Secure Access Stack is a public-safe case study derived from real privacyIDEA deployment and productization work. It documents how complex MFA and identity infrastructure can be translated into a deployable, maintainable security offering for SMBs in Guatemala and LATAM.
This repository is intentionally architecture-led. It documents system design, delivery logic, regional fit, and business framing without exposing sensitive internal implementation details.
Many SMB environments need stronger authentication for VPNs, internal systems, and administrative access, but face three recurring barriers:
- international SaaS pricing that does not fit local budgets
- operational complexity in upstream identity tooling
- lack of adaptation to local infrastructure and compliance realities
In practice, the buyer is rarely purchasing "2FA" as a standalone feature. They are buying reduced exposure, better audit posture, lower operational friction, and a clearer operational model for identity control.
Secure Access Stack frames MFA and identity hardening as a productized operational layer rather than a raw software install.
It combines:
- MFA and token-based access control
- RADIUS-oriented integration patterns
- LDAP and directory-backed identity flows
- secure administration surfaces
- repeatable deployment and validation logic
- maintainability for small infrastructure teams
- Initial implementation: environment prep, identity integration, security baseline, operator handoff
- Ongoing operations: updates, validation, monitoring, incident support, operational maintenance
This turns identity hardening into a manageable service line rather than a one-time technical install.
+-------------------------+
| Users / Clients |
| VPN / Web / Admin UI |
+-----------+-------------+
|
HTTPS / RADIUS
|
+-----------v-------------+
| Access Surface |
| Reverse Proxy / WAF |
| Auth Challenge Entry |
+-----------+-------------+
|
+-----------v-------------+
| MFA Service Layer |
| Token Validation |
| Enrollment Flows |
| Policy Evaluation |
+-----------+-------------+
|
+-----------v-------------+
| RADIUS / Directory |
| Network Access Policy |
| LDAP / Identity Res. |
| Authorization Logic |
+-----------+-------------+
|
+-----------v-------------+
| Data and Cache Layer |
| Persistent Store |
| Session Management |
| Policy and Audit Data |
+-----------+-------------+
|
+-----------v-------------+
| Operations Layer |
| Validation / Health |
| Monitoring / Alerts |
| Audit Trail / Logs |
+-------------------------+
./validate.sh --check identity-integration
./validate.sh --check mfa-service
./validate.sh --check radius-policy
./health.sh --ping mfa-service --expect 200
./health.sh --ping radius --expect accept
./audit.sh --export last-30-days
./audit.sh --summary access-eventsThese commands are illustrative of the deployment and operations model. The repo documents architecture, not executable code.
The value is not only technical. The stack helps translate security requirements into deployable business outcomes:
- lower adoption friction
- better audit posture
- reduced exposure from weak authentication
- more maintainable identity infrastructure
- clearer operational ownership
Informed by a real implementation path: a deployable MFA and identity hardening stack built around privacyIDEA-oriented infrastructure, adapted for faster rollout and lower friction in Guatemala and LATAM operating contexts.
Key lessons from that implementation path:
- buyers respond to business outcomes more than protocol names
- local budgets and support realities materially affect architecture choices
- maintainability is often as important as feature breadth
- regional compliance and audit expectations shape the product framing
docs/architecture.md— public architecture, component responsibilitiesdocs/case-study.md— productized MFA implementation summarydocs/design-principles.md— framework intent and ecosystem relationdocs/regulatory-context.md— Guatemala and LATAM compliance contextdocs/use-cases.md— target scenarios and business outcomesdocs/roadmap.md— public direction and expansion areas
MIT — see LICENSE
Angel Esquivel — @aentrepreneur