1. Objective
This policy defines effective authentication management procedures when conducting company-related business and includes the:
- issuing and selection of strong authentication methods and credentials;
- protection of secret authentication credentials;
- frequency of change in terms of authentication credentials;
- reporting of any suspected breach or lost authentication credentials;
- use of authentication methods with third party systems (including cloud technology).
Authentication is a key method of securing our information – choosing weak authentication methods, or failing to keep the authentication credentials secure, places the confidentiality of our data at risk.
2. Scope
The scope of the policy covers all individuals either employed or contracted to work with or for the company, either in-office or remotely.
3. Definitions
- Authentication method: Any method by which a user may authenticate themselves in order to gain access to a location, data or service, such as text entry (e.g. passwords, passphrases, PINs), biometrics (e.g. fingerprints), etc.
- Authentication credentials: The specific data or information used by a user to authenticate themselves, including but not limited to passwords, passphrases, PINs, and biometric data.
- Multi-Factor Authentication (MFA): An authentication method that requires the user to provide two or more verification factors to gain access, such as something they know (e.g. password), something they have (e.g. a security token or mobile device), and/or something they are (e.g. biometric data).
- Cloud-based system: A service or platform hosted over the internet that allows users to access data, applications and services remotely.
- Password manager: A software product used for the secure storage of passwords, which must be approved for use, and includes functions for generating strong passwords compliant with this policy.
4. Policy
Authentication method covers any method by which a user may authenticate themselves in order to gain access to a location, data or service, such as text entry (e.g. passwords, passphrases, PINs), biometrics (e.g. fingerprints), etc. The company ensures that authentication credentials are kept confidential by:
- storing authentication credentials in a secure manner;
- changing manufacturer default authentication credentials and disabling guest accounts on all equipment;
- issuing new users with temporary authentication credentials, which must be changed at first login to a stronger alternative (defined later);
- issuing authentication credentials to new users in a secure manner (e.g. never in clear text via an email);
- changing all multi-user credentials (e.g. for communal equipment) used by an employee in the event that their employment ends;
- ensuring that access to user credentials is limited to ICT administrators for the purpose of resetting, revoking or problem resolution – authentication methods may only be reset once the identity of the user has been verified;
- locking accounts after 5 failed login attempts in order to dissuade brute-forcing attempts;
- training staff in the use of digital password managers, and the risks of storing passwords in any other form (such as a notebook at their workstation, or a Post-It note).
Users must ensure that they do all they can to maintain the confidentiality of their authentication credentials by never:
- using company authentication credentials for any other account they hold (including personal accounts such as home utilities, email, online shopping services, etc.);
- having a physical copy of their credentials;
- using a non-approved method for password generation;
- entering authentication credentials on non-company equipment (for example, home or public access PCs);
- revealing authentication credentials to anyone, including line managers, unless relaying information on temporary credentials which are changed immediately upon next login. This includes never sharing authentication credentials with co-workers (e.g. whilst on annual leave);
- discussing authentication credentials in front of others.
4.1. Password Authentication
Many services and policies only allow for password authentication methods, and so they are given a special focus here. Strong passwords MUST be used for authentication. The company defines a strong password as one generated by one of two processes: random string generation by a password manager or using diceware [EFF-DICE].
Where a password is to be stored in a password manager, it MUST be randomly generated by the password manager with the following parameters:
- a minimum length of 14 characters;
- longer passwords where permitted by the service;
- a mixture of numbers, upper and lower case letters, and special characters.
Where special characters are not possible due to technical restrictions, the minimum length is 20 characters.
For the avoidance of doubt, weak passwords must never be used. Weak, text-based authentication credentials generally have one or more of the following characteristics:
- the credential is the same, or partly the same, as the username;
- names of family members, friends, or pets are used;
- personal information about yourself or family members which can be easily found from social networking sites is used, including date of birth, phone number, street name, etc.;
- consecutive alphanumeric characters or keys on the keyboard are used, such as ‘abc123’ or ‘qwerty’;
- a dictionary word is used, including one with a number or character added at the start or end, or with numbers or punctuation substituted for letters, for example ‘P@55w0rd’;
- a known word from any language is used (which may not be in a dictionary).
For passwords that are intended to be memorised, they MUST be generated using diceware. The above restrictions likely will not be met using this method, as the intention is to provide a strong password that is easy to remember, and the strength comes from the underlying dice rolls. Any other method of generating a passphrase MUST NOT be used, even if it results in one that bears similarity to a diceware-generated passphrase.
Memorised passphrases generated with diceware SHOULD be used for:
- the end-user device login passphrase;
- the password manager decryption passphrase.
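The stored-password rules of section 4.1 (14 characters, or 20 where special characters are not permitted; a mixture of character classes; none of the listed weak-password characteristics) can be checked mechanically, for example when an administrator audits a password manager export. The checker below is an added illustration, not part of this policy or of any company tooling; the sequence list, the tiny wordlist and the substitution table are constructed samples, and a real deployment would use a full wordlist such as the EFF diceware list.

```python
import string

# Constructed sample lists for illustration only; a production check would use a
# full keyboard-walk generator and a real wordlist (e.g. the EFF diceware list).
SEQUENCES = ("abc123", "qwerty", "123456", "abcdef", "asdfgh")
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "company"}
# Common letter substitutions that the policy says do not make a word strong.
LEET = str.maketrans("@$501!3", "assoiie")


def normalise(password):
    """Strip padding digits/punctuation and undo substitutions so that
    'P@55w0rd1' is compared against the wordlist as 'password'."""
    core = password.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET)


def violations(password, username, special_permitted=True):
    """Return the section 4.1 rules a candidate stored password breaks.
    An empty list means the password is compliant."""
    problems = []
    minimum = 14 if special_permitted else 20  # 20 when the service bans specials
    if len(password) < minimum:
        problems.append(f"shorter than {minimum} characters")
    classes = [
        any(c.isdigit() for c in password),
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
    ]
    if special_permitted:
        classes.append(any(c in string.punctuation for c in password))
    if not all(classes):
        problems.append("missing a required character class")
    low, user = password.lower(), username.lower()
    # "the same, or partly the same, as the username": any 4-character run of it
    if user and (user in low or any(user[i:i + 4] in low for i in range(len(user) - 3))):
        problems.append("contains all or part of the username")
    if any(seq in low for seq in SEQUENCES):
        problems.append("contains a keyboard or alphanumeric sequence")
    if normalise(password) in SAMPLE_DICTIONARY:
        problems.append("is a dictionary word with padding or substitutions")
    return problems


def is_compliant(password, username, special_permitted=True):
    return not violations(password, username, special_permitted)
```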
4.2. Multi-Factor Authentication
Wherever the option is offered by a given service or piece of software, multi-factor authentication is to be used (e.g. a fingerprint and a passphrase, or a voice sample, PIN and verification SMS).
Where a hardware token is in use to authenticate to a system without a password, the token itself MUST be secured with a memorised PIN of at least 6 digits.
4.3. Credentials for Cloud-Based Systems and Online Portals
It is to be remembered that the company makes use of cloud-based technology and online portals, which may not enforce strong authentication credentials. It is therefore up to the individual to ensure a good authentication regime is maintained, which is as strong as that used within the organisation. In line with the company’s "Internet Use Policy", users shall:
- not create an online account for business purposes without authorisation from a director;
- advise a director when there is no longer a need to have the online account, in order to ensure that it is removed.
4.4. Credential Compromise Policy
In the event of a credential compromise, users SHALL take immediate action to secure the account by resetting or invalidating the credentials, and report the incident to a director as soon as practicable. It is policy that any password compromise event will be shared with CiviCERT members via the MISP platform to allow for shared learning from the incident. Directors will be responsible for determining if a data breach notification is necessary to our clients or to the Information Commissioner's Office.