Secure authentication

Authentication is about validating the identity of an entity such as a user or a system. The authentication step itself has only two outcomes, True or False: the entity is granted access or it is not. By authenticating the entity, you establish that its claimed identity is correct and that it is allowed to access a system (or application). When the authentication procedure has finished, the authorization procedure starts, giving the entity the appropriate access (or rights) within the system. How authentication is performed may vary from system to system, depending on the classification of the system the entity needs to access.

How

When implementing a secure authentication process, it is important to consider the following:

  • Do not display any information that might be sensitive before the entity has been authenticated and the log-on procedure has finished successfully. This includes any information about the system the entity wants to log on to, so that an unauthorized entity is not given any unnecessary assistance.
  • Display a general notice warning that the system should only be accessed by authorized users. Depending on your type of organization and jurisdiction, this may be a regulatory requirement.
  • Only validate the provided log-on information after all input needed to authenticate an entity has been completed. This way you avoid giving unauthorized users information about which log-on accounts are valid.
  • Protect your system against brute force attacks, for example with a CAPTCHA, a forced password reset, or even blocking the user after a number of failed attempts.
  • Make sure you log all successful and unsuccessful log-on attempts, so you can always check who logged on (or tried to) to a system and when, and correlate this with other logging you might have, preferably in a Security Information and Event Management (SIEM) tool.
  • Do not display a password in clear text while the user enters it. It may be necessary to allow this masking to be turned off, but that choice should be made by the user; the default should be to mask the password.
  • Do not transmit the password in clear text over a network, as it can be captured by others who have access to that network.
  • When a session has been inactive for a certain amount of time, terminate the session, especially when the information in that system has a high classification level.
  • When the system is only accessed at specific times, such as during office hours, you can disable access to it outside those times. You can shut down the system itself, only the log-on module, or the network connection. This prevents unauthorized access when nobody is watching and the system is not needed.
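As an added illustration (not code from the original page), a minimal Python log-on module that applies several of the points above: the password hash is always computed and one uniform answer is returned whether the account is unknown, locked or the password is wrong; the account locks after a fixed number of failures; every attempt is written to an audit log; and idle sessions are terminated. The constants, the in-memory account store and the injected `now` clock value are assumptions made for this example.

```python
import hashlib, hmac, os
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5      # account is locked once this many failures accumulate
IDLE_TIMEOUT_SECONDS = 900   # sessions idle longer than this are terminated


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: stolen hashes cannot be cheaply guessed offline.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0   # reset on success; lockout when >= MAX_FAILED_ATTEMPTS


class Authenticator:
    def __init__(self):
        self.accounts = {}    # username -> Account (constructed in-memory store)
        self.audit_log = []   # (time, username, outcome) for every attempt, good or bad
        self.sessions = {}    # session id -> time of last activity

    def register(self, username, password):
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, hash_password(password, salt))

    def login(self, username, password, now):
        # Returns a session id on success, None otherwise. Unknown user, wrong password
        # and locked account all get the same answer after the same amount of work
        # (a fixed dummy salt keeps the hash cost identical for unknown users).
        acct = self.accounts.get(username)
        candidate = hash_password(password, acct.salt if acct else b"\x00" * 16)
        ok = (acct is not None and acct.failed_attempts < MAX_FAILED_ATTEMPTS
              and hmac.compare_digest(candidate, acct.pw_hash))
        if acct is not None:
            acct.failed_attempts = 0 if ok else acct.failed_attempts + 1
        self.audit_log.append((now, username, "success" if ok else "failure"))
        if not ok:
            return None
        sid = os.urandom(16).hex()
        self.sessions[sid] = now
        return sid

    def touch_session(self, sid, now):
        # Returns True if the session is still live; an idle session is dropped.
        last = self.sessions.pop(sid, None)
        if last is None or now - last > IDLE_TIMEOUT_SECONDS:
            return False
        self.sessions[sid] = now
        return True
```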

There are multiple ways to authenticate an entity. These include passwords, two-factor authentication, biometric data such as fingerprints, facial recognition, voice recognition and iris scans, and other forms of authentication. Each method has its own pros and cons, and it is important to choose the most appropriate option for the situation. Passwords are the most commonly used form of authentication and should be long and complex enough to be difficult to guess. Two-factor authentication requires a second verification code or factor before access is granted, while biometric data such as fingerprints and iris scans are more secure since they are unique to each individual.

Risks

The risks when setting up secure authentication include the use of weak passwords, reusing the same password for multiple sites, and not using two-factor authentication. Weak passwords can be easily guessed or cracked, while reusing a password across sites makes it easier for malicious actors to gain access to your data once one site is compromised. With two-factor authentication, on the other hand, even if your password is guessed or stolen, the malicious actor still cannot gain access without the second verification code or factor. It is important to use strong passwords, use a different password for each account, and use two-factor authentication whenever possible in order to protect your data.

Example Control Ruleset

When the following controls are in place, you should be compliant with this topic:

  • Setup of encrypted communication to protect data during transmission
  • Usage of strong passwords with a minimum length that contain a mix of upper and lower case letters, numbers, and symbols
  • Set up two-factor authentication where possible
  • Session timeouts have been set so that idle connections are automatically closed
  • Logging of user actions to monitor for suspicious activity
  • Having an appropriate user access policy that outlines the expected levels of security and acceptable use of data

Related links

Secure Azure AD on Microsoft Azure
Security best practices in IAM at Amazon AWS
Authentication on Google Cloud