Safeguarding Access to Systems and Services
Introduction
Secure authentication mechanisms are essential for verifying the identity of users, software processes, and other entities before granting access to systems, applications, and services. By choosing appropriate authentication techniques and procedures, organisations can protect against unauthorised access and reduce the likelihood of data breaches.
Purpose
The goal of secure authentication is to ensure that only authorised individuals or entities can access confidential information, systems, and applications. This is accomplished by implementing controls that match the sensitivity of the data, establishing strong authentication methods, and employing multiple security layers where necessary.
Selecting Appropriate Authentication Methods
Assess Information Sensitivity
Align the strength of authentication with the classification of information being accessed. More sensitive data may require more robust authentication mechanisms.
Multi-Factor Authentication (MFA)
Combine at least two factors of different types: something you know (e.g., a password or PIN), something you have (e.g., a security token or authenticator app) and something you are (e.g., a fingerprint or face). Two factors of the same type, such as a password plus a security question, do not provide the extra assurance MFA is meant to give.
Consider dynamic (risk-based) MFA policies that prompt for an additional factor only when the context of the log-on is unusual, such as an unknown device, an unexpected location or a log-on outside the user's normal hours.
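The following is an added example (not code from the original page) of the dynamic policy just described: it compares a log-on attempt with what is known about the user and decides which factors must be presented. The risk signals, the scoring and the mapping from score to factors (password only, password plus TOTP, password plus a phishing-resistant hardware key) are assumptions made for this illustration, not a policy the page prescribes.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class UserProfile:
    known_devices: FrozenSet[str]      # device identifiers seen on earlier successful log-ons
    usual_countries: FrozenSet[str]    # ISO 3166 codes of the user's normal locations
    usual_hours_utc: Tuple[int, int] = (7, 20)   # [start, end) hour window of normal activity


@dataclass(frozen=True)
class LoginAttempt:
    device_id: str
    country: str
    at: datetime
    classification: str   # sensitivity of the target: "public", "internal" or "confidential"


def risk_signals(attempt: LoginAttempt, profile: UserProfile) -> List[str]:
    """Context signals that make this attempt unusual for this user (assumed signal set)."""
    signals = []
    if attempt.device_id not in profile.known_devices:
        signals.append("unknown_device")
    if attempt.country not in profile.usual_countries:
        signals.append("unusual_country")
    start, end = profile.usual_hours_utc
    hour = attempt.at.astimezone(timezone.utc).hour
    if not start <= hour < end:
        signals.append("off_hours")
    return signals


def required_factors(attempt: LoginAttempt, profile: UserProfile) -> Tuple[List[str], List[str]]:
    """Decide which factors this log-on must present. Assumed policy:
    score 0 -> knowledge factor only; score 1 -> add a possession factor;
    score >= 2 -> the possession factor must be phishing-resistant (hardware key).
    Confidential resources add one point so they always get at least two factors."""
    signals = risk_signals(attempt, profile)
    score = len(signals) + (1 if attempt.classification == "confidential" else 0)
    factors = ["password"]                       # something you know, always required
    if score == 1:
        factors.append("totp")                   # something you have
    elif score >= 2:
        factors.append("hardware_key")           # something you have, phishing-resistant
    return factors, signals


if __name__ == "__main__":
    # Constructed profile and attempts for demonstration.
    profile = UserProfile(frozenset({"laptop-01"}), frozenset({"GB"}))
    when = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    for attempt in (
        LoginAttempt("laptop-01", "GB", when, "internal"),
        LoginAttempt("phone-99", "GB", when, "internal"),
        LoginAttempt("phone-99", "US", when, "confidential"),
    ):
        print(attempt.device_id, attempt.country, required_factors(attempt, profile))
```

Returning the signals alongside the decision matters in practice: they are what gets written to the authentication log and what an analyst needs when reviewing why a user was, or was not, challenged.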
Biometric Considerations
Protect stored biometric data (ideally only templates, not raw samples) and, if it is compromised, invalidate the affected enrolment: unlike a password, a biometric cannot be changed or reissued, so a leaked template undermines trust in every system that relies on it.
Provide alternative or fallback methods for cases where biometric authentication is unavailable or fails (injury, sensor fault, accessibility needs), and make sure the fallback is not weaker than the method it replaces.
Secure Log-On Procedures
Minimal Disclosure
Avoid displaying sensitive system or application information until after a successful log-on.
Present a general warning that only authorised users should access the system.
No Detailed Error Messages
On a failed log-on, return the same generic message (e.g., "Invalid username or password") whether the username or the password was wrong; otherwise an attacker can confirm which usernames exist and concentrate password guessing on them.
Validation and Protection
Validate the log-on information only after all input data has been submitted; do not check the username before the password is entered, as that again reveals which part is wrong.
Use measures such as CAPTCHAs, rate limiting or temporary account lockouts to deter brute-force attempts. Permanent lockouts let an attacker deny service to legitimate users simply by guessing wrong, so prefer time-limited lockouts or progressive delays.
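As an added example (not code from the original page) of the log-on rules above, the following minimal login service validates username and password together, returns one generic message for every failure, spends the same amount of work on unknown usernames as on known ones so that response time does not leak account existence, and applies a time-limited lockout after repeated failures. The lockout threshold, lockout duration and PBKDF2 iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# One message for every failure: wrong username, wrong password and a
# locked account all look identical to the caller.
GENERIC_ERROR = "Invalid username or password."
MAX_FAILURES = 5            # consecutive failures before a temporary lockout (assumed policy)
LOCKOUT_SECONDS = 15 * 60   # assumed lockout duration
# Assumed PBKDF2 work factor, kept low so the example runs quickly; production
# deployments should use the current OWASP-recommended iteration count.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0          # consecutive failed attempts since the last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        # Decoy credential: unknown usernames are verified against it so that the
        # response time does not reveal whether the account exists.
        self._decoy_salt, self._decoy_digest = hash_password(os.urandom(32).hex())

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = Account(salt, digest)

    def is_locked(self, username: str, now: float) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and acct.locked_until > now

    def login(self, username: str, password: str, now: Optional[float] = None) -> Tuple[bool, str]:
        """Validate username and password together; the caller never learns which one failed."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        # Hash the submitted password in every case, including unknown users and
        # locked accounts, so the work done does not depend on the branch taken.
        salt, digest = (acct.salt, acct.digest) if acct else (self._decoy_salt, self._decoy_digest)
        _, candidate = hash_password(password, salt)
        password_ok = hmac.compare_digest(candidate, digest)  # constant-time comparison
        if acct is None:
            return False, GENERIC_ERROR
        if acct.locked_until > now:
            # The lockout is enforced and logged server-side; it is not announced to the client.
            return False, GENERIC_ERROR
        if password_ok:
            acct.failures = 0
            return True, "OK"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return False, GENERIC_ERROR


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse battery staple")   # constructed test account
    print(svc.login("alice", "correct horse battery staple"))
    print(svc.login("alice", "wrong password"))
    print(svc.login("no-such-user", "wrong password"))
```

The lockout window is deliberately short and automatic: it slows an online guessing attack by a large factor without handing an attacker a way to lock legitimate users out indefinitely.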
Logging and Alerting
Record both successful and unsuccessful authentication attempts.
Generate alerts when suspicious activity is detected, for example multiple consecutive failed attempts against one account, or failures against many different accounts from a single source.
Inform users (on a separate channel or via on-screen prompts) of previous log-on activity, including unsuccessful attempts.
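The following added example (not code from the original page) runs the alerting and user-notification rules above over a constructed authentication log. The syslog-like line format and the thresholds (three consecutive failures, three distinct accounts from one source, five-minute window) are assumptions for the example; the sample lines, addresses and usernames are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample log (not from any real system); the format is assumed.
SAMPLE_LOG = """\
2024-05-01T08:00:00Z auth user=alice src=203.0.113.7 result=OK
2024-05-01T09:00:01Z auth user=alice src=198.51.100.23 result=FAIL
2024-05-01T09:00:10Z auth user=alice src=198.51.100.23 result=FAIL
2024-05-01T09:00:20Z auth user=alice src=198.51.100.23 result=FAIL
2024-05-01T09:01:00Z auth user=alice src=203.0.113.7 result=OK
2024-05-01T09:02:00Z auth user=bob src=203.0.113.8 result=OK
2024-05-01T09:05:00Z auth user=carol src=198.51.100.9 result=FAIL
2024-05-01T09:05:05Z auth user=dave src=198.51.100.9 result=FAIL
2024-05-01T09:05:10Z auth user=erin src=198.51.100.9 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text: str) -> List[dict]:
    """Turn log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def detect_alerts(events: List[dict], fail_threshold: int = 3, spray_threshold: int = 3,
                  window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Two detections: a streak of failures on one account, and one source
    failing against many accounts (password spraying)."""
    alerts: List[dict] = []
    fails_by_user: Dict[str, List[datetime]] = defaultdict(list)   # failures since last success
    fails_by_src: Dict[str, Dict[str, datetime]] = defaultdict(dict)  # src -> {user: latest fail}
    sprayed = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, src, ts = ev["user"], ev["src"], ev["ts"]
        if ev["result"] == "OK":
            fails_by_user[user].clear()   # a success ends the failure streak
            continue
        streak = fails_by_user[user]
        streak.append(ts)
        while streak and ts - streak[0] > window:   # keep only failures inside the window
            streak.pop(0)
        if len(streak) >= fail_threshold:
            alerts.append({"kind": "consecutive_failures", "user": user, "src": src,
                           "at": ts, "count": len(streak)})
            streak.clear()   # one alert per streak
        recent = fails_by_src[src]
        recent[user] = ts
        targets = sorted(u for u, t in recent.items() if ts - t <= window)
        if len(targets) >= spray_threshold and src not in sprayed:
            alerts.append({"kind": "password_spray", "src": src, "users": targets, "at": ts})
            sprayed.add(src)   # one alert per source
    return alerts


def login_notice(events: List[dict], user: str) -> Optional[dict]:
    """What to tell the user after their latest successful log-on: the previous
    successful log-on (time and source) and how many attempts failed in between."""
    own = sorted((e for e in events if e["user"] == user), key=lambda e: e["ts"])
    successes = [i for i, e in enumerate(own) if e["result"] == "OK"]
    if not successes:
        return None
    latest = successes[-1]
    previous = successes[-2] if len(successes) > 1 else None
    start = previous + 1 if previous is not None else 0
    failed = sum(1 for e in own[start:latest] if e["result"] == "FAIL")
    return {
        "previous_success": own[previous]["ts"] if previous is not None else None,
        "previous_src": own[previous]["src"] if previous is not None else None,
        "failed_since": failed,
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in detect_alerts(evs):
        print(alert)
    print(login_notice(evs, "alice"))
```

On this input the first detection fires for alice after her third failure, and the spray detection fires for 198.51.100.9 once it has failed against carol, dave and erin; alice's notice at her 09:01 log-on reports three failed attempts since her previous successful log-on from 203.0.113.7, which is exactly the kind of prompt that lets a user recognise an attack on their account.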
Password Management
Hide password input to prevent shoulder-surfing. In certain situations (e.g., accessibility), partial visibility may be allowed.
Never send passwords in clear text over a network: transmit them only over an encrypted channel (e.g., TLS) and store them only as salted, slow hashes, never in a reversible form.
Session Termination
End inactive sessions after a predefined period, particularly for high-risk environments such as public areas or unmanaged devices.
Restrict connection durations for high-risk applications to narrow the opportunity window for unauthorised access.
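As an added example (not code from the original page) of the two session rules above, the following in-memory session store enforces both an idle timeout and an absolute lifetime, with a tighter profile for high-risk contexts, and ends sessions server-side so an expired token cannot be replayed. The profile names and their timeout values are assumptions for the illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class SessionPolicy:
    idle_timeout: float   # seconds without activity before the session is ended
    max_lifetime: float   # absolute cap in seconds, regardless of activity


# Assumed policies: a shorter idle timeout and a hard cap on connection duration
# for high-risk contexts such as public areas or unmanaged devices.
POLICIES: Dict[str, SessionPolicy] = {
    "managed_workstation": SessionPolicy(idle_timeout=30 * 60, max_lifetime=8 * 3600),
    "high_risk": SessionPolicy(idle_timeout=5 * 60, max_lifetime=30 * 60),
}


@dataclass
class Session:
    user: str
    policy: SessionPolicy
    created: float    # epoch seconds
    last_seen: float  # epoch seconds of the most recent validated request


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, profile: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable
        self._sessions[token] = Session(user, POLICIES[profile], now, now)
        return token

    def validate(self, token: str, now: float) -> Tuple[Optional[str], str]:
        """Return (user, "active") for a live session; otherwise (None, reason) and
        drop the session server-side so the token cannot be reused."""
        s = self._sessions.get(token)
        if s is None:
            return None, "unknown"
        if now - s.created > s.policy.max_lifetime:   # absolute cap checked first
            self.terminate(token)
            return None, "expired_lifetime"
        if now - s.last_seen > s.policy.idle_timeout:
            self.terminate(token)
            return None, "expired_idle"
        s.last_seen = now
        return s.user, "active"

    def terminate(self, token: str) -> None:
        self._sessions.pop(token, None)

    def terminate_user(self, user: str) -> int:
        """End every session of a user, e.g. on a suspected credential compromise."""
        doomed = [t for t, s in self._sessions.items() if s.user == user]
        for t in doomed:
            self.terminate(t)
        return len(doomed)

    def reap(self, now: float) -> int:
        """Background sweep: remove sessions that expired without any further request."""
        expired = [t for t, s in self._sessions.items()
                   if now - s.created > s.policy.max_lifetime
                   or now - s.last_seen > s.policy.idle_timeout]
        for t in expired:
            self.terminate(t)
        return len(expired)


if __name__ == "__main__":
    store = SessionStore()
    token = store.create("alice", "high_risk", now=0.0)   # constructed usage
    print(store.validate(token, now=60.0))      # active
    print(store.validate(token, now=400.0))     # idle for more than 5 minutes
    print(store.validate(token, now=401.0))     # already terminated
```

The absolute lifetime is what limits a stolen session on a kiosk or shared device: an attacker who keeps the session busy can defeat an idle timeout, but not a cap on total connection duration. The reap() sweep exists because sessions that are never used again would otherwise sit in the store until someone presents the token.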
Additional Considerations
Use strong, current encryption (e.g., TLS with modern cipher suites) to protect authentication data in transit.
Integrate incident response procedures to promptly handle suspected credential compromises.
Review authentication logs regularly to identify anomalies.
Refer to ISO/IEC 29115 for guidance on entity authentication assurance.
Conclusion
A well-designed authentication strategy is a foundational element of any robust information security programme. By selecting suitable techniques, implementing multi-factor authentication, protecting log-on procedures, and enforcing stringent session management policies, organisations can effectively safeguard their most sensitive resources and enhance overall trust in their security posture.