Identity compliance requirements: reference guide (last updated August 2025)


Authentication

Authentication is the process of verifying the identity of the users accessing an organization's systems: it checks that you are who you say you are when you log into company systems. Authentication ensures that only legitimate users get access, and it helps keep a record of who actually performed a specific action.

Password and credential management

Passwords are still the foundation of authentication and the focus of most compliance requirements.

But things have changed: we used to rely solely on basic authentication using username/password combinations, making password policies critical. Now, with multi-factor authentication and passkeys becoming mainstream, authentication requirements are evolving.

Common compliance requirements

  • Minimum password length
  • Minimum password complexity
  • Requirements for password generation, e.g., must be random
  • Frequency of password rotation
  • Restrictions on password reuse
  • Restrictions on password sharing
  • Restrictions on password storage, e.g., using a password manager
  • Storage of passwords at rest, including encryption, salting, and hashing
  • Process for initially assigning a password
  • Process for resetting a password

Compliance frameworks do not typically have requirements for what happens if a password is discovered to be compromised, or discovered in a data breach. Needless to say, you should rotate it and may need to treat it as an incident.

Multi-Factor Authentication (MFA)

Multi-factor authentication requires users to provide multiple ways to verify their identity before gaining access. MFA is typically some combination of something you know (like a password), something you have (like your phone), and something you are (like your fingerprint).

Multi-factor authentication (MFA) is more commonly referenced than two-factor authentication (2FA), since multiple factors could be required.

Common compliance requirements

  • Acceptable types of factors
  • Situations requiring MFA, e.g., remote access, privileged actions, or sensitive data access
  • Time-based expiration of a factor
  • Requirements for storage and transmission of factor secrets, e.g., bound to hardware
  • Process for enrolling a factor
  • Process for verifying a factor
  • Backup authentication process for when MFA is unavailable

Session management

Session management decides how long after login a user's authentication remains valid, and when they must re-authenticate. This helps prevent unauthorized access through abandoned or hijacked sessions.

Common compliance requirements

  • Maximum session duration
  • Session timeouts for inactive users
  • Session termination on logout
  • Limits on concurrent sessions, i.e., simultaneous logins
  • Situations requiring re-authentication, e.g., sensitive actions
  • Restrictions on remembered devices, e.g., "Remember this device", "Remember me", or "Save my ID" to save authentication details in browser cookies
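An added example, not code from the guide, showing how the session requirements above can be enforced in application code: an absolute maximum duration, an inactivity timeout, re-authentication for sensitive actions, server-side termination on logout, and a cap on concurrent sessions. The policy figures and the session timeline are constructed for illustration, not values prescribed by any framework.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
@dataclass(frozen=True)
class SessionPolicy:  # figures are constructed for this example, not prescribed by any framework
    max_duration: timedelta = timedelta(hours=12)    # absolute lifetime from login
    idle_timeout: timedelta = timedelta(minutes=30)  # inactivity limit
    reauth_window: timedelta = timedelta(minutes=5)  # freshness needed for sensitive actions
    max_concurrent: int = 2                          # simultaneous logins per user

@dataclass
class Session:
    user: str
    created_at: datetime    # login time; activity never extends it
    last_seen_at: datetime  # last request
    last_auth_at: datetime  # last password/MFA check (login or step-up)
    active: bool = True     # False after logout or forced revocation

def check(s: Session, p: SessionPolicy, now: datetime, sensitive: bool = False) -> str:
    """Return 'ok' or the refusal reason; a dead session is never offered re-authentication."""
    if not s.active:
        return "revoked"
    if now - s.created_at > p.max_duration:
        return "expired-absolute"
    if now - s.last_seen_at > p.idle_timeout:
        return "expired-idle"
    if sensitive and now - s.last_auth_at > p.reauth_window:
        return "reauth-required"
    s.last_seen_at = now  # activity extends only the idle window, never the absolute limit
    return "ok"

def login(sessions: list, user: str, now: datetime, p: SessionPolicy) -> Session:
    live = sorted((x for x in sessions if x.user == user and x.active), key=lambda x: x.created_at)
    for old in live[: max(0, len(live) - p.max_concurrent + 1)]:  # revoke oldest over the limit
        old.active = False
    sessions.append(Session(user, now, now, now))
    return sessions[-1]

def run_scenario() -> dict:  # constructed timeline; returns the verdict at each step
    t0, p, sessions = datetime(2025, 8, 1, 9, 0, tzinfo=timezone.utc), SessionPolicy(), []
    m = lambda n: t0 + timedelta(minutes=n)
    s = login(sessions, "alice", t0, p)
    out = {"early": check(s, p, m(10)), "stale-sensitive": check(s, p, m(11), sensitive=True)}
    s.last_auth_at = m(11)  # step-up: user re-entered password or MFA
    out["fresh-sensitive"], out["idle"] = check(s, p, m(12), sensitive=True), check(s, p, m(43))
    out["absolute"] = check(s, p, m(721))  # 12 h + 1 min after login
    s.active = False                       # logout terminates the session server-side
    out["after-logout"] = check(s, p, m(722))
    b1, *_ = (login(sessions, "bob", m(i), p) for i in range(3))  # third login evicts the first
    out["bob-oldest"], out["bob-live"] = check(b1, p, m(3)), sum(x.active for x in sessions if x.user == "bob")
    return out
```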

Authentication attempts

Limiting the number of authentication attempts helps prevent automated brute force attacks, such as credential stuffing.

Common compliance requirements

  • Locking out accounts after a number of failed authentication attempts
  • Cooldown periods for locked-out accounts
  • Process for unlocking locked-out accounts
  • Alerts for failed authentication attempts
  • Abuse protection for automated login attempts, e.g., reCAPTCHA

Service accounts

Service accounts are credentials used by services or applications to access resources, including for service-to-service communication. Service account credentials are typically API keys or certificates.

Common compliance requirements

  • Minimum complexity of credentials, i.e., randomly generated
  • Encrypted storage of credentials
  • Frequency of credential rotation
  • Restrictions on interactive logins, i.e., these credentials should not be used to log into a user account
  • Inventory of service accounts
  • Logging and monitoring of service account usage