
ISO 27001:2022 A.8.5 Secure authentication

This article provides additional information on how you can meet the requirement for the ISO 27001:2022 control A.8.5 Secure authentication.

ISO 27001:2022 Control Description

Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control.

Purpose

To ensure a user or an entity is securely authenticated when access to systems, applications and services is granted.

Guidance on implementation

A suitable authentication technique should be chosen to substantiate the claimed identity of a user, software, messages and other entities.

The strength of authentication should be appropriate for the classification of the information to be accessed. Where strong authentication and identity verification are required, authentication methods other than passwords, such as digital certificates, smart cards, tokens or biometric means, should be used.

Authentication information should be accompanied by additional authentication factors for accessing critical information systems (also known as multi-factor authentication). Using a combination of authentication factors of different types, such as what you know, what you have and what you are, reduces the opportunities for unauthorised access; two factors of the same type (e.g. a password plus a memorable question) do not provide this benefit. Multi-factor authentication can be combined with other techniques to require additional factors under specific circumstances, based on predefined rules and patterns, such as access from an unusual location, from an unusual device or at an unusual time.

Biometric authentication information should be invalidated if it is ever compromised. Biometric authentication can be unavailable depending on the conditions of use (e.g. moisture or aging). To prepare for these issues, biometric authentication should be accompanied with at least one alternative authentication technique.

The procedure for logging into a system or application should be designed to minimise the risk of unauthorised access. Log-on procedures and technologies should be implemented considering the following:
a) not displaying sensitive system or application information until the log-on process has been successfully completed in order to avoid providing an unauthorised user with any unnecessary assistance.
b) displaying a general notice warning that the system or the application or the service should only be accessed by authorised users.
c) not providing help messages during the log-on procedure that would aid an unauthorised user (e.g. if an error condition arises, the system should not indicate which part of the data is correct or incorrect).
d) validating the log-on information only on completion of all input data.
e) protecting against brute force log-on attempts on usernames and passwords. For example, using a completely automated public Turing test to tell computers and humans apart (CAPTCHA), requiring a password reset after a predefined number of failed attempts, or blocking the user after a maximum number of errors. Note that lockout and forced reset can themselves be used to deny service to legitimate users, so thresholds, lock durations and recovery paths need to be chosen with that in mind.
f) logging unsuccessful and successful attempts.
g) raising a security event if a potential attempted or successful breach of log-on controls is detected (e.g. sending an alert to the user and the organisation’s system administrators when a certain number of wrong password attempts has been reached).
h) displaying or sending the following information on a separate channel on completion of a successful log-on:

1) date and time of the previous successful log-on;
2) details of any unsuccessful log-on attempts since the last successful log-on;

i) not displaying a password in clear text when it is being entered; in some cases it may be necessary to let the user reveal the password (e.g. for accessibility reasons, or to avoid locking users out because of repeated typing errors).
j) not transmitting passwords in clear text over a network, so that they cannot be captured by a network "sniffer" program (in practice, carrying the log-on exchange over an encrypted channel such as TLS).
k) terminating inactive sessions after a defined period of inactivity, especially in high risk locations such as public or external areas outside the organisation’s security management or on user endpoint devices.
l) restricting connection duration times to provide additional security for high-risk applications and reduce the window of opportunity for unauthorised access.
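As an added worked example (not text from the standard or from this FAQ), the Python log-on handler below applies items c) to h) of the guidance above in one place: a single generic error message whatever the cause of failure (c), verification only once the full credential is available and with the same cost for unknown usernames (d), a failure counter with lockout (e), logging of both outcomes (f), a security event at a failure threshold (g), and, on success, the time of the previous successful log-on and the failed attempts since it (h). The account store, the "alice" user and password, the thresholds and the SECURITY_EVENTS list are constructed stand-ins for a real directory and alerting pipeline, not anything the standard prescribes.

```python
import hashlib
import hmac
import logging
import os
import time
from dataclasses import dataclass, field
from typing import Optional

MAX_FAILURES = 5            # e) lock the account after this many consecutive failures (assumed value)
LOCKOUT_SECONDS = 900       # e) duration of the lock (assumed value)
ALERT_THRESHOLD = 3         # g) raise a security event at this many failures (assumed value)
GENERIC_ERROR = "Log-on failed."   # c) one message for every failure cause

log = logging.getLogger("logon")
SECURITY_EVENTS = []        # g) stand-in for the alerting/SIEM hook (assumption)


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored verifier cannot be replayed or looked up in a table.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class Account:
    salt: bytes
    verifier: bytes
    failures: int = 0                      # consecutive failures since the last success
    locked_until: float = 0.0              # e) epoch seconds until which log-on is refused
    last_success: Optional[float] = None   # h.1) time of the previous successful log-on
    failed_since_success: list = field(default_factory=list)  # h.2) timestamps of failures


def new_account(password: str) -> Account:
    salt = os.urandom(16)
    return Account(salt, _hash(password, salt))


# Constructed sample user; not real credentials.
ACCOUNTS = {"alice": new_account("correct horse battery staple")}

# Throwaway account used when the username is unknown, so the handler does the
# same amount of work (and returns the same message) whether or not the user exists.
_DECOY = new_account(os.urandom(16).hex())


def logon(username: str, password: str, now: Optional[float] = None) -> dict:
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(username)

    if acct is not None and acct.locked_until:
        if acct.locked_until > now:
            # e) an account under lockout is refused regardless of the password
            log.warning("logon refused: user=%s locked_until=%s", username, acct.locked_until)
            return {"ok": False, "message": GENERIC_ERROR}
        acct.failures = 0           # lock has expired: start a fresh counting window
        acct.locked_until = 0.0

    # d) verify only once all input is available; c) never say which part was wrong
    target = acct if acct is not None else _DECOY
    ok = hmac.compare_digest(_hash(password, target.salt), target.verifier)

    if acct is None or not ok:
        log.warning("logon failed: user=%s", username)                 # f)
        if acct is not None:
            acct.failures += 1
            acct.failed_since_success.append(now)
            if acct.failures >= ALERT_THRESHOLD:                        # g)
                SECURITY_EVENTS.append({"user": username, "failures": acct.failures, "at": now})
            if acct.failures >= MAX_FAILURES:                           # e)
                acct.locked_until = now + LOCKOUT_SECONDS
        return {"ok": False, "message": GENERIC_ERROR}

    log.info("logon succeeded: user=%s", username)                      # f)
    result = {
        "ok": True,
        "previous_logon": acct.last_success,                            # h.1)
        "failed_since_previous": list(acct.failed_since_success),       # h.2)
    }
    acct.last_success = now
    acct.failures = 0
    acct.failed_since_success.clear()
    return result


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for attempt in ("wrong", "wrong", "wrong", "correct horse battery staple"):
        print(logon("alice", attempt))
```

The two details worth copying are that the unknown-user path still runs the password hash against a decoy verifier, so response time does not leak whether a username exists, and that the information in item h) is captured from the account record before that record is updated with the new success, so the user sees the previous log-on and the failures since it rather than the current one. Session inactivity timeouts (k) and connection duration limits (l) sit in the session layer rather than the log-on handler and are not shown here.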