This post breaks down 5 key principles to keep in mind when implementing an authentication system:
Always Enforce Password Strength
- The Principle: Weak passwords are an open invitation to attackers. Enforce these practices:
  - Length: Longer is better.
  - Complexity: Mix upper/lowercase letters, numbers, and symbols.
  - Uniqueness: Avoid reusing passwords across different accounts.
  - Password Managers: Tools to securely store and generate strong passwords.
- Example: A system might implement a policy requiring all user passwords to be a minimum of 12 characters, and disallow the use of common words or personal information (like name or date of birth).
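The policy in the example above, as an added illustration that is not part of the original post: a checker that enforces the 12-character minimum, a complexity rule, a small blocklist of common words (constructed here; a real deployment would use a breached-password list) and a check against the user's own name and date of birth. The substitution table for folding "p@ssw0rd" into "password" is an assumption of this example.

```python
import re
from datetime import date

# Constructed sample blocklist; a production system would load a large list of
# breached and common passwords instead (assumption, not from the post).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "football"}

MIN_LENGTH = 12

# Undo common leetspeak substitutions so "p@ssw0rd" is still caught as "password".
_FOLD = str.maketrans("@$0134!|", "asoieail")


def _personal_tokens(full_name: str, birth_date: date) -> set[str]:
    """Strings derived from the profile that must not appear in the password."""
    tokens = {part.lower() for part in full_name.split() if len(part) >= 3}
    for fmt in ("%Y", "%d%m", "%m%d", "%Y%m%d", "%d%m%Y"):
        tokens.add(birth_date.strftime(fmt))
    return tokens


def check_password(password: str, full_name: str, birth_date: date) -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems: list[str] = []
    lowered = password.lower()
    folded = lowered.translate(_FOLD)

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Blocklisted words are matched as substrings, after folding substitutions.
    for word in sorted(COMMON_WORDS):
        if word in lowered or word in folded:
            problems.append(f"contains common word '{word}'")

    # Personal information: name parts and several date-of-birth layouts.
    for token in sorted(_personal_tokens(full_name, birth_date)):
        if token in lowered or token in folded:
            problems.append(f"contains personal information '{token}'")

    # Complexity: require at least three of the four character classes.
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]")
    )
    if classes < 3:
        problems.append("needs at least three of: lowercase, uppercase, digits, symbols")

    return problems


if __name__ == "__main__":
    dob = date(1990, 5, 12)
    for candidate in ("Alice1990!", "p@ssw0rdp@ssw0rd", "Tr0ub4dor&3xtra!"):
        print(candidate, "->", check_password(candidate, "Alice Smith", dob) or "OK")
```

Because the checks are substring based, "Alice1990!" is rejected for both the name and the birth year even though it mixes all four character classes; length and personal data are the rules that matter most in practice.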
Use Multi-Factor Authentication
- The Principle: MFA goes beyond just a password. It requires users to supply at least two types of evidence from these categories:
  - Something you know (password, PIN)
  - Something you have (security token, smartphone)
  - Something you are (fingerprint, facial scan)
- Example: Most bank accounts require you to type in a code sent to your phone when you log in from a new device.
Assume Zero Trust
- The Principle: Never assume trust based on location or past logins. Continually verify user identity and device health before granting access.
- Example: An enterprise VPN may require MFA not just at login but also re-authenticate users periodically and check that the device has current security updates.
Assume High Risk
- The Principle: Not all login attempts are equal. Analyze factors like location, device, and time of day to assess the risk level of each attempt.
- Example: Access from a new country? Trigger additional verification steps.
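The zero-trust and risk-based principles above fit naturally into one access decision, so here is a single added example (not from the original post) covering both: device health and MFA freshness are checked on every request regardless of past logins, and a risk score built from location, device and time of day decides whether to allow, demand step-up verification, or deny. The weights, thresholds and the 8-hour MFA lifetime are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class LoginContext:
    """What we know about this particular login attempt."""
    user: str
    country: str
    device_id: str
    device_patched: bool          # result of a device-health/posture check
    at: datetime
    last_mfa_at: Optional[datetime]


@dataclass
class UserHistory:
    """What we have previously observed for this user."""
    known_countries: set
    known_devices: set
    usual_hours: range            # hours of day in which the user normally logs in


MFA_MAX_AGE = timedelta(hours=8)   # assumed re-authentication interval
STEP_UP_THRESHOLD = 30
DENY_THRESHOLD = 70


def assess_risk(ctx: LoginContext, hist: UserHistory) -> tuple[int, list[str]]:
    """Score the attempt from its context; higher means riskier."""
    score, reasons = 0, []
    if ctx.country not in hist.known_countries:
        score += 40
        reasons.append(f"new country {ctx.country}")
    if ctx.device_id not in hist.known_devices:
        score += 30
        reasons.append(f"unknown device {ctx.device_id}")
    if ctx.at.hour not in hist.usual_hours:
        score += 10
        reasons.append(f"unusual hour {ctx.at.hour:02d}:00")
    return score, reasons


def decide(ctx: LoginContext, hist: UserHistory) -> tuple[str, list[str]]:
    """Return ('allow' | 'step_up' | 'deny', reasons)."""
    # Zero trust: device health is verified on every request, not just at enrolment.
    if not ctx.device_patched:
        return "deny", ["device missing security updates"]

    score, reasons = assess_risk(ctx, hist)
    if score >= DENY_THRESHOLD:
        return "deny", reasons

    # Zero trust: a past MFA does not stay valid forever.
    mfa_stale = ctx.last_mfa_at is None or ctx.at - ctx.last_mfa_at > MFA_MAX_AGE
    if mfa_stale:
        reasons.append("MFA older than 8h or absent")

    if score >= STEP_UP_THRESHOLD or mfa_stale:
        return "step_up", reasons
    return "allow", reasons


# Constructed history for a sample user (not real data).
ALICE = UserHistory(known_countries={"GB"}, known_devices={"laptop-1"}, usual_hours=range(7, 20))


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
    fresh = now - timedelta(hours=1)
    cases = {
        "routine":      LoginContext("alice", "GB", "laptop-1", True, now, fresh),
        "new country":  LoginContext("alice", "BR", "laptop-1", True, now, fresh),
        "new country+device": LoginContext("alice", "BR", "phone-9", True, now, fresh),
        "unpatched":    LoginContext("alice", "GB", "laptop-1", False, now, fresh),
    }
    for name, ctx in cases.items():
        print(f"{name:20s} -> {decide(ctx, ALICE)}")
```

The "new country" case is exactly the example from the post: the score alone is not enough to deny, so the user is sent through additional verification, while the same login from an unpatched device is refused before any scoring happens.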
Always Monitor
- The Principle: Security isn’t static. Monitor for unusual login attempts, potential password leaks from other services, and changes in user behavior patterns.
- Example: Security systems might flag and potentially freeze accounts that show logins from multiple, geographically distant locations in rapid succession.
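The "geographically distant locations in rapid succession" check is usually called impossible-travel detection. As an added example (not part of the original post), this runs it over a few constructed login records: consecutive logins for the same user are compared, the great-circle distance is divided by the elapsed time, and any pair implying a speed above a plausible airliner speed is flagged for review or an account freeze. The 900 km/h threshold and the log format are assumptions of this example.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample login records (user, ISO timestamp, latitude, longitude);
# the coordinates are approximate city centres, not real user data.
SAMPLE_LOG = """\
alice 2024-05-01T09:00:00Z 51.5074 -0.1278
alice 2024-05-01T09:45:00Z 40.7128 -74.0060
bob   2024-05-01T10:00:00Z 48.8566 2.3522
bob   2024-05-01T18:00:00Z 52.5200 13.4050
"""

MAX_SPEED_KMH = 900.0   # assumed ceiling for legitimate travel between logins
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_events(text: str) -> dict:
    """Group login records per user, sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        user, ts, lat, lon = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events[user].append((when, float(lat), float(lon)))
    for evs in events.values():
        evs.sort(key=lambda e: e[0])
    return dict(events)


def impossible_travel(events: dict, max_speed_kmh: float = MAX_SPEED_KMH) -> list:
    """Return (user, t1, t2, distance_km, speed_kmh) for every consecutive pair
    of logins that would have required travelling faster than max_speed_kmh."""
    alerts = []
    for user, evs in events.items():
        for (t1, la1, lo1), (t2, la2, lo2) in zip(evs, evs[1:]):
            dist = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            if dist == 0:
                speed = 0.0                      # same place, any timing is fine
            elif hours <= 0:
                speed = float("inf")             # different places at the same instant
            else:
                speed = dist / hours
            if speed > max_speed_kmh:
                alerts.append((user, t1, t2, round(dist), round(speed)))
    return alerts


if __name__ == "__main__":
    for user, t1, t2, dist, speed in impossible_travel(parse_events(SAMPLE_LOG)):
        print(f"ALERT {user}: {dist} km between {t1:%H:%M} and {t2:%H:%M} "
              f"implies {speed} km/h; consider freezing the session")
```

In the sample, alice appears in London and then New York 45 minutes later (several thousand km/h), while bob's Paris-to-Berlin move over eight hours is well within the threshold. Real deployments add tolerance for VPN egress points and mobile carrier geolocation error before acting on a single alert.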