Authentication means proving “who you are”. Users do this by providing credential information such as usernames, passwords, and codes generated from a unique (private) key they hold. Attackers can also do this by stealing, guessing, or re-using known credentials.
Attackers often gain unauthorised access to systems by:
- running phishing campaigns that trick users into entering credentials into a fake login page
- re-using credentials they find from breaches of other websites
- running automated scripts to try to guess credentials
- using default credentials, set by vendors, which are easily found on the internet
- authenticating to a system using insecure protocols that allow them to bypass security controls, like multi-factor authentication (MFA).
Since attackers can use multiple techniques and tactics to gain unauthorised access, it is important to take a holistic approach when securing authentication to a system.
The intent of this control is for organisations to configure their authentication systems to prevent unauthorised access. The three main focus areas are:
- enabling MFA configurations across all accounts that have administrative access, are accessible from the internet, or are managed by a central identity provider
- disabling all default accounts, or resetting the passwords and storing them in a secure location
- disabling all legacy protocols and frameworks at the central identity provider level that are vulnerable or do not support MFA.
Implementing this control requires you to look at each of these areas in-depth, as well as having some operational processes across your environment as detailed below.
It’s important to tackle and implement measures for each area, and the success characteristics below will help you understand if it’s been implemented well.
As well as the success criteria for the focus areas, your organisation has:
- identified all of the different authentication methods used for each type of hardware and software in the environment
- configured logging to capture:
  - administrative actions performed, including changes to authentication settings or policies
  - any login to a default account
  - multiple failed login and MFA attempts, and
  - suspicious login attempts, based on the user’s previous login behaviour
- stored all logs in a central location that is only accessible to those who require access.
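The logging requirements above only pay off if something reviews the events. The following added example (not part of the original guidance) is a minimal, vendor-neutral detector over constructed identity-provider events: it flags logins to assumed default account names, repeated password or MFA failures, and a successful login from a source and device pair never before seen for that user.

```python
from collections import defaultdict

# Constructed sample authentication events (not from the original page).
# Each event: timestamp, account, outcome, stage (password or mfa), source
# country and device identifier, as a central identity provider might log them.
EVENTS = [
    {"ts": 1, "user": "alice", "result": "fail", "stage": "password", "src": "NZ", "device": "laptop-a"},
    {"ts": 2, "user": "alice", "result": "fail", "stage": "password", "src": "NZ", "device": "laptop-a"},
    {"ts": 3, "user": "alice", "result": "fail", "stage": "password", "src": "NZ", "device": "laptop-a"},
    {"ts": 4, "user": "alice", "result": "fail", "stage": "mfa", "src": "NZ", "device": "laptop-a"},
    {"ts": 5, "user": "alice", "result": "success", "stage": "mfa", "src": "NZ", "device": "laptop-a"},
    {"ts": 6, "user": "admin", "result": "success", "stage": "password", "src": "NZ", "device": "console"},
    {"ts": 7, "user": "bob", "result": "success", "stage": "mfa", "src": "NZ", "device": "desktop-b"},
    {"ts": 8, "user": "bob", "result": "success", "stage": "mfa", "src": "BR", "device": "phone-x"},
]

DEFAULT_ACCOUNTS = {"admin", "root", "guest"}  # assumed vendor default account names
FAIL_THRESHOLD = 3  # consecutive failures per user and stage before alerting


def analyse(events, known_profiles=None):
    """Return (alert_type, user, ts) tuples for the three login-related log categories.

    known_profiles maps a user to the set of (src, device) pairs already trusted
    from earlier history; without it, a user's first successful login seeds it.
    """
    alerts = []
    fails = defaultdict(int)   # (user, stage) -> consecutive failures
    seen = defaultdict(set)    # user -> {(src, device), ...}
    for user, profile in (known_profiles or {}).items():
        seen[user].update(profile)
    for e in sorted(events, key=lambda x: x["ts"]):
        user, key = e["user"], (e["user"], e["stage"])
        if e["result"] == "fail":
            fails[key] += 1
            if fails[key] == FAIL_THRESHOLD:  # alert once per failure streak
                alerts.append((f"repeated_{e['stage']}_failures", user, e["ts"]))
            continue
        fails[key] = 0  # a success ends the streak
        if user in DEFAULT_ACCOUNTS:
            alerts.append(("default_account_login", user, e["ts"]))
        where = (e["src"], e["device"])
        if seen[user] and where not in seen[user]:
            alerts.append(("unseen_location_or_device", user, e["ts"]))
        seen[user].add(where)
    return alerts


if __name__ == "__main__":
    for alert in analyse(EVENTS):
        print(alert)
```

In production the thresholds and the baseline of known locations and devices would come from the identity provider's own history rather than a single batch of events.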
Multi-factor authentication
- All internet-facing services, administrative services, and central identity provider systems require users to enable MFA to access the system. Users are not able to access these systems without MFA.
- MFA methods used are free from known vulnerabilities and aren’t deprecated by standards-setting bodies, such as NIST.
- The MFA authentication module you use is kept up to date for systems your organisation owns and manages. Any related dependencies of the module are also kept up to date. The infrastructure that the module runs on is hardened (unused ports are blocked and it is patched).
Default accounts
- The software and hardware implementation process includes disabling default accounts or changing their passwords.
- All default accounts present in the software and hardware your organisation uses have been disabled or have a new, unique, and long password set.
- All new, long passwords set for default accounts are stored in a secure location, such as a password manager. This should only be accessible by people who require access for their job functions (such as a systems administrator).
Central identity provider
- All legacy protocols and frameworks are disabled by the central identity provider system. This includes protocols and frameworks with known vulnerabilities and those that don’t support MFA.
- Connected systems that use the central identity provider system for authentication use secure, up-to-date encryption, protocols and frameworks.
Key secure authentication takeaways
- Identifying all the authentication methods used for all the hardware and software in your environment can be hard and time consuming. Prioritise this work by looking at any internet-facing or business critical services first, then working on the rest.
- Each of these authentication security controls protects against different attack techniques. For example, MFA is a key control for protecting internet-facing or high-value accounts from brute-force or password-reuse attacks. Changing default credentials is a key control when you are rolling out vendor-provided software or hardware that is known to come with out-of-the-box credentials to get customers started. Securing your central identity provider system is a key control to prevent attackers from bypassing other controls, like MFA. Each of these controls addresses a different risk, which is why it is important to implement them all to make your authentication methods secure.
- If there’s a system that doesn’t allow you to set up MFA, assess the risk of unauthorised access. If it is accessible over the internet, it is at a much higher risk of unauthorised access. You may want to consider alternative systems that do allow MFA instead. If alternative systems aren’t possible, place the system behind another that allows MFA, such as a VPN or an MFA-enabled web proxy.
- Some MFA methods are easier to bypass, like codes sent by SMS. Prefer hardware or software tokens over SMS MFA if available. If a code sent by SMS is the only method available, it is still better than having no MFA at all.