Secure Access Control in Uncertain Times: Why a European-Built Stack Matters
Infrastructure and security teams today are operating in a context shaped by geopolitical instability, shifting regulations, and increasing scrutiny over digital supply chains. While the technical requirements for authentication and access control are well understood—resilience, traceability, compatibility—there is now an added layer of concern around software origin, jurisdiction, and external dependencies.
This article outlines current challenges in secure access management and how RCDevs Security, a European-based software editor, addresses them through its self-contained solutions: OpenOTP for centralized authentication and SpanKey for SSH key management. The goal here is to understand why a European-built stack matters by defining an architecture based on deterministic software, free from foreign dependencies, and fully controlled by the operator—ensuring digital sovereignty across any environment or jurisdiction.
Problem Context: Software Origin & Operational Risk
Authentication and access systems are critical infrastructure. They determine who can interact with what systems, when, and how. As such, their trustworthiness depends not only on encryption strength or protocol compliance, but also on who builds them, where they are hosted, and whether their behavior is auditable.
Common risks observed in current access control platforms:
- Reliance on third-party or cloud-managed identity services
- Exposure to foreign legal frameworks (e.g., U.S. CLOUD Act)
- Dynamic behavior due to silent updates or vendor-side logic
- Inability to isolate or air-gap critical components
- SSH key sprawl and lack of expiration enforcement in Linux fleets
- Reliance on transatlantic cable infrastructure
These risks are not purely technical—they reflect a combination of architecture decisions, vendor dependencies, and deployment models. For teams seeking to reduce operational uncertainty, control over the identity stack has become a necessary consideration.
Component Overview: RCDevs Security (EU-Based Stack)
RCDevs is a software editor operating entirely in Europe. Its products are developed, tested, and maintained internally in Luxembourg, with no outsourced development and no cloud-bound service layers.
Key software components:
- OpenOTP – Centralized authentication server with multi-protocol support
- SpanKey – SSH key lifecycle management for Linux and Unix systems
All components can be deployed on-premise, with no external communication required, or consumed as a SaaS hosted in Europe. Support is provided directly by the internal engineering team, within EU legal and data protection frameworks.
OpenOTP: Authentication Logic and Identity Federation Under Operator Control
OpenOTP is an MFA and identity management platform designed for integration with existing directory services such as LDAP and Active Directory. It supports common protocols including:
- RADIUS
- LDAP
- SAML 2.0
- OpenID Connect (OIDC)
- OAuth
- PAM for Linux systems
OpenOTP can also function as a meta-identity platform, allowing organizations to integrate multiple external Identity Providers (IdPs) and cloud IAM systems—including Okta, Entra ID (Azure AD), Ping Identity, and others—through native protocol support. This enables uniform application of OpenOTP’s authentication features across heterogeneous identity environments.
To improve resilience, OpenOTP can maintain a local shadow copy of identity data, including credentials such as passwords and tokens. This allows authentication processes to continue operating even during cloud outages or loss of connectivity to Entra ID—ensuring consistent access control across both connected and disconnected environments.
Use cases include:
- Applying centralized MFA policies to external IdPs that do not natively support certain authentication methods
- Extending OpenOTP’s features (e.g., TOTP, WebAuthn, Push Login) to users managed in third-party IAMs
- Bridging multiple identity systems in organizations with hybrid or fragmented environments
- Supporting post-merger integration without requiring immediate user migration or restructuring
This model is especially applicable for companies undergoing mergers or acquisitions, where different business units may rely on incompatible identity infrastructures. Instead of consolidating directories or migrating users—both of which introduce cost, time, and potential security gaps—OpenOTP enables cross-platform authentication enforcement through federation.
Supported authentication factors include:
- TOTP and HOTP (hardware/software tokens)
- FIDO2 / WebAuthn (passkeys)
- Push login (via RCDevs OpenOTP Token mobile app)
- Presence Based Logical Access (reduces your attack surface with mobile badging)
- Smart cards and PKI
- YubiKeys
- Passwordless login
- SMS & email
OpenOTP is fully self-hosted, supports high-availability deployments, and can operate in offline or segmented environments. Audit logs, authentication workflows, and user policies are locally managed in WebADM and exportable for compliance tracking.
SpanKey: Managing SSH Keys at Scale
SpanKey provides centralized SSH key provisioning and access control based on user and group policies defined in LDAP or Active Directory. It uses a PAM module and a local agent to enforce policy-defined access rules directly at the operating system level.
The system addresses typical challenges in Linux server environments, including unmanaged key sprawl, inconsistent access policies, and lack of audit visibility.
Features include:
- Retrieval of authorized public keys from LDAP user attributes
- Automatic removal of keys when user accounts are disabled or removed from relevant groups
- Policy enforcement per host, user group, or directory path, enabling differentiated access rules across environments
- Auditing of SSH logins and access attempts, including timestamped records of user sessions
- Support for key expiration and rotation, with enforcement based on directory metadata or policy
- Graphical session recording for SSH and remote terminal sessions, stored centrally for review and compliance audits
- Centralized sudo policy management, using LDAP group membership to control command-level privilege escalation without relying on local sudoers files
- Support for shared system accounts (e.g., root, apache) with login attribution based on the authenticating LDAP user, allowing accountability even when using non-personal accounts
SpanKey is designed for integration into existing directory structures and operates independently of external services. Its modular architecture allows it to scale across large Linux environments while maintaining consistent policy enforcement and auditability.
When used in combination with OpenOTP, additional controls such as MFA enforcement for SSH and sudo actions can be layered onto this framework.
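The feature list above describes the general pattern of directory-backed SSH access: sshd asks an external resolver for the keys allowed to log in as a given account, and the resolver consults the directory record, the account state, key expiry, host policy, and shared-account group mappings before answering. The script below is an added illustration of that pattern and is not SpanKey's or RCDevs' code; the directory is a constructed in-memory dict (attribute names such as `sshPublicKey`, `sshKeyExpires` and the host policy table are assumptions, not a schema any product mandates), and the `environment="LDAP_USER=..."` attribution trick assumes sshd is configured with `PermitUserEnvironment`. In a real deployment the lookup would be an LDAP query and the output would be printed as an `AuthorizedKeysCommand`.

```python
"""Added example: an AuthorizedKeysCommand-style resolver modelling
directory-backed SSH key distribution with expiry, disabled-account
removal, per-host group policy and shared-account attribution.
Not SpanKey code; the directory below is constructed sample data."""
from datetime import datetime, timezone

# Constructed sample directory (attribute names are assumptions).
# Key material is a placeholder, not a real public key.
DIRECTORY = {
    "alice": {"enabled": True, "groups": ["linux-admins", "web-ops"],
              "sshPublicKey": ["ssh-ed25519 AAAAC3Nz...ALICE1 alice@laptop"],
              "sshKeyExpires": "2099-01-01T00:00:00+00:00"},
    "bob":   {"enabled": False,  # disabled account: must contribute no keys
              "groups": ["web-ops"],
              "sshPublicKey": ["ssh-ed25519 AAAAC3Nz...BOB1 bob@laptop"],
              "sshKeyExpires": "2099-01-01T00:00:00+00:00"},
    "carol": {"enabled": True, "groups": ["web-ops"],
              "sshPublicKey": ["ssh-ed25519 AAAAC3Nz...CAROL1 carol@laptop"],
              "sshKeyExpires": "2020-01-01T00:00:00+00:00"},  # expired key
    "dave":  {"enabled": True, "groups": ["web-ops"],
              "sshPublicKey": ["ssh-ed25519 AAAAC3Nz...DAVE1 dave@desk",
                               "ssh-ed25519 AAAAC3Nz...DAVE2 dave@laptop"],
              "sshKeyExpires": None},  # no expiry set
}

# Constructed per-host policy: which directory groups may log in with their
# personal account, and which groups may assume each shared account.
HOST_POLICY = {
    "web01": {
        "allowed_groups": {"linux-admins", "web-ops"},
        "shared_accounts": {"apache": {"web-ops"}, "root": {"linux-admins"}},
    },
}


def _account_usable(rec, now):
    """An account contributes keys only if it is enabled and its key
    expiry, when set, still lies in the future."""
    if not rec.get("enabled", False):
        return False
    exp = rec.get("sshKeyExpires")
    if exp and datetime.fromisoformat(exp) <= now:
        return False
    return True


def resolve_keys(host, login_account, now=None):
    """Return (ldap_user, public_key) pairs permitted to log in as
    `login_account` on `host`. Unknown hosts and users deny by default."""
    now = now or datetime.now(timezone.utc)
    policy = HOST_POLICY.get(host)
    if policy is None:
        return []
    shared = policy["shared_accounts"].get(login_account)
    if shared is not None:
        # Shared (non-personal) account: every member of a mapped group
        # may use it, and each key stays attributed to its owner.
        candidates = [(u, r) for u, r in DIRECTORY.items()
                      if set(r["groups"]) & shared]
    else:
        # Personal account: the directory user of the same name, provided
        # one of its groups is allowed on this host.
        rec = DIRECTORY.get(login_account)
        if rec is None or not (set(rec["groups"]) & policy["allowed_groups"]):
            return []
        candidates = [(login_account, rec)]
    result = []
    for user, rec in candidates:
        if _account_usable(rec, now):
            for key in rec.get("sshPublicKey", []):
                result.append((user, key))
    return result


def authorized_keys_lines(host, login_account, now=None):
    """Format the resolved keys as authorized_keys lines. The environment
    option carries the directory user so the session can be attributed
    even on a shared account (assumes PermitUserEnvironment in sshd)."""
    return [f'environment="LDAP_USER={u}" {k}'
            for u, k in resolve_keys(host, login_account, now)]


if __name__ == "__main__":
    # Usage: the resolver would be invoked by sshd as
    # AuthorizedKeysCommand with the login account (%u) as argument.
    import sys
    account = sys.argv[1] if len(sys.argv) > 1 else "apache"
    print("\n".join(authorized_keys_lines("web01", account)))
```

Running it for `apache` yields alice's and dave's keys but not bob's (disabled) or carol's (expired), which is exactly the "automatic removal" and "key expiration" behaviour the list above describes, while `LDAP_USER` in each line is what makes a login as `apache` traceable back to a person.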
Architectural Considerations
The RCDevs stack is designed around several operational principles:
- Determinism: No background code execution, cloud callbacks, or runtime behavior changes without admin intervention.
- Isolation: All components are deployable in closed networks.
- Traceability: Authentication decisions and key-based logins are logged and attributable.
- Policy centralization: Access control logic lives in a single directory-backed model.
- No external service dependency: No APIs or infrastructure outside the EU.
This model may be relevant for teams designing for zero-trust architectures, segmented networks, or high-compliance sectors such as critical infrastructure, finance, or government systems.
The changing global context has redefined what “secure” means in authentication systems. Security teams must now evaluate access control infrastructure not only for feature sets, but also for legal exposure, supply chain independence, and operational control.
RCDevs offers a set of access control components—OpenOTP for authentication and SpanKey for SSH key management—that address these concerns from a design and jurisdictional perspective. Built and maintained entirely within Europe, these tools align with requirements around data sovereignty, deterministic software behavior, and full operator control.
This architecture may be useful to consider for environments where long-term predictability and internal control over authentication logic are required. RCDevs offers an appliance with a freeware license (up to 25 users) for smaller companies needing security without breaking the bank. It is also an easy way to run a proof of concept!