Endpoint Security Posture

With Bravas, all your online identities are secured by the trust we can put in your managed devices. Hence, it is important to ensure that the security posture matches the risks you are facing. As we shared in our vision, we intend to build Bravas as a solution that anticipates most needs and lets you focus on functional needs. This means some security measures are enforced by Bravas and cannot be disabled, while others are available for you to configure so that you comply with your market regulations.

What Is Mandatory With Bravas

Currently, Bravas only supports assigned devices: each device is used by a single user on a daily basis (IT access does not count). We do not support shared devices (one session used by many operators) or multi-user situations (like a classroom).

In that context, all devices enrolled to Bravas will be required to:

  • be encrypted
  • and have a device passcode

In the future, when we introduce support for shared and multi-user scenarios, we will adapt some of those requirements for those specific contexts. But for assigned devices, passcodes and encryption are mandatory.

What You Can Configure

Straight out of the box, Bravas requires a simple 6-digit passcode on all devices. You can edit the complexity requirements per kind of device.

Supported kinds of devices are smartphones, tablets and computers. So far, we have not made any distinction between a laptop and a workstation. We also strive, as much as we can, not to expose differences between managed operating systems, as this would not be scalable for you.

The device's passcode complexity can be set to:

  • require more characters
  • require the passcode to be alphanumeric
  • require the passcode to have non-alphanumeric symbols
  • refuse the simple values (repetitive symbols, ascending or descending sequences, etc.)
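
The sketch below is an added example, not Bravas code. It shows how the four complexity options above could be evaluated against a candidate passcode. The field names, the reading of "alphanumeric" as at least one letter and one digit, and the limits of the simple-value test are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class PasscodePolicy:
    # Hypothetical field names. min_length mirrors the default 6-digit passcode;
    # leaving every other option off by default is an assumption.
    min_length: int = 6
    require_alphanumeric: bool = False
    require_symbol: bool = False
    refuse_simple: bool = False

def is_simple(passcode: str) -> bool:
    """True for one repeated symbol or a run that ascends/descends by exactly 1."""
    if len(passcode) < 2:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(passcode, passcode[1:])}
    return steps in ({0}, {1}, {-1})

def violations(passcode: str, policy: PasscodePolicy) -> list[str]:
    """Return the list of rules the passcode breaks (empty list = compliant)."""
    problems = []
    if len(passcode) < policy.min_length:
        problems.append("too_short")
    has_letter = any(c.isalpha() for c in passcode)
    has_digit = any(c.isdigit() for c in passcode)
    if policy.require_alphanumeric and not (has_letter and has_digit):
        problems.append("not_alphanumeric")
    if policy.require_symbol and all(c.isalnum() for c in passcode):
        problems.append("no_symbol")
    if policy.refuse_simple and is_simple(passcode):
        problems.append("simple_value")
    return problems

# Constructed sample passcodes, for illustration only.
SAMPLES = ["123456", "111111", "654321", "135790", "blue-Kite42"]

if __name__ == "__main__":
    strict = PasscodePolicy(min_length=8, require_alphanumeric=True,
                            require_symbol=True, refuse_simple=True)
    for pc in SAMPLES:
        print(f"{pc!r:15} default={violations(pc, PasscodePolicy())} "
              f"strict={violations(pc, strict)}")
```

The simple-value test only covers uniform repeats and step-of-one sequences; patterns such as `112233` or wrap-around runs are not detected by this sketch.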

You can also configure the idle period before a screen lock and the grace period after a screen lock before a passcode is requested to unlock the device.

What You Cannot Enforce and Why

We currently do not offer a setting that enforces passcode expiration. Passcode expiration is a legacy behavior that does not contribute positively to your security posture. It is actually proven that password expiration policies lower your security posture by pushing your stakeholders to adopt pattern-based passwords, which attackers can guess.

As far as we know, all market regulations have been updated and now agree that passcode expiration is not needed but two-factor authentication is.

By design, all access to Bravas uses two factors:

  • having access to a trusted device (enrolled device with a security certificate in a secure enclave or authentication token)
  • knowing the passcode of that specific device

Someone with a Mac and an iPhone will not have the same passcode for both, and none of those passcodes are synchronized to any cloud. This means they cannot be attacked remotely or brute-forced without physical access to the device.

If you are currently dealing with a security auditor that is not using up-to-date knowledge and wants to give you a penalty for not having periodic passcode renewal, contact us immediately, and we will provide you with all the support needed to defend our position during your audit.