and practicality.

LoginMaster supports Single Sign-On authentication with Google Workspace and Microsoft Entra ID. These two providers cover the vast majority of corporate environments and allow your users to access tenant projects with the corporate credentials they already use daily, without having to manage separate passwords.

No. On LoginMaster, no administrator can reset passwords, change emails, or disable a user's 2FA. Only the user themselves can perform these operations through secure procedures. This principle of exclusive user control prevents identity theft and protects users even if an administrative account is compromised.

Customer personnel have a single account on the tenant and can access various projects upon confirmation by the project admin or tenant admin. Each project supports user and device subject types, with API keys for server-to-server communication. By Q2 2026, AWS IoT integration will be available to manage IoT device credentials from the same panel. The admin controls who can access which project.

Users' personal data resides exclusively on the customer's Tenant. The LoginMaster Cloud never contains readable information: it operates only on encrypted data and references. Not even the provider can access the data. Credentials are protected with advanced hashing and a cryptographic separation mechanism that distributes components across multiple entities, so no single component possesses the information to reconstruct them.

LoginMaster's white-label feature allows each tenant to customize logo, colors, and company name in the authentication interface. Linked projects automatically inherit the tenant's branding, so your users will see a login experience consistent with your organization's visual identity, without knowing that the underlying platform is LoginMaster.

Yes. Each tenant configures conditional access policies that adapt authentication requirements to context: user role, project sensitivity, subject type (user or device), enabled SSO providers, authorized registration email domains, session duration, and the failed login attempt threshold before lockout. 2FA can be made mandatory for specific roles and projects, applying stricter controls where the risk is higher while keeping access smooth in low-risk scenarios.

Adaptive MFA modulates the second-factor challenge based on the access risk level, instead of applying the same rule to all users. With LoginMaster you define at the tenant policy level when TOTP 2FA is mandatory -- for example for administrative roles or critical projects -- and when it remains optional. This Zero Trust approach strengthens security on sensitive access without burdening the experience of low-risk users, in line with NIS2 and ISO 27001 requirements.

Yes. With federated Single Sign-On to Google Workspace and Microsoft Entra ID, your users sign in without a dedicated password to create, manage, or forget: they use the corporate credentials they already have. On top of that sits a zero-knowledge architecture where passwords are never recoverable or accessible to anyone, a phishing-resistant foundation onto which the evolution toward FIDO2/WebAuthn passkeys is built.

Passkeys are passwordless credentials based on the FIDO2/WebAuthn standards: a cryptographic key pair where the private key stays on the user's device and is unlocked with biometrics (fingerprint, face) or a PIN, with no shared secrets to steal or intercept. They are phishing-resistant by design. Today LoginMaster delivers a passwordless experience through federated SSO and a zero-knowledge credential model; native FIDO2/WebAuthn passkey support is on the platform roadmap.

Today LoginMaster enables automated user provisioning and deprovisioning through its REST API and TypeScript/.NET SDKs: you can create, update, link to projects, and deactivate accounts by integrating the platform with your HR system or identity provider, and receive real-time webhooks on access events. Support for the SCIM 2.0 standard for automatic synchronization with providers such as Okta and Microsoft Entra ID is on the platform roadmap.

The entire joiner-mover-leaver cycle can be automated. On entry (joiner) you create the account and project links via API; during tenure (mover) you update roles and access and receive webhooks when context changes; on exit (leaver) you revoke project access, API keys, and sessions in a single operation. The exclusive user-control model ensures that sensitive data such as passwords and 2FA always stays under the person's control, while the administrator governs project membership and permissions.