Authentication (a few notes)
Authentication, or verification of who a user is, is a key element in enforcing access controls. While application servers offer a great deal of built-in authentication support, and much documentation exists on the subject, it is crucial to keep the following in mind:
- Re-authenticate the user for high value transactions and access to protected areas (such as changing from user to administrative level access).
- Authenticate the transaction, not the user. Phishers rely (amongst other things) on poorly implemented user authentication schemes.
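Putting the two points above into working code, as an added illustration that is not part of the original notes: a step-up gate that demands recent re-authentication before a high-value action, and a confirmation token that is bound to the details of one specific transaction, so that a phished password (or a token captured for a different transfer) does not authorise it on its own. The `Session` class, the time windows and the HMAC scheme are assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets

# Assumed settings for this example (not from the original notes).
REAUTH_WINDOW = 300    # seconds a fresh login stays valid for high-value actions
TXN_TOKEN_TTL = 120    # seconds a transaction confirmation token stays valid
SERVER_KEY = secrets.token_bytes(32)  # would live in a KMS/HSM in a real deployment

class Session:
    def __init__(self, user_id, auth_time):
        self.user_id = user_id
        self.auth_time = auth_time   # time of the last (re-)authentication

def reauthenticate(session, now):
    """Called after the user re-enters credentials (or presents a second factor)."""
    session.auth_time = now

def requires_step_up(session, now, window=REAUTH_WINDOW):
    """True if the last authentication is too old for a high-value action."""
    return now - session.auth_time > window

def _txn_message(session, txn, issued):
    # Canonical, unambiguous encoding of everything the token must be bound to.
    return json.dumps([session.user_id, txn["amount"], txn["to"], issued],
                      separators=(",", ":")).encode()

def issue_txn_token(session, txn, now):
    """Bind a confirmation token to this session AND these transaction details."""
    issued = int(now)
    mac = hmac.new(SERVER_KEY, _txn_message(session, txn, issued), hashlib.sha256)
    return f"{issued}.{mac.hexdigest()}"

def verify_txn(session, txn, token, now, ttl=TXN_TOKEN_TTL):
    """Authorise a high-value transaction: fresh auth + token for exactly this txn."""
    if requires_step_up(session, now):
        return False, "re-authentication required"
    try:
        issued_str, mac = token.split(".", 1)
        issued = int(issued_str)
    except ValueError:
        return False, "malformed token"
    if now - issued > ttl:
        return False, "confirmation expired"
    expected = hmac.new(SERVER_KEY, _txn_message(session, txn, issued), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        return False, "token does not match this transaction"
    return True, "ok"
```

Note that altering the amount or destination after the user confirmed invalidates the token, which is the property that distinguishes authenticating the transaction from merely authenticating the user.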
Passwords are trivially broken and are unsuitable for high value systems. Therefore, the controls should reflect this. Any password less than 16 characters in length can be brute forced in less than two weeks, so set your password policy to be reasonable:
- Train your users in suitable password construction
- Allow your users to write down their passwords as long as they keep them safe (everybody knows how to secure his/her wallet).
- Encourage users to use pass phrases instead of passwords
- Relax password expiry requirements based on the strength of the password chosen. Passwords between 8 and 16 characters that cannot be easily cracked should have an expiry of no less than 30 days. On the other hand, pass phrases above 16 characters probably do not need a hard expiry limit, but a gentle reminder after (say) 90 days instead.