5 Principles of Secure Authentication

This post breaks down 5 key principles to keep in mind when implementing an authentication system:

Always Enforce Password Strength

  • The Principle: Weak or already-leaked passwords are an open invitation to attackers, so the system, not the user, has to enforce a minimum bar:
    • Length: Longer is better. Set a generous minimum and allow long passphrases (64 characters or more) rather than capping length.
    • Blocklisting: Reject passwords that appear in known-breach corpora or common-password lists, and reject ones built from the user's own name, username or date of birth.
    • Complexity: Forced character classes (upper/lowercase, digits, symbols) add little against guessing and push users toward predictable patterns such as "Password1!"; current guidance (NIST SP 800-63B) favours length plus blocklisting over composition rules.
    • Uniqueness: A password reused from another site is only as safe as that site. The breach-list check is the system's lever here; the user's lever is the next item.
    • Password Managers: Allow pasting and long inputs so password managers can generate and store a strong, unique password per account.
  • Example: A system might require all user passwords to be at least 12 characters, reject any that appear in a breached-password list, and reject ones containing personal information (such as the user's name or date of birth) or the name of the service.
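A policy check along those lines, written here as an added example (not code from the original post). The breached-password set is a constructed stand-in for a real corpus such as a locally hosted copy of the Pwned Passwords list, and the 12-character minimum and the personal-information terms passed in are assumptions:

```python
import hashlib
import unicodedata

MIN_LENGTH = 12  # assumed policy minimum; allow far longer so passphrases work

# Constructed stand-in for a breach corpus: store only SHA-1 digests, as the
# Pwned Passwords dataset does, so the plaintext list never sits on the auth server.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password123456", "qwertyuiop12", "correct horse battery staple")
}


def normalize(password: str) -> str:
    """NFKC-normalize so visually identical Unicode inputs hash the same way."""
    return unicodedata.normalize("NFKC", password)


def is_breached(password: str) -> bool:
    """Look the password up by digest, never by plaintext."""
    return hashlib.sha1(normalize(password).encode("utf-8")).hexdigest() in BREACHED_SHA1


def check_password(password: str, username: str = "", personal_terms=()) -> list:
    """Return the list of policy violations; an empty list means the password is accepted.

    Deliberately no composition rules (forced digits/symbols): length, a breach
    blocklist and a personal-information check is the NIST SP 800-63B style of policy.
    """
    pw = normalize(password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(pw)) <= 2:
        problems.append("too few distinct characters")
    if is_breached(pw):
        problems.append("appears in a known-breach password list")
    # Case-insensitive substring match against the user's own identifiers; terms shorter
    # than three characters are skipped because they would match almost anything.
    terms = sorted({t.lower() for t in (username, *personal_terms) if len(t) >= 3})
    for term in terms:
        if term in pw.lower():
            problems.append(f"contains personal information ({term})")
    return problems
```

Returning every violation at once, rather than the first, lets the sign-up form explain the rejection without leaking which breach list matched; the caller should still store the password with a slow hash (bcrypt, scrypt or Argon2), which is outside this check.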

Use Multi-Factor Authentication

  • The Principle: MFA goes beyond just a password. It requires users to supply at least two types of evidence from different categories:
    • Something you know (password, PIN)
    • Something you have (hardware security key, authenticator app, smartphone)
    • Something you are (fingerprint, facial scan)
    Two factors from the same category (a password plus a security question) are not MFA. A code delivered by SMS is the weakest "something you have": it can be intercepted by SIM swapping and is phished as easily as the password. Time-based one-time codes (TOTP) from an authenticator app resist SIM swapping but not real-time phishing; FIDO2/WebAuthn security keys and passkeys resist both, because the response is bound to the site's origin.
  • Example: Many banks require you to type in a code sent to your phone when you log in from a new device; the stronger equivalent is a prompt in the bank's own app or a registered security key.

Assume Zero Trust

  • The Principle: Never grant access because of where a request comes from (the office network, the VPN) or because the user logged in earlier. Verify user identity and device health on every request, and bound how long a verified session stays valid.
  • Example: An enterprise VPN may require MFA not just at login but also re-authenticate users periodically, and refuse or quarantine devices that are missing required security updates.

Assume High Risk

  • The Principle: Not all login attempts are equal. Score each attempt on signals such as location, device, network and time of day, and scale the verification required to that score: silently allow a familiar device in a familiar place, demand a second factor for a partly familiar one, block outright when several signals fire at once.
  • Example: Access from a new country? Trigger additional verification steps before the session is issued, and record the outcome so a successful step-up makes that country familiar for next time.
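A combined illustration of the last two principles (continuous verification of device health and session age, plus per-attempt risk scoring), added here and not taken from the post. The signals, weights, thresholds and the eight-hour re-authentication interval are assumptions chosen to make the decisions readable; a production engine would tune them from its own login data.

```python
from dataclasses import dataclass, field

REAUTH_INTERVAL_S = 8 * 3600  # assumed: re-verify even healthy sessions every 8 hours
STEP_UP_THRESHOLD = 40        # assumed: score at which a second factor is demanded
DENY_THRESHOLD = 80           # assumed: score at which the attempt is refused outright


@dataclass
class LoginAttempt:
    user: str
    country: str          # from GeoIP on the source address
    device_id: str        # e.g. a device certificate or registered-browser token
    device_patched: bool  # posture signal reported by the endpoint agent
    hour_utc: int
    session_age_s: int = 0  # 0 for a fresh login; larger for a request on an existing session


@dataclass
class UserHistory:
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)


def score_attempt(attempt: LoginAttempt, history: UserHistory):
    """Add up risk signals; the weights are illustrative assumptions."""
    score, reasons = 0, []
    if attempt.country not in history.countries:
        score += 40
        reasons.append("new country")
    if attempt.device_id not in history.devices:
        score += 30
        reasons.append("new device")
    if not 6 <= attempt.hour_utc <= 22:
        score += 15
        reasons.append("off-hours")
    return score, reasons


def decide(attempt: LoginAttempt, history: UserHistory):
    """Return (decision, reasons) where decision is 'allow', 'step_up' or 'deny'."""
    # Zero trust: device posture is re-checked on every request, not only at first login.
    if not attempt.device_patched:
        return "deny", ["device missing required security updates"]
    score, reasons = score_attempt(attempt, history)
    if score >= DENY_THRESHOLD:
        return "deny", reasons
    # A healthy, low-risk session still has to re-prove identity once it is old enough.
    if attempt.session_age_s >= REAUTH_INTERVAL_S:
        reasons.append("session older than re-auth interval")
    if score >= STEP_UP_THRESHOLD or attempt.session_age_s >= REAUTH_INTERVAL_S:
        return "step_up", reasons
    return "allow", reasons


def record_success(attempt: LoginAttempt, history: UserHistory) -> None:
    """After a successful step-up, the country and device become familiar for next time."""
    history.countries.add(attempt.country)
    history.devices.add(attempt.device_id)
```

The reasons list is for the audit log and the analyst, not for the login page: telling the user (or the attacker holding the password) which signal fired makes the next attempt easier to tailor.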

Always Monitor

  • The Principle: Security isn't static. Monitor for unusual login attempts (bursts of failures, credential stuffing from many source addresses), for the user's credentials turning up in breaches of other services, and for changes in the user's behaviour pattern.
  • Example: Security systems might flag, and potentially freeze, accounts that show logins from multiple, geographically distant locations in rapid succession ("impossible travel": two logins whose distance apart could not have been covered in the time between them).
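The impossible-travel check described above, as an added example that is not from the original post. The log lines are constructed (UTC timestamp, user, GeoIP latitude and longitude), and the 900 km/h plausibility ceiling and 50 km floor for ignoring GeoIP jitter inside one metro area are assumptions.

```python
import math
from datetime import datetime

MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling: roughly airliner cruise speed
MIN_DISTANCE_KM = 50.0     # assumed floor: ignore GeoIP jitter within one metro area

# Constructed sample log: ISO-8601 UTC timestamp, user, GeoIP latitude, longitude.
# alice: Berlin then New York 45 minutes later; bob: Paris then London 3 hours later.
SAMPLE_LOG = """\
2024-05-01T08:00:00Z alice 52.5200 13.4050
2024-05-01T08:45:00Z alice 40.7128 -74.0060
2024-05-01T09:00:00Z bob 48.8566 2.3522
2024-05-01T12:00:00Z bob 51.5074 -0.1278
"""


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres on a spherical Earth."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_log(text):
    """Parse log lines into (timestamp, user, lat, lon) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, lat, lon = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, user, float(lat), float(lon)))
    events.sort(key=lambda e: e[0])  # stable: same-second events keep log order
    return events


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Compare each login with the user's previous one; alert when the implied speed is impossible."""
    last = {}
    alerts = []
    for when, user, lat, lon in events:
        if user in last:
            prev_when, prev_lat, prev_lon = last[user]
            dist = haversine_km(prev_lat, prev_lon, lat, lon)
            hours = (when - prev_when).total_seconds() / 3600
            # Two distant logins in the same second imply infinite speed.
            speed = dist / hours if hours > 0 else float("inf")
            if dist >= MIN_DISTANCE_KM and speed > max_kmh:
                alerts.append({
                    "user": user,
                    "km": round(dist),
                    "hours": round(hours, 2),
                    "kmh": round(speed) if math.isfinite(speed) else None,
                })
        last[user] = (when, lat, lon)
    return alerts
```

Two caveats before freezing an account on this signal alone: corporate VPN egress points and mobile carriers can geolocate one user to two cities within minutes, so the alert is best treated as a step-up trigger or an analyst queue item, and the distance floor should be raised for users known to route through such networks.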
