
ISO 27001: 2022 A.5.17 Authentication information

This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 A.5.17 Authentication information.

ISO 27001: 2022 Control Description

Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information.

Purpose

To ensure proper entity authentication and to prevent failures in the authentication process.

Guidance on implementation

The allocation and management process should ensure that:

a) Personal passwords or personal identification numbers (PINs) generated automatically during enrolment processes as temporary secret authentication information are non-guessable and unique for each person, with users required to change them after first use;

b) Procedures are established to verify a user’s identity prior to providing new, replacement, or temporary authentication information;

c) Authentication information, including temporary authentication information, is transmitted to users securely (e.g. over an authenticated and protected channel), avoiding the use of unprotected (clear text) electronic mail messages for this purpose;

d) Users acknowledge receipt of authentication information;

e) Default authentication information as predefined or provided by vendors is changed immediately following the installation of systems or software;

f) Records of significant events concerning the allocation and management of authentication information are kept, ensuring their confidentiality, with the record-keeping method being approved (e.g. by using an approved password vault tool).

User Responsibilities

Anyone with access to or using authentication information should be advised to ensure that:

a) Secret authentication information, such as passwords, is kept confidential. Personal secret authentication information should not be shared with anyone. Secret authentication information used in contexts linked to multiple users or non-personal entities should only be shared with authorised persons;

b) Affected or compromised authentication information is changed immediately upon notification or any other indication of compromise;

c) When passwords are used as authentication information, strong passwords should be selected according to best practice recommendations, for example:

  1. Passwords should not be based on anything that someone else can easily guess or obtain using personal information (e.g. names, telephone numbers, and dates of birth);
  2. Passwords should not be based on dictionary words or combinations thereof;
  3. Use easy-to-remember passphrases, including alphanumerical and special characters where possible;
  4. Passwords should have a minimum length;

d) The same passwords are not used across distinct services and systems;

e) The obligation to follow these rules is also included in terms and conditions of employment (see A.6.2).

Password Management System

When passwords are used as authentication information, the password management system should:

a) Allow users to select and change their own passwords, including a confirmation procedure to address input errors;

b) Enforce strong passwords according to best practice recommendations [see c) of "User Responsibilities"];

c) Require users to change their passwords at first login;

d) Enforce password changes as necessary, for example after a security incident or upon termination or change of employment when a user knows passwords for identities that remain active (e.g. shared identities);

e) Prevent the re-use of previous passwords;

f) Prevent the use of commonly used passwords and compromised username-password combinations from hacked systems;

g) Ensure that passwords are not displayed on the screen when being entered;

h) Store and transmit passwords in a protected form.

Password encryption and hashing should be performed according to approved cryptographic techniques for passwords (see A.8.24).
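The points above are stated as requirements, not as code. The following is an added example, not part of the ISO text or of any vendor's product, showing what a minimal password management service satisfying them looks like in Python: random temporary passwords at enrolment that must be changed at first login (enrolment point a, system point c), identity verification and a confirmation entry before a change (a, b), a strength check against length, personal data, dictionary combinations and a breached-password list (b, f), blocking of previous passwords (e), an event log that never contains secrets, and salted PBKDF2 storage in place of plaintext (h, A.8.24). The class and function names, the in-memory stores, and the tiny breached and dictionary word lists are constructed for the example; a real deployment would use maintained sources for the latter two and a terminal input method that does not echo the password (g).

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Constructed sample data standing in for a breached-credential feed and a
# dictionary word list; a deployment would use maintained sources instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
DICTIONARY_WORDS = {"summer", "winter", "dragon", "monkey", "sunshine"}

MIN_LENGTH = 12          # user responsibility c) 4.: minimum length
HISTORY_DEPTH = 5        # system e): how many previous passwords stay blocked
PBKDF2_ROUNDS = 600_000  # system h): approved KDF for protected storage (A.8.24)


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def is_dictionary_combo(letters: str) -> bool:
    """True if `letters` is one dictionary word or a concatenation of them."""
    if not letters:
        return True
    return any(letters.startswith(w) and is_dictionary_combo(letters[len(w):])
               for w in DICTIONARY_WORDS)


def check_strength(password: str, personal_info=()) -> list[str]:
    """Return the policy violations of a candidate password (empty list = acceptable)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:               # system f): commonly used / breached
        problems.append("commonly used or breached password")
    letters = "".join(ch for ch in lowered if ch.isalpha())
    if letters and is_dictionary_combo(letters):  # user c) 2.: dictionary combinations
        problems.append("dictionary word or combination of dictionary words")
    for item in personal_info:                    # user c) 1.: guessable personal data
        if item and item.lower() in lowered:
            problems.append(f"contains personal information: {item}")
    return problems


@dataclass
class Account:
    salt: bytes
    digest: bytes
    must_change: bool = True                       # system c): change at first login
    history: list = field(default_factory=list)    # previous (salt, digest) pairs


class PasswordManager:
    def __init__(self):
        self.accounts: dict[str, Account] = {}
        self.events: list[tuple[str, str]] = []    # f) records of events, no secrets

    def enrol(self, username: str) -> str:
        """Create an account with a random temporary password (enrolment point a)."""
        temp = secrets.token_urlsafe(12)           # non-guessable and unique per person
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, derive(temp, salt))
        self.events.append(("enrol", username))
        # Point c): the caller must hand `temp` over a protected channel, never clear-text mail.
        return temp

    def verify(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None:
            return False
        return hmac.compare_digest(derive(password, acct.salt), acct.digest)

    def change_password(self, username, current, new, confirm, personal_info=()):
        """Return violations; an empty list means the change was applied."""
        if not self.verify(username, current):     # b) verify identity first
            return ["current password incorrect"]
        if new != confirm:                         # a) confirmation against input errors
            return ["new password and confirmation differ"]
        problems = check_strength(new, personal_info)
        acct = self.accounts[username]
        previous = [(acct.salt, acct.digest)] + acct.history
        if any(hmac.compare_digest(derive(new, s), d) for s, d in previous):
            problems.append("re-use of a previous password")   # e)
        if problems:
            return problems
        acct.history = previous[:HISTORY_DEPTH]
        acct.salt = os.urandom(16)
        acct.digest = derive(new, acct.salt)
        acct.must_change = False
        self.events.append(("password_change", username))
        return []

    def force_change(self, username: str) -> None:
        """d) require a new password after an incident or a change of role."""
        self.accounts[username].must_change = True
        self.events.append(("forced_change", username))
```

Two design choices are worth noting. Previous passwords are compared by re-deriving the candidate under each stored salt rather than by keeping any reversible form, so the history store is no more sensitive than the live credential. The event log records who and what happened but never the secret itself, which is what makes it safe to keep as the record point f) asks for.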

Other Information

Passwords or passphrases are commonly used types of authentication information and are standard means of verifying a user’s identity. Other types of authentication information include cryptographic keys, data stored on hardware tokens (e.g. smart cards) that produce authentication codes, and biometric data such as iris scans or fingerprints.

Requiring frequent password changes can be problematic as users may become frustrated, forget new passwords, write them down in unsafe places, or choose unsafe passwords. Providing single sign-on (SSO) or other authentication management tools (e.g. password vaults) reduces the amount of authentication information that users need to protect, thereby increasing the effectiveness of this control. However, these tools can also increase the impact of any disclosure of authentication information.

Some applications require user passwords to be assigned by an independent authority. In such cases, points a), c), and d) of "Password Management System" do not apply.