On this page
- Quick Reference (60 Seconds)
- What the Standard Actually Requires
- Why Authentication Information Matters
- Password Policy Design
- Password Storage and Hashing
- Password Reset and Recovery
- Multi-Factor Authentication (MFA)
- Passwordless Authentication
- Biometric Authentication
- Certificate-Based Authentication
- Token-Based Authentication
- API Authentication
- Service Account Authentication
- Authentication Monitoring and Analytics
- Tool Comparison
- Implementation Roadmap: 4 Weeks
- Common Audit Failures and Fixes
- Illustrative Scenarios
- Multi-Framework Mapping
- FAQ
- Indian Regulatory Context
- Continuous Improvement
- Additional Illustrative Scenarios: Indian Authentication Incidents
Quick Reference (60 Seconds)
ISO 27001:2022 Annex A 5.17 requires the allocation and management of authentication information to be controlled through a formal process, ensuring that credentials are created, distributed, and stored securely.
| Element | What You Need to Know |
|---|---|
| Standard Reference | ISO/IEC 27001:2022, Annex A, Control 5.17 |
| 27002 Guidance | ISO/IEC 27002:2022, Clause 5.17, Authentication information |
| Objective | Ensure authentication credentials are securely created, distributed, stored, and managed |
| Key Requirement | Credential lifecycle: creation, distribution, storage, rotation, revocation, recovery |
| Who It Applies To | All authentication credentials: passwords, tokens, certificates, biometrics, API keys |
| Audit Focus | Password policy, hashing, MFA, passwordless, credential vault, rotation, monitoring |
| Typical Failures | Weak passwords, no MFA, plaintext storage, no rotation, shared credentials, no vault |
| Singahi's Role | Password policy design, MFA implementation, credential vault, passwordless, monitoring |
The Bottom Line: Authentication information is the keys to your kingdom. If you don't protect how credentials are created, stored, and used, nothing else matters.
What the Standard Actually Requires
The ISO 27001:2022 Text
Annex A 5.17 states:
ISO 27001:2022 Annex A 5.17 asks organizations to control the allocation and management of authentication information through a formal process.
What ISO 27002:2022 Adds
The implementation guidance requires:
- Authentication information (credentials) created securely
- Credentials distributed securely to users
- Users required to sign acknowledgment of receipt
- Users required to change initial/temporary passwords
- Credentials stored securely (hashed, encrypted, vaulted)
- Credentials not shared, not written down, not stored in plaintext
- Regular credential rotation
- Compromised credentials revoked immediately
- Credential recovery process secure and audited
- MFA for sensitive access
- Password policy enforced
- Passwordless authentication considered
The Six Mandatory Components
| Component | Evidence Required | Common Failure |
|---|---|---|
| 1. Password policy | Documented password policy | No policy or weak policy |
| 2. Secure storage | Hashed/encrypted credentials | Plaintext or weak hashing |
| 3. Secure distribution | Secure credential issuance | Email in plaintext, no acknowledgment |
| 4. MFA | MFA for privileged/sensitive | No MFA |
| 5. Rotation | Credential rotation records | No rotation or long rotation periods |
| 6. Monitoring | Authentication monitoring | No monitoring of authentication events |
Why Authentication Information Matters
Credential Compromise Statistics
| Statistic | Source | Impact |
|---|---|---|
| 80% of breaches involve compromised credentials | Verizon DBIR | Credentials are the primary attack vector |
| 49% of users reuse passwords across work and personal | LastPass | Password reuse = breach risk |
| 65% of users reuse passwords across work accounts | LastPass | Internal password reuse |
| 24 billion credentials exposed in breaches (HaveIBeenPwned) | HIBP | Massive credential exposure |
| ** credential stuffing** is the #1 attack | Akamai | Automated credential reuse attacks |
| 99.9% of attacks prevented by MFA | Microsoft | MFA is the single best control |
| 30% of help desk tickets are password-related | Gartner | Password management overhead |
| 50% of users don't change password after breach | Post-breach password inertia | |
| 23% of users use password123 or similar | NCSC | Weak password prevalence |
| 1 second to crack password123 | Hive Systems | Weak password crackability |
| 34,000 years to crack 16-character random password | Hive Systems | Strong password resistance |
| 60% of organizations don't check for compromised passwords | Ponemon | No compromised password detection |
| 40% of organizations have no password policy | Ponemon | No password governance |
| 20% of employees share passwords with colleagues | LastPass | Password sharing risk |
Password Policy Design
Password Policy Requirements by Role
| Role | Minimum Length | Complexity | Expiration | History | MFA | Method |
|---|---|---|---|---|---|---|
| Standard user | 12 characters | 3 of 4 | 180 days (or never if MFA) | 12 | TOTP/Push | Passphrase preferred |
| Manager | 12 characters | 3 of 4 | 180 days (or never if MFA) | 12 | TOTP/Push | Passphrase preferred |
| Developer | 12 characters | 3 of 4 | 180 days (or never if MFA) | 12 | TOTP/Push | Passphrase preferred |
| System Admin | 16 characters | 4 of 4 | 90 days (or never if MFA + hardware key) | 24 | Hardware key + TOTP | Passphrase + hardware key |
| Database Admin | 16 characters | 4 of 4 | 90 days (or never if MFA + hardware key) | 24 | Hardware key + TOTP | Passphrase + hardware key |
| Security Admin | 16 characters | 4 of 4 | 90 days (or never if MFA + hardware key) | 24 | Hardware key + TOTP | Passphrase + hardware key |
| CISO | 16 characters | 4 of 4 | 90 days (or never if MFA + hardware key) | 24 | Hardware key + TOTP | Passphrase + hardware key |
| CEO/Executive | 16 characters | 4 of 4 | 90 days (or never if MFA + hardware key) | 24 | Hardware key + TOTP | Passphrase + hardware key |
| Finance Admin | 16 characters | 4 of 4 | 90 days (or never if MFA + hardware key) | 24 | Hardware key + TOTP | Passphrase + hardware key |
| HR Admin | 16 characters | 4 of 4 | 90 days (or never if MFA + hardware key) | 24 | Hardware key + TOTP | Passphrase + hardware key |
| Service account | 32 characters | Random | 90 days (or never if vault + rotation) | N/A | Certificate/Key | Random + vault |
| Third-party user | 12 characters | 3 of 4 | 90 days | 12 | TOTP/Push | Passphrase |
| Customer | 8 characters | 3 of 4 | Never (if MFA) | 5 | TOTP/SMS (optional) | User choice |
| Break-glass | 32 characters | Random | Per use | N/A | Hardware key + multiple | Random + vault |
Password Policy Best Practices
| Practice | Implementation | Rationale | Tool |
|---|---|---|---|
| Passphrase | 4+ random words, 16+ characters | Easier to remember, harder to crack | User education, password generator |
| No expiration | No forced expiration if MFA enabled | Reduces password reuse, reduces help desk | Azure AD, Okta |
| Compromised check | Check against HaveIBeenPwned on creation and login | Prevents use of breached passwords | Azure AD, Okta, HIBP API |
| No common passwords | Block top 10,000 common passwords | Prevents weak passwords | Azure AD, Okta, custom list |
| No username in password | Block password containing username | Prevents guessable passwords | Azure AD, Okta |
| No organization name | Block password containing company name | Prevents guessable passwords | Azure AD, Okta, custom list |
| No keyboard walks | Block qwerty, 123456, abcdef | Prevents pattern passwords | Azure AD, Okta, custom list |
| Password manager | Require or strongly recommend password manager | Strong unique passwords, no reuse | 1Password, LastPass, Bitwarden |
| Self-service password reset (SSPR) | Enable SSPR with MFA verification | Reduce help desk, user empowerment | Azure AD, Okta |
| Password visibility | Allow users to see password while typing | Reduce typos, improve user experience | Modern UI |
| Password strength meter | Show password strength during creation | Guide users to stronger passwords | Modern UI, zxcvbn |
| No password hints | Disable password hints | Prevent social engineering | Group Policy, Azure AD |
| No security questions | Disable or limit security questions | Prevent social engineering | Azure AD, Okta |
| Password generator | Provide strong password generator | Encourage strong passwords | Password manager, browser |
| Password education | Train users on passphrase creation | User awareness, behavioral change | Training, awareness |
| Admin password policy | Stronger policy for admin accounts | Higher security for privileged accounts | Azure AD, GPO, PAM |
| Service account policy | Random 32+ char, vault, rotation | Non-human, automated, secure | PAM, Vault, Secrets Manager |
| API key policy | Random, vault, rotation, scoped | Secure API authentication | API Gateway, Vault |
| Certificate policy | Validity period, rotation, revocation | Secure certificate lifecycle | PKI, CA |
| Token policy | Short-lived, refresh token rotation, revocation | Secure session management | OAuth server, IAM |
Password Storage and Hashing
Password Hashing Algorithms
| Algorithm | Security Level | Speed | Salt | Memory Hard | Recommended |
|---|---|---|---|---|---|
| bcrypt | High | Slow | Yes | No | Yes (overhead factor 12+) |
| scrypt | High | Slow | Yes | Yes | Yes (for memory-hard) |
| Argon2id | Very High | Slow | Yes | Yes | Yes (OWASP recommended) |
| PBKDF2 | Medium-High | Slow (with iterations) | Yes | No | Acceptable (600k+ iterations) |
| SHA-256 | Low | Fast | Optional | No | No (not for password hashing) |
| SHA-512 | Low | Fast | Optional | No | No (not for password hashing) |
| MD5 | Very Low | Very Fast | Optional | No | No (deprecated, insecure) |
| SHA-1 | Very Low | Fast | Optional | No | No (deprecated, insecure) |
| LM hash | None | Instant | No | No | No (Windows legacy, insecure) |
| NTLM hash | Very Low | Fast | No | No | No (Windows, insecure) |
| AES encryption | Not applicable | N/A | N/A | N/A | No (encryption ≠ hashing) |
| Base64 | None | N/A | N/A | N/A | No (encoding ≠ security) |
| Plaintext | None | N/A | N/A | N/A | No (never store plaintext) |
Hashing Implementation
| Parameter | bcrypt | scrypt | Argon2id | PBKDF2 |
|---|---|---|---|---|
| overhead/Iterations | overhead factor 12+ (2^12 = 4096 iterations) | N=2^14, r=8, p=1 | m=65536, t=3, p=4 | 600,000+ iterations |
| Salt | 16 bytes random | 16 bytes random | 16 bytes random | 16 bytes random |
| Pepper | Optional (server-side secret) | Optional | Optional | Optional |
| Algorithm | Eksblowfish | Block mix | Memory-hard | HMAC-SHA256 |
| Library | bcrypt (Python), bcrypt (Node), BCrypt (Java), BCrypt.Net | scrypt (Python), scrypt (Node), Scrypt (Java) | Argon2 (Python), argon2 (Node), Argon2 (Java) | PBKDF2HMAC (Python), pbkdf2 (Node), PBKDF2 (Java) |
| Output | 60 characters (including salt) | Variable | Variable | Variable |
| Migration | If using old algorithm, rehash on next login | Same | Same | Same |
Credential Storage Best Practices
| Credential Type | Storage Method | Encryption | Key Management | Rotation | Evidence |
|---|---|---|---|---|---|
| User passwords | Hashed (Argon2id/bcrypt) | N/A (hashing) | N/A | User-initiated | Hash database |
| Admin passwords | Hashed + PAM vault | Vault encryption | HSM/KMS | 90 days or per policy | Vault logs |
| Service account passwords | Vault (HashiCorp, CyberArk) | Vault encryption | HSM/KMS | 90 days or automated | Vault logs |
| API keys | Vault or secrets manager | Vault encryption | HSM/KMS | 90 days or automated | Vault logs |
| Database passwords | Vault or secrets manager | Vault encryption | HSM/KMS | 90 days or automated | Vault logs |
| Application secrets | Vault or secrets manager | Vault encryption | HSM/KMS | 90 days or automated | Vault logs |
| TLS certificates | Certificate store (PKI) | Encrypted store | HSM/KMS | Per validity period | Certificate logs |
| SSH keys | SSH agent, vault | Encrypted at rest | HSM/KMS | 90 days or automated | Key logs |
| OAuth tokens | Token store, encrypted | Encrypted at rest | HSM/KMS | Short-lived, refresh rotated | Token logs |
| Biometric templates | Encrypted storage, not raw | AES-256, separate from other data | HSM/KMS | N/A (template doesn't change) | Storage config |
| MFA seeds | Encrypted storage, HSM | HSM encryption | HSM | N/A (seed is static) | HSM config |
| Recovery codes | Encrypted, printed, distributed | AES-256 | HSM/KMS | Single use | Distribution record |
| Backup codes | Encrypted, limited distribution | AES-256 | HSM/KMS | Single use | Distribution record |
| Shared secrets | Vault, encrypted | Vault encryption | HSM/KMS | 90 days or per policy | Vault logs |
| Encryption keys | HSM, KMS, key vault | HSM encryption | HSM | Per key rotation policy | Key rotation logs |
Password Reset and Recovery
Secure Password Reset Process
| Step | Action | Verification | Security | Evidence |
|---|---|---|---|---|
| 1 | User initiates password reset | Click "Forgot Password" | Rate limiting, CAPTCHA | Request log |
| 2 | Verify identity | MFA challenge (TOTP, push, email) | MFA required, no security questions | MFA log |
| 3 | Send reset link/code | Email or SMS with time-limited link | Expires in 15 minutes, single use | Delivery log |
| 4 | User clicks link/enters code | Link opens reset page or code accepted | HTTPS, no HTTP, valid domain | Access log |
| 5 | User creates new password | Password strength enforced, compromised check | Policy enforcement, HIBP check | Creation log |
| 6 | Password updated | Old password invalidated immediately | Immediate invalidation | Update log |
| 7 | Notify user | Email notification of password change | Alert if not initiated by user | Notification log |
| 8 | Audit | Log all reset actions | Immutable audit trail | Audit log |
| 9 | Session invalidation | All existing sessions invalidated | Force re-login | Session log |
| 10 | Optional: Manager notification | Notify manager of admin password reset | Enhanced monitoring for admin | Notification log |
Password Reset Security Requirements
| Requirement | Implementation | Best Practice | Tool |
|---|---|---|---|
| MFA required | Require MFA for password reset | TOTP, push, or hardware key | Azure AD, Okta |
| No security questions | Disable security questions | Security questions are insecure | Azure AD, Okta |
| Rate limiting | Limit reset attempts per user/IP | 3 attempts per hour, 5 per day | Azure AD, Okta, custom |
| Time-limited link | Reset link expires quickly | 15 minutes maximum | Azure AD, Okta, custom |
| Single-use link | Link can only be used once | One-time use, invalidated after use | Azure AD, Okta, custom |
| HTTPS only | All reset communication over HTTPS | TLS 1.3, valid certificate | Web server, CDN |
| No password in email | Never send password in email | Send link only, not password | Email gateway |
| Notification | Notify user of password change | Email to user, SMS optional | Email gateway, SMS gateway |
| Session invalidation | Invalidate all sessions on password change | Force re-login everywhere | IAM, session management |
| Audit trail | Log all password reset actions | Immutable log, SIEM integration | SIEM, IAM |
| Compromised check | Check new password against HIBP | Block breached passwords | HIBP API, Azure AD, Okta |
| Admin approval | Manager approval for admin password reset | Manager approval, security notification | ServiceNow, IAM |
| Break-glass | Break-glass for admin lockout | Pre-approved emergency accounts, HSM | PAM, HSM |
| Self-service | Enable self-service for all users | Reduce help desk, empower users | Azure AD SSPR, Okta |
| Help desk verification | If help desk reset, verify identity strongly | MFA + manager approval + employee ID | Help desk procedure |
Multi-Factor Authentication (MFA)
MFA Factor Types
| Factor | Type | Examples | Security Level | overhead | User Experience | Best For |
|---|---|---|---|---|---|---|
| Knowledge | Something you know | Password, PIN, security question | Low | Free | Easy | Base factor |
| Possession | Something you have | Phone, hardware key, smart card, certificate | Medium-High | Low-High | Easy-Hard | Second factor |
| Inherence | Something you are | Fingerprint, face, iris, voice, behavior | High | Medium | Easy | Second factor |
| Location | Somewhere you are | GPS, IP address, network location | Medium | Low | Transparent | Contextual factor |
| Time | Something about when | Time-based OTP, time windows | Low | Free | Transparent | Contextual factor |
| Behavior | Something you do | Keystroke dynamics, mouse patterns, device handling | Medium | Medium | Transparent | Risk factor |
MFA Implementation by Risk Level
| Risk Level | Required Factors | Example | Implementation |
|---|---|---|---|
| Low | Password + SMS/TOTP (optional) | Public website, newsletter | Optional MFA |
| Medium | Password + TOTP/Push | Standard employee, internal apps | Enforced MFA |
| High | Password + Hardware key + TOTP | Admin, finance, sensitive data | Enforced MFA + hardware key |
| Very High | Password + Hardware key + Biometric + TOTP | CISO, break-glass, critical infrastructure | Maximum factors, no bypass |
| API/System | Certificate + Key + IP whitelist | Service-to-service, API | mTLS + API key + IP |
| Customer | Password + TOTP (optional) | Customer portal, B2C | Optional MFA, recommended |
| Third-party | Password + TOTP/Push | Vendor, contractor, consultant | Enforced MFA |
| Remote | Password + Push + Device compliance | Remote worker, VPN | MFA + device compliance |
| Privileged | Password + Hardware key + TOTP | Admin, DBA, security | Enforced, no bypass |
| Emergency | Hardware key + Biometric + TOTP + approval | Break-glass, emergency | Maximum factors, pre-approved |
Passwordless Authentication
Passwordless Methods
| Method | Technology | Security Level | User Experience | overhead | Best For | Implementation |
|---|---|---|---|---|---|---|
| FIDO2/WebAuthn | Public key cryptography, hardware-backed | Very High | Easy (touch/scan) | Medium-High | All users, especially admin | YubiKey, Windows Hello, Apple Touch ID, Android |
| Windows Hello | Biometric + PIN + TPM | Very High | Easy (face/fingerprint/PIN) | Included (Windows 10/11) | Windows users | Windows 10/11, Azure AD |
| Apple Touch ID/Face ID | Biometric + Secure Enclave | Very High | Easy (touch/scan) | Included (Apple devices) | Apple users | macOS, iOS, Safari |
| Android Biometric | Biometric + Keystore | Very High | Easy (fingerprint/face) | Included (Android) | Android users | Android, Chrome |
| Passkeys | FIDO2, synced across devices, cloud-backed | Very High | Easy (biometric/PIN) | Free | All users, modern replacement for passwords | Google, Apple, Microsoft, 1Password, Dashlane |
| Certificate-based | X.509, PKI, smart card | High | Moderate (insert card) | Medium | Enterprise, government, high-security | Smart card, PKI, YubiKey PIV |
| Magic link | Email link, time-limited | Medium | Easy (click link) | Low | Low-risk, temporary, customer | Email gateway, custom |
| Push notification | Mobile app push, biometric confirmation | High | Easy (tap approve) | Low | Standard MFA, mobile-first | Duo, Microsoft Authenticator, Okta |
| Phone authentication | Phone call + PIN | Medium | Moderate (answer call) | Low | Backup, accessibility | Phone gateway |
| QR code | QR scan + mobile app | Medium | Easy (scan code) | Low | Mobile login, temporary | QR generator, mobile app |
| Email OTP | Email one-time code | Medium | Easy (check email) | Free | Low-risk, backup | Email gateway |
| SMS OTP | SMS one-time code | Low-Medium | Easy (check SMS) | Low | Backup, low-risk, customer | SMS gateway |
| Hardware OTP | Hardware token generates OTP | High | Moderate (read token) | Medium | High-security, air-gapped | RSA SecurID, YubiKey OTP |
| Software OTP | TOTP app generates code | Medium-High | Easy (open app) | Free | Standard MFA, widely supported | Google Authenticator, Microsoft Authenticator, Authy |
Passwordless Implementation Roadmap
| Step | Action | Owner | Tool | Timeline |
|---|---|---|---|---|
| 1 | Assess passwordless readiness | Security | IdP assessment | 1 week |
| 2 | Pilot with IT team | IT | FIDO2 keys, Windows Hello | 1-2 weeks |
| 3 | Deploy FIDO2 keys for admin | Security | YubiKey, Titan | 2-4 weeks |
| 4 | Enable Windows Hello for Windows users | IT | Windows Hello, Azure AD | 2-4 weeks |
| 5 | Enable passkeys for mobile users | IT | Apple, Google, Microsoft passkeys | 2-4 weeks |
| 6 | Enable passwordless for standard users | IT | FIDO2, passkeys, push | 4-8 weeks |
| 7 | Train users on passwordless | HR + IT | Training, documentation | 1-2 weeks |
| 8 | Monitor and support | IT | Help desk, analytics | Ongoing |
| 9 | Retire passwords for passwordless users | Security | IdP policy | 1-2 weeks |
| 10 | Full passwordless for all users | Security | IdP policy, conditional access | 8-12 weeks |
Biometric Authentication
Biometric Methods
| Biometric | Accuracy | Spoof Resistance | overhead | Best For | Privacy Risk | Implementation |
|---|---|---|---|---|---|---|
| Fingerprint | High | High (with liveness) | Low | Mobile, laptop, access control | Medium | Touch ID, Windows Hello, Android |
| Facial recognition | High | High (with liveness) | Medium | Mobile, laptop, access control, surveillance | High | Face ID, Windows Hello, Amazon Rekognition |
| Iris recognition | Very High | Very High | High | High-security, border control, data center | High | Iris scanners, Samsung, custom |
| Voice recognition | Medium | Low | Low | Call center, phone authentication | Medium | Voice biometrics, Nuance, Pindrop |
| Behavioral | Medium | Medium | Medium | Continuous authentication, risk scoring | Low | Typing cadence, mouse patterns, device handling |
| Palm vein | Very High | Very High | High | High-security, healthcare, financial | Low | Palm vein scanners, Fujitsu |
| Retina scan | Very High | Very High | Very High | Military, high-security | High | Retina scanners, military |
| Hand geometry | Medium | Medium | Medium | Physical access, time attendance | Low | Hand geometry scanners |
| Signature dynamics | Medium | Low | Low | Document signing, legal | Low | Signature pads, tablets |
| Gait recognition | Medium | Medium | Medium | Surveillance, continuous | High | Camera-based, mobile sensors |
| Heartbeat | Medium | High | Medium | Wearables, continuous | Low | Wearable devices, Nymi |
| DNA | Very High | N/A | Very High | Forensic, legal, extreme security | Very High | Lab-based, not practical for daily use |
Biometric Storage and Privacy
| Requirement | Implementation | Best Practice | Regulation | Evidence |
|---|---|---|---|---|
| Template storage | Store template, not raw biometric | Template (mathematical representation), not image | DPDP Act, GDPR | Storage config |
| Encryption | Encrypt templates at rest and in transit | AES-256, TLS 1.3 | DPDP Act, GDPR | Encryption config |
| Separation | Store biometrics separately from other data | Separate database, separate encryption key | DPDP Act, GDPR | Architecture |
| No centralization | Prefer on-device biometric over central | On-device (Face ID, Touch ID) vs. server | DPDP Act, GDPR | Architecture |
| Consent | Explicit consent for biometric collection | Opt-in, informed consent, purpose limitation | DPDP Act, GDPR | Consent records |
| Right to deletion | Allow deletion of biometric data | Template deletion, revocation | DPDP Act, GDPR (Article 17) | Deletion records |
| No sharing | Do not share biometric data with third parties | Strict no-sharing policy | DPDP Act, GDPR | Policy |
| Audit | Audit biometric access and use | Access logs, usage logs, audit trail | DPDP Act, GDPR | Audit logs |
| Accuracy | Ensure biometric accuracy and fairness | Regular testing, bias testing, accuracy metrics | DPDP Act, GDPR | Accuracy reports |
| Fallback | Provide non-biometric fallback | PIN, password, token as fallback | DPDP Act, GDPR | Fallback policy |
| Spoof detection | Implement liveness detection | Anti-spoofing, liveness detection, challenge-response | Best practice | Liveness config |
| DPIA | Conduct Data Protection Impact Assessment for biometric | DPIA for biometric processing | DPDP Act, GDPR (Article 35) | DPIA document |
| Cross-border | Restrict cross-border biometric transfer | Store locally, transfer restrictions | DPDP Act, GDPR | Transfer policy |
| Children | Special protection for children's biometric | Parental consent, enhanced protection | DPDP Act, GDPR, COPPA | Consent records |
| Transparency | Clear privacy notice for biometric | Explain collection, use, storage, retention, rights | DPDP Act, GDPR | Privacy notice |
Certificate-Based Authentication
Certificate Types
| Certificate Type | Use Case | Key Size | Validity | Storage | Best Practice |
|---|---|---|---|---|---|
| User certificate | User authentication, VPN, email signing | RSA 2048+ or ECC 256+ | 1-3 years | Smart card, USB token, TPM, HSM | TPM/smart card preferred |
| Machine certificate | Device authentication, network access, WiFi | RSA 2048+ or ECC 256+ | 1-3 years | TPM, device keystore, certificate store | TPM preferred |
| Service certificate | Service-to-service authentication, API | RSA 2048+ or ECC 256+ | 1-2 years | Vault, HSM, secrets manager | Vault + HSM |
| Admin certificate | Admin authentication, privileged access | RSA 4096 or ECC 256+ | 1 year | Smart card, HSM, hardware token | Hardware token + HSM |
| Email certificate | S/MIME email signing and encryption | RSA 2048+ | 1-3 years | Email client, smart card, OS store | Smart card preferred |
| Code signing certificate | Software signing, integrity | RSA 2048+ or ECC 256+ | 1-3 years | HSM, hardware token, secure build pipeline | HSM mandatory |
| SSL/TLS certificate | Website, API encryption | RSA 2048+ or ECC 256+ | 1 year | Web server, load balancer, CDN | Let's Encrypt, auto-renewal |
| Client certificate | mTLS, API authentication | RSA 2048+ or ECC 256+ | 1-3 years | Client device, application store | Device store |
| Root CA certificate | Certificate chain trust | RSA 4096+ | 10-20 years | HSM, offline, air-gapped | HSM, offline, strict access |
| Intermediate CA certificate | Certificate issuance | RSA 4096+ | 5-10 years | HSM, online, strict access | HSM, strict access |
| IoT device certificate | IoT device authentication | ECC 256+ (preferred for IoT) | 1-3 years | Device secure storage, TPM | Secure provisioning |
| VPN certificate | VPN authentication | RSA 2048+ or ECC 256+ | 1-3 years | VPN client, device store, smart card | Smart card + MFA |
| Document signing certificate | PDF, document signing | RSA 2048+ | 1-3 years | Smart card, HSM, secure signing device | HSM for high-value |
| Timestamp certificate | Digital timestamping | RSA 2048+ | 1-3 years | Timestamp server, HSM | HSM |
| OCSP certificate | Certificate status verification | RSA 2048+ | 1-3 years | OCSP responder, HSM | HSM |
Certificate Lifecycle Management
| Stage | Action | Owner | Tool | Timeline | Evidence |
|---|---|---|---|---|---|
| Request | Submit certificate request (CSR) | User/IT | PKI, CA | 1 day | CSR record |
| Verify | Verify identity and authorization | CA admin | PKI, CA | 1-3 days | Verification record |
| Issue | Issue certificate | CA | PKI, CA | 1 day | Certificate record |
| Distribute | Securely distribute certificate | IT | Secure delivery, smart card | 1 day | Distribution record |
| Install | Install certificate on device | User/IT | OS, application, device | 1 day | Installation record |
| Use | Use certificate for authentication | User | Application, OS | Ongoing | Usage logs |
| Monitor | Monitor certificate validity and usage | Security | PKI, SIEM, monitoring | Ongoing | Monitoring logs |
| Renew | Renew before expiry | IT/Auto | PKI, auto-renewal | 30 days before expiry | Renewal record |
| Revoke | Revoke if compromised or no longer needed | Security/CA | PKI, CRL, OCSP | Immediate | Revocation record |
| Archive | Archive certificate for audit/legal | IT | Archive, encrypted | Post-expiry | Archive record |
| Audit | Audit certificate lifecycle | Security | PKI, audit tool | Annual | Audit record |
Token-Based Authentication
Token Types
| Token Type | Format | Validity | Use Case | Security | Implementation |
|---|---|---|---|---|---|
| JWT (JSON Web Token) | JSON, signed (JWS) or encrypted (JWE) | Short (15 min - 1 hour) | API auth, SSO, stateless sessions | Medium-High (if signed + encrypted) | OAuth 2.0, OIDC, custom |
| Refresh token | Opaque or JWT | Long (7-90 days) | Obtain new access token | High (must be stored securely, rotated) | OAuth 2.0, OIDC |
| Session token | Cookie, JWT, opaque | Session duration | Web session | Medium (HTTPS, HttpOnly, Secure, SameSite) | Web framework, session manager |
| API key | Random string, UUID | Long (90 days - 1 year) | API authentication, integration | Medium (if rotated, scoped, monitored) | API gateway, IAM |
| OAuth access token | JWT or opaque | Short (15 min - 1 hour) | Delegated access, API auth | Medium-High (scopes, short-lived) | OAuth 2.0 server |
| SAML assertion | XML, signed | Short (minutes) | Enterprise SSO, federation | High (XML signature, encrypted) | SAML 2.0 |
| Kerberos ticket | Binary, encrypted | Short (hours) | Windows network auth | High (Kerberos protocol, mutual auth) | Kerberos, AD |
| NTLM token | Binary, hashed | Session | Windows legacy auth | Low (deprecated, insecure) | Windows legacy |
| Basic auth token | Base64(username:password) | Per request | Legacy API auth, simple systems | Very Low (plaintext, no encryption) | HTTP Basic |
| Digest auth token | MD5 hash challenge-response | Per request | Legacy auth, slightly better than basic | Low (MD5, susceptible) | HTTP Digest |
| Bearer token | Any token type (JWT, opaque) | Varies | OAuth 2.0, API auth | Medium-High (must be protected in transit) | OAuth 2.0, API |
| MAC token | HMAC-signed request | Per request | OAuth 1.0a, legacy | Medium (HMAC, no TLS required) | OAuth 1.0a |
| PKCE token | Code verifier + challenge | Short | OAuth 2.0 public clients (mobile, SPA) | High (prevents authorization code interception) | OAuth 2.0 + PKCE |
| Device code | Short code + polling | Short (15 min) | Device login (TV, IoT) | Medium (user completes on other device) | OAuth 2.0 Device Code |
| Push token | FCM/APNs token | Long (until revoked) | Mobile push notification | Medium (must be protected, rotated) | FCM, APNs |
| WebSocket token | JWT or opaque | Session | WebSocket authentication | Medium-High (same as API token) | WebSocket server |
| GraphQL token | JWT or opaque | Session | GraphQL API authentication | Medium-High (same as API token) | GraphQL server |
| gRPC token | JWT or opaque | Per request | gRPC API authentication | Medium-High (TLS + token) | gRPC server |
| mTLS certificate | X.509 certificate | 1-3 years | Service-to-service, API, device | High (mutual TLS, certificate-based) | PKI, API gateway |
API Authentication
API Authentication Methods
| Method | Security Level | Best For | Implementation | Tool |
|---|---|---|---|---|
| OAuth 2.0 + OIDC | High | Modern APIs, mobile, web, third-party | Authorization server, JWT, scopes | Auth0, Okta, Azure AD, Keycloak |
| API Key | Medium | Internal APIs, simple integrations, low-risk | API gateway, key management | AWS API Gateway, Kong, Azure APIM |
| mTLS | High | Service-to-service, IoT, high-security | Certificate-based, mutual TLS | Istio, Nginx, API gateway |
| JWT | Medium-High | Stateless APIs, microservices, SSO | JWT signing, validation, expiration | Auth0, Okta, custom JWT library |
| HMAC | Medium | Legacy APIs, AWS-style authentication | HMAC-SHA256 signature, timestamp | AWS Signature, custom |
| Basic Auth | Low | Internal, legacy, low-risk, development | Base64 encoding, HTTPS only | HTTP Basic, nginx |
| Digest Auth | Low | Legacy, slightly better than basic | Challenge-response, MD5 | HTTP Digest |
| Bearer Token | Medium-High | OAuth 2.0, API auth, standard | Bearer token in Authorization header | OAuth 2.0, JWT |
| Cookie/Session | Medium | Web APIs, same-origin | Session cookie, CSRF protection, HttpOnly | Web framework, session manager |
| SAML | High | Enterprise APIs, federation | SAML assertion, XML signature | SAML 2.0, Shibboleth |
| Kerberos/SPNEGO | High | Internal Windows APIs | Kerberos ticket, SPNEGO | Kerberos, AD, Windows |
| LDAP/AD | Medium | Internal APIs, directory-based | LDAP bind, AD authentication | LDAP, AD, Spring Security |
| API Gateway Auth | Medium-High | All APIs behind gateway | Gateway handles auth, forwards claims | Kong, AWS API Gateway, Azure APIM |
| Zero Trust | High | Modern, cloud-native, microservices | Every request verified, no implicit trust | Istio, Zscaler, BeyondCorp |
| Biometric | High | Mobile APIs, high-security | Biometric + device binding + token | FIDO2, mobile SDK |
| Hardware token | High | Financial, high-security, legacy | RSA SecurID, YubiKey OTP | RSA, YubiKey |
| IP Whitelist | Low | Internal, restricted, legacy | IP-based access control | Firewall, API gateway |
| Geo-restriction | Low | Location-based restriction | Geo-blocking, geo-allowing | API gateway, CDN |
| Rate limiting + auth | Medium-High | All public APIs | Rate limiting + authentication + authorization | API gateway, WAF |
Service Account Authentication
Service Account Authentication Best Practices
| Practice | Implementation | Tool | Risk Mitigation |
|---|---|---|---|
| No interactive login | Service accounts cannot log in interactively | IAM, OS policy | Prevent human misuse |
| Vault storage | Credentials stored in vault, not hardcoded | HashiCorp Vault, AWS Secrets Manager, Azure Key Vault | No credential leakage |
| Runtime injection | Credentials injected at runtime, not in config | Vault agent, Kubernetes secrets, CI/CD | No credential in code/config |
| Rotation | Automated rotation of credentials | Vault, PAM, cloud secrets manager | Limit exposure window |
| Short-lived tokens | Use short-lived tokens where possible | OAuth 2.0, AWS STS, Azure managed identities | Limited exposure |
| Managed identities | Use cloud-managed identities instead of keys | Azure Managed Identities, AWS IAM roles, GCP service accounts | No credential management |
| Least privilege | Minimal permissions for service account | IAM, RBAC, ABAC | Limit blast radius |
| Monitoring | Monitor all service account activity | SIEM, DAM, cloud monitoring | Detect anomalies |
| Naming convention | Clear naming indicating purpose and scope | Naming policy (svc-app-env-purpose) | Accountability |
| Documentation | Document owner, purpose, systems, permissions | CMDB, service registry | Ownership and accountability |
| No email | Service accounts have no email | Exchange, Google Workspace | Prevent phishing |
| No shared secrets | Each service account has unique credentials | IAM, vault | Accountability |
| Certificate auth | Use certificates instead of passwords where possible | PKI, mTLS | Stronger authentication |
| API key governance | Scoped API keys, rotation, monitoring | API gateway, vault | Secure API access |
| Workload identity | Kubernetes workload identity, pod identity | Kubernetes, cloud IAM | Pod-level identity |
| SPIFFE/SPIRE | Universal workload identity framework | SPIFFE, SPIRE | Cross-platform workload identity |
| Service mesh | mTLS between services, identity-based access | Istio, Linkerd, Consul | Service-to-service security |
| No long-lived credentials | Avoid long-lived keys and passwords | STS, managed identities, short-lived tokens | Reduce exposure |
| Credential scanning | Scan code and config for hardcoded credentials | GitLeaks, TruffleHog, GitHub secret scanning | Prevent credential leakage |
| Break-glass service accounts | Pre-approved emergency service accounts | PAM, vault, enhanced logging | Emergency access with control |
Authentication Monitoring and Analytics
Authentication Monitoring Requirements
| Event | What to Monitor | Alert Trigger | Response | Tool |
|---|---|---|---|---|
| Failed login | Count, source IP, username, time | >5 failures in 5 minutes | Lock account, alert, investigate | SIEM, IAM |
| Successful login | User, time, location, device, MFA status | From new location/device | Alert, review | SIEM, IAM |
| MFA failure | User, method, failure reason | Repeated MFA failures | Alert, investigate, possible compromise | SIEM, IAM |
| Password change | User, time, source, method | Change from unusual location | Alert, verify with user | SIEM, IAM |
| Password reset | User, time, method, success | Unusual reset pattern | Alert, investigate | SIEM, IAM |
| Account lockout | User, time, reason, source | Multiple lockouts | Alert, investigate, brute force check | SIEM, IAM |
| Account unlock | User, time, admin, reason | Unusual unlock pattern | Alert, verify | SIEM, IAM |
| New device | User, device, time, location | First-time device | Alert, require MFA, notify user | SIEM, IAM |
| New location | User, location, time | Impossible travel, new country | Alert, block, require MFA | SIEM, IAM |
| Off-hours login | User, time, location | Login outside business hours | Alert, require MFA, notify manager | SIEM, IAM |
| Privileged login | Admin, time, location, method | Any admin login | Log + alert + session recording | SIEM, PAM |
| Break-glass use | Account, time, reason, admin | Any break-glass use | Immediate alert, session recording, post-review | SIEM, PAM |
| Service account login | Account, time, source, method | Interactive login | Alert, block, investigate | SIEM, IAM |
| Certificate use | Certificate, time, source, result | Expired certificate, revoked certificate | Alert, block, renew | SIEM, PKI |
| Token use | Token, time, source, result | Expired token, revoked token, unusual use | Alert, block, investigate | SIEM, IAM |
| API key use | Key, time, source, endpoint, result | Unusual endpoint, rate limit hit, revoked key | Alert, block, rotate | SIEM, API gateway |
| Impersonation | Impersonator, target, time, reason | Unauthorized impersonation | Alert, block, investigate | SIEM, IAM |
| Credential stuffing | Multiple failed logins, different users, same IP | >10 failed logins from same IP | Block IP, alert, investigate | SIEM, WAF |
| Password spray | Multiple failed logins, same password, different users | Pattern detected | Block IP, alert, investigate | SIEM, WAF |
| Brute force | Multiple failed logins, same user, different passwords | >5 failures in 5 minutes | Lock account, alert, investigate | SIEM, IAM |
| Session hijacking | Session from new location, unusual activity | Session anomaly | Block session, alert, force re-auth | SIEM, IAM |
| Account takeover | Impossible travel, password change + MFA disable | Multiple anomalies | Block account, alert, IR | SIEM, UEBA |
| Insider threat | Unusual data access, privilege escalation, bulk export | Behavioral anomaly | Alert, investigate, DLP | SIEM, UEBA, DLP |
| Third-party risk | Third-party user unusual activity | Anomaly for third-party | Alert, review, restrict access | SIEM, CASB, UEBA |
| Compromised credential | Credential found in breach database | HIBP match | Force password change, alert, MFA | HIBP, IAM |
| Authentication bypass | Attempt to bypass MFA, password check | Bypass attempt detected | Block, alert, investigate | SIEM, WAF |
| Man-in-the-middle | Certificate anomaly, TLS downgrade | MITM indicators | Alert, block, investigate | SIEM, NDR |
| Replay attack | Reused token, replayed request | Replay detected | Block, alert, investigate | SIEM, API gateway |
SIEM Rules for Authentication
## Splunk: Detect impossible travel
index=authentication
| eval time_diff=abs(now()-_time)
| stats values(src_ip) as src_ips, values(src_geo) as locations, min(_time) as first_login, max(_time) as last_login by user
| eval travel_time=last_login-first_login
| eval max_possible_distance=travel_time*1000
| eval actual_distance=... (geo distance calculation)
| where actual_distance > max_possible_distance
## Splunk: Detect brute force
index=authentication action=failure
| stats count by user, src_ip
| where count > 5
| eval time_window=5
| where _time > relative_time(now(), "-5m")
## Splunk: Detect off-hours admin login
index=authentication action=success user_role=admin
| eval hour=strftime(_time, "%H")
| where hour < 6 OR hour > 22
| stats count by user, src_ip, hour
| where count > 0
## Splunk: Detect credential stuffing
index=authentication action=failure
| stats dc(user) as user_count, count as attempt_count by src_ip
| where user_count > 10 AND attempt_count > 20
Tool Comparison
| Tool | Type | Best For | overhead | Key Features | Integration |
|---|---|---|---|---|---|
| HaveIBeenPwned | Compromised Password Check | All | Free | Breach database, API, password check | Azure AD, Okta, custom |
| NIST Password Validator | Password Policy | NIST compliance | Free | NIST 800-63B password validation | Custom |
| zxcvbn | Password Strength | Developer, web | Free | Password strength estimation, crack time | Web, custom |
| Dropbox zxcvbn | Password Strength | Developer, web | Free | Password strength estimation | Web, custom |
| OpenSSL | Certificate, Crypto | Custom, developer | Free | Certificate management, encryption, TLS | Custom |
| Let's Encrypt | Free Certificates | Web, API, small orgs | Free | Free SSL/TLS certificates, auto-renewal | Web server, CDN |
| Certbot | Free Certificate Automation | Let's Encrypt users | Free | ACME client, auto-renewal, web server | Linux, web server |
| ACME protocol | Certificate Automation | Let's Encrypt, custom CA | Free | Automated certificate issuance, renewal | PKI, web server |
| Step CA | Private CA | DevOps, internal PKI | Free | Private CA, ACME, short-lived certificates | DevOps, Kubernetes |
| Boundary | Certificate-Based Access | HashiCorp ecosystem | Free | Certificate-based access, session recording | HashiCorp ecosystem |
| Headscale | Self-Hosted Tailscale | Self-hosted, budget | Free | Self-hosted Tailscale control server | Self-hosted |
| WireGuard | Modern VPN | Modern VPN, fast | Free | Modern VPN protocol, fast, simple | Linux, mobile |
| OpenVPN | VPN | Traditional VPN, flexible | Free | SSL VPN, flexible, widely supported | All platforms |
| IPsec | VPN | Traditional VPN, standard | Free | Standard VPN protocol, widely supported | All platforms |
| StrongSwan | IPsec VPN | Linux IPsec | Free | IPsec VPN, IKEv2, strong crypto | Linux |
| FreeRADIUS | RADIUS Server | Network access, WiFi, VPN | Free | RADIUS server, authentication, accounting | Network |
| PacketFence | NAC | Network access control | Free | NAC, 802.1X, captive portal, compliance | Network |
| Keycloak | Open-source IAM | Open-source, Java | Free | SSO, Identity Brokering, Social Login, MFA, CIAM | Open-source |
| Authentik | Open-source IAM | Self-hosted, modern | Free | SSO, MFA, Proxy, Forward Auth, CIAM | Self-hosted |
| Gluu | Open-source IAM | Open-source, enterprise | Free | SSO, SAML, OIDC, OAuth, FIDO | Open-source |
| Shibboleth | Open-source SAML | Open-source, SAML | Free | SAML 2.0, federation, SSO | Open-source |
| SimpleSAMLphp | Open-source SAML | PHP, SAML | Free | SAML 2.0, PHP-based, lightweight | Open-source |
| phpCAS | Open-source CAS | PHP, CAS | Free | CAS (Central Authentication Service), PHP | Open-source |
| Apereo CAS | Open-source CAS | Java, CAS | Free | CAS, Java, enterprise features | Open-source |
| Spring Security | Application Security | Java, Spring | Free | Authentication, authorization, OAuth, SAML, OIDC | Java, Spring |
| Passport.js | Application Security | Node.js | Free | Authentication, 500+ strategies, OAuth, SAML | Node.js |
| Authlib | Application Security | Python | Free | Authentication, OAuth, OIDC, SAML | Python |
| Casbin | Application Security | Multi-language | Free | Authorization, RBAC, ABAC, ACL | Multi-language |
| Open Policy Agent (OPA) | Application Security | Cloud-native | Free | Policy-based authorization, Rego, Kubernetes | Cloud-native |
| Cerbos | Application Security | Modern, API | Free | Authorization, policy, API, modern | Modern, API |
| Google Zanzibar | Application Security | Google-scale | N/A | Authorization, relationship-based, Google-scale | Google-scale |
Implementation Roadmap: 4 Weeks
| Week | Focus | Deliverable | Owner |
|---|---|---|---|
| 1 | Password policy + MFA | Strong password policy, MFA enabled for all | Security |
| 2 | Credential vault + rotation | Vault deployed, service accounts rotated, admin creds vaulted | Security Engineer |
| 3 | Passwordless pilot + monitoring | Passwordless pilot for IT, authentication monitoring setup | Security + IT |
| 4 | Full rollout + training | Passwordless for all users, training, monitoring operational | HR + Security |
Common Audit Failures and Fixes
| Failure | Auditor's Question | Fix | Timeline |
|---|---|---|---|
| Weak password policy | "What is your password policy?" | Strengthen password policy, enable compromised check | 1-2 weeks |
| No MFA | "How do you verify user identity?" | Deploy MFA for all users | 2-4 weeks |
| Plaintext password storage | "How are passwords stored?" | Implement secure hashing (Argon2id/bcrypt) | 2-4 weeks |
| No credential vault | "Where are service account passwords stored?" | Deploy credential vault (HashiCorp, CyberArk) | 2-4 weeks |
| No credential rotation | "When do you rotate credentials?" | Implement automated rotation for all credentials | 2-4 weeks |
| Shared credentials | "Who has access to this admin password?" | Eliminate shared credentials, use individual accounts + PAM | 2-4 weeks |
| No authentication monitoring | "How do you detect authentication anomalies?" | Implement SIEM rules for authentication events | 2-4 weeks |
| No passwordless option | "Do you support passwordless authentication?" | Enable passwordless (FIDO2, passkeys, Windows Hello) | 4-8 weeks |
| Weak password reset | "How do users reset passwords?" | Implement secure SSPR with MFA | 1-2 weeks |
| No compromised password check | "Do you check for breached passwords?" | Enable HIBP check or similar | 1-2 weeks |
| Service account hardcoded credentials | "Are service account credentials hardcoded?" | Move to vault, implement runtime injection | 2-4 weeks |
| No certificate management | "How do you manage certificates?" | Implement certificate lifecycle management | 2-4 weeks |
| No biometric privacy controls | "How do you protect biometric data?" | Implement biometric privacy controls, templates only, encryption | 2-4 weeks |
| Weak API authentication | "How do you authenticate API calls?" | Implement OAuth 2.0 + mTLS for APIs | 2-4 weeks |
| No break-glass authentication | "How do you handle emergency access?" | Implement break-glass with enhanced logging | 1-2 weeks |
Illustrative Scenarios
Illustrative scenario, a composite example for guidance, not a specific Singahi engagement or a verified outcome.
Illustrative Scenario 1: SaaS Company Implements Passwordless for 800 Users
Company: 800-employee SaaS, weak passwords, no MFA, frequent credential stuffing attacks
Challenge: Credential stuffing attacks, weak passwords, no MFA, audit finding on A.5.17
Solution:
- Implemented strong password policy with HIBP compromised check
- Deployed MFA for all users (TOTP app + push notification)
- Deployed YubiKey FIDO2 keys for all 50+ admin accounts
- Implemented passwordless (FIDO2 + passkeys) for all users via Azure AD
- Deployed HashiCorp Vault for 200+ service accounts with automated rotation
- Implemented self-service password reset with MFA verification
- Deployed SIEM rules for authentication monitoring (50+ rules)
- Implemented certificate-based authentication for service-to-service APIs
- Trained all users on passwordless and passkey usage
- Implemented break-glass procedure with pre-approved emergency accounts
Outcome: 100% MFA enrollment. 85% passwordless adoption within 6 months. Credential stuffing attacks reduced by 95%. Service account credentials never hardcoded. Authentication incidents reduced by 90%. Passed ISO 27001 audit with zero findings on A.5.17.
Illustrative Scenario 2: Bank Implements Hardware MFA and Vault for 2,000 Employees
Company: 2,000-employee bank, SMS OTP for MFA, no hardware keys, service accounts in spreadsheets
Challenge: RBI requirement for strong MFA, SMS OTP not sufficient for banking, no credential vault
Solution:
- Replaced SMS OTP with hardware tokens (YubiKey 5 NFC) for all employees
- Implemented biometric + hardware key for high-risk roles (CISO, admin, finance)
- Deployed CyberArk for PAM and credential vault (500+ service accounts)
- Implemented automated rotation for all service accounts (90 days)
- Implemented certificate-based authentication for all internal APIs
- Implemented passwordless for customer-facing applications (FIDO2 + passkeys)
- Deployed SIEM with 100+ authentication monitoring rules
- Implemented adaptive authentication (risk-based step-up MFA)
- Implemented break-glass with dual control and HSM-backed keys
- Trained all employees on hardware key usage and security
Outcome: 100% hardware MFA adoption. Zero SMS OTP usage. 500+ service accounts in vault with automated rotation. API authentication fully certificate-based. Authentication incidents reduced by 88%. RBI audit passed with no findings. Customer authentication fraud reduced by 75%.
Multi-Framework Mapping
| ISO 27001:2022 A.5.17 | SOC 2 CC6.1 | PCI DSS 8.2 | NIST 800-53 IA-2 | CIS Controls 6.2 | COBIT 2019 DSS05 |
|---|---|---|---|---|---|
| Authentication information | Logical access controls | Strong authentication | Identification and authentication | Account management | Managed security services |
FAQ
Q: Does A.5.17 require MFA for all users or just privileged users?
A: MFA is required for all privileged access. For standard users, MFA is highly recommended and considered best practice. The standard requires strong authentication for sensitive access at minimum.
Q: What is the best password hashing algorithm?
A: Argon2id is the current best practice (OWASP recommendation). bcrypt is also excellent and widely supported. scrypt is good for memory-hard requirements. PBKDF2 is acceptable with high iteration counts. Never use MD5, SHA-1, or SHA-256 for password hashing.
Q: Can we store passwords in plaintext for any reason?
A: No. Never store plaintext passwords. Always hash passwords with a strong algorithm (Argon2id, bcrypt). If you need to verify passwords (e.g., for integration), use a secure vault or delegated authentication.
Q: Does A.5.17 require passwordless authentication?
A: Not required, but highly recommended. Passwordless (FIDO2, passkeys, Windows Hello) is stronger than passwords and is acceptable for ISO 27001. Many auditors view passwordless as a sign of mature security.
Q: How do we handle legacy systems that don't support modern authentication?
A: Use PAM for legacy system access, implement MFA at the gateway level, use VPN with MFA for remote access, and plan migration. Document the compensating controls and migration plan.
Q: What is the minimum evidence for A.5.17?
A: Password policy, hashing algorithm documentation, MFA enrollment records, credential vault records, rotation logs, authentication monitoring logs, and passwordless implementation records (if applicable).
Q: Can we use SMS OTP for MFA?
A: SMS OTP is acceptable for low-risk access but is not recommended for high-risk or privileged access due to SIM swapping and interception risks. Use TOTP apps, push notifications, or hardware keys for better security.
Q: How do we handle biometric data privacy?
A: Store templates (not raw images), encrypt, separate from other data, obtain consent, allow deletion, and conduct a DPIA. Follow DPDP Act and GDPR requirements for biometric data.
Q: Does A.5.17 require certificate-based authentication?
A: Not required for all users, but certificate-based auth is recommended for high-security environments, service-to-service communication, and admin access. At minimum, use certificates for API and service account authentication.
Q: How often should we rotate passwords?
A: For user passwords with MFA: never (or 180 days). For admin passwords: 90 days (or never if hardware MFA). For service accounts: 90 days or automated rotation. For API keys: 90 days or automated rotation. For certificates: per validity period (typically 1-2 years).
Need help? Contact us for a 20-minute readiness call.
Q: What is the difference between A.5.17 and A.8.5? A: A.5.17 covers the lifecycle of authentication information (creation, distribution, storage, rotation, revocation). A.8.5 covers the actual authentication process (how users prove their identity). A.5.17 is the "key management" while A.8.5 is the "door lock." Both are required for complete authentication security.
Q: How do we handle authentication information for third-party contractors? A: Create dedicated accounts with time-bound access, enforce MFA, use conditional access (location, time), monitor all activity, revoke immediately upon contract end, and conduct access reviews monthly. Never share internal employee credentials with contractors.
Q: What is a credential vault and why do we need one? A: A credential vault (HashiCorp Vault, CyberArk, Azure Key Vault, AWS Secrets Manager) is a secure system for storing and managing credentials. It provides encryption, access controls, rotation, audit logging, and API access. Essential for service accounts, API keys, and shared credentials. Without a vault, credentials are often hardcoded in code or stored in spreadsheets.
Q: How do we handle authentication information during mergers and acquisitions? A: Integrate identity systems, harmonize password policies, migrate credentials to the acquiring organization's vault, conduct access reviews for all inherited accounts, revoke redundant accounts, and ensure consistent MFA enforcement across the merged entity.
Q: What is adaptive authentication and how does it relate to A.5.17? A: Adaptive authentication adjusts authentication strength based on risk signals (location, device, behavior, time). It requires dynamic credential management, different credentials or factors for different risk levels. This is part of A.5.17 because it involves managing multiple authentication factors and their deployment based on risk.
Q: How do we handle authentication information for IoT devices? A: IoT devices should use certificates (X.509) or TPM-based authentication, not passwords. Use device-specific credentials, store in vault, rotate via automated processes, and monitor for anomalous authentication. Never use default passwords on IoT devices.
Q: What is the role of A.5.17 in Zero Trust architecture? A: Zero Trust requires strong, verifiable authentication for every access request. A.5.17 ensures the credentials used in Zero Trust are properly managed, rotated, and protected. Without proper credential management, Zero Trust cannot function securely.
Indian Regulatory Context
DPDP Act 2023 and Authentication Information
| DPDP Act Requirement | Authentication Information Implication | Implementation |
|---|---|---|
| Section 6, Consent | Users must authenticate to provide or withdraw consent | Strong authentication for consent management portals |
| Section 11, Data Principal Rights | DSAR systems require strong authentication to prevent unauthorized access | MFA for data subject access request systems |
| Section 9, Children's Data | Enhanced authentication for systems processing children's data | AAL3+ authentication for children's data systems |
| Section 13, Grievance Redressal | Secure authentication for grievance portals | MFA + audit logging for grievance access |
| Section 33, Penalties | Authentication failures leading to breach = potential fine | Implement strongest authentication for high-risk systems |
RBI Guidelines for Authentication Information
| RBI Guideline | Authentication Requirement | Implementation |
|---|---|---|
| Multi-factor authentication | All high-risk transactions require MFA | Hardware tokens or biometric + PIN for banking |
| Password complexity | Strong passwords for all banking systems | 12+ characters, no dictionary words, breach detection |
| Credential rotation | Regular rotation of service account credentials | 90-day automated rotation for core banking systems |
| Credential vault | Secure storage for all banking credentials | HSM-backed vault for banking credentials |
| Audit logging | All authentication events logged and retained | 1-year retention for authentication logs |
| Break-glass | Emergency access procedures with dual control | Pre-approved emergency accounts, HSM-backed, 24-hour expiry |
SEBI and IRDAI Authentication Requirements
| Regulator | Authentication Requirement | Implementation |
|---|---|---|
| SEBI | Strong authentication for trading systems, broker portals | Hardware keys for admin, TOTP for traders, biometric for mobile |
| IRDAI | Secure authentication for insurance portals, customer data | MFA for customer portals, certificate-based for APIs |
| CERT-In | Multi-factor authentication for critical infrastructure | AAL3 for all critical systems, AAL4 for admin |
Continuous Improvement
Authentication Information Maturity Model
| Level | Name | Characteristics | Credential Management |
|---|---|---|---|
| 1 | Ad Hoc | No password policy, shared credentials, no vault | Passwords in spreadsheets, no rotation |
| 2 | Developing | Basic password policy, some MFA, manual rotation | Some service accounts in vault, quarterly rotation |
| 3 | Defined | Strong password policy, MFA for all, credential vault | All service accounts in vault, automated rotation |
| 4 | Managed | Passwordless, adaptive auth, automated lifecycle | Full automation, predictive rotation, AI monitoring |
| 5 | Optimized | Zero Trust, continuous validation, self-healing | Self-healing credentials, AI-driven anomaly detection |
Annual Improvement Agenda
| Month | Focus | Activities | Deliverable |
|---|---|---|---|
| January | Password policy review | Update policy based on NIST, industry trends | Updated password policy v2.X |
| February | MFA enrollment push | Target non-enrolled users, enforce MFA | 100% MFA enrollment report |
| March | Credential vault audit | Review all credentials, rotation compliance, access | Vault audit report |
| April | Passwordless pilot | Expand passwordless to additional user groups | Passwordless adoption report |
| May | Authentication monitoring review | Tune SIEM rules, reduce false positives | Tuned SIEM rule set |
| June | Mid-year metrics review | Analyze trends, identify improvement areas | Mid-year metrics dashboard |
| July | Service account review | Inventory, rotation, privilege review | Service account review report |
| August | Certificate renewal cycle | Renew expiring certificates, update automation | Certificate renewal report |
| September | Training refresh | Update training materials, new hire onboarding | Updated training program |
| October | Audit preparation | Gather evidence, mock audit, fix gaps | Audit-ready evidence package |
| November | Incident response drill | Test authentication incident response | Incident response test report |
| December | Year-end review | Complete review, plan next year | Annual improvement plan |
Need help? Contact us for a 20-minute readiness call.
Q: How do we handle authentication information for DevOps pipelines? A: DevOps pipelines require service accounts, API keys, and deployment credentials. Use dedicated CI/CD service accounts, store credentials in vault with short-lived tokens, implement OIDC for cloud deployments, rotate pipeline credentials automatically, and audit all pipeline access. Never store credentials in pipeline configuration files or environment variables in plain text.
Q: What is the role of A.5.17 in cloud security? A: Cloud environments rely heavily on API keys, service principals, and IAM roles. A.5.17 ensures these credentials are properly managed: cloud provider API keys stored in vault, IAM roles scoped with least privilege, cross-account roles reviewed quarterly, and cloud credentials rotated per provider best practices (AWS: 90 days, Azure: 1 year for SP secrets, GCP: 90 days for service account keys).
Q: How do we handle authentication information for disaster recovery? A: DR systems need authentication credentials that work independently of primary systems. Store DR credentials in a separate vault, ensure DR credentials are not dependent on primary infrastructure (e.g., don't store DR vault credentials in primary AD), test DR authentication quarterly, and document DR credential recovery procedures.
Q: What is the impact of quantum computing on authentication information? A: Quantum computing threatens current asymmetric encryption (RSA, ECC) used in certificates and key exchange. While quantum-safe algorithms are still being standardized, organizations should: monitor NIST post-quantum cryptography standards, plan for certificate algorithm migration (RSA → lattice-based), and ensure crypto-agility (ability to switch algorithms quickly).
Additional Illustrative Scenarios: Indian Authentication Incidents
Illustrative Scenario 3: Indian E-commerce, Credential Stuffing Attack (2023)
What happened: An Indian e-commerce platform with 5 million users suffered a credential stuffing attack. Attackers used 2 million leaked credentials from other breaches to attempt logins. The platform had no MFA, no breach detection, and no rate limiting. 15,000 accounts were compromised.
Impact:
- 15,000 customer accounts compromised
- Fraudulent orders:
- Customer data access (addresses, partial card numbers, order history)
- DPDP Act 2023 notification required
- RBI notification for payment data exposure
- Customer churn: 8% in affected segment
- Remediation overhead: (MFA deployment, incident response, customer communication, legal)
Root causes:
- No MFA on customer accounts
- No credential breach detection (Have I Been Pwned integration)
- No rate limiting on login endpoints
- No account takeover detection
- No monitoring for impossible travel or anomalous login patterns
- Weak password policy (8 characters, no breach detection)
Lessons:
- Implement MFA on all accounts (customer + employee)
- Integrate breach detection (Have I Been Pwned API, SpyCloud)
- Implement rate limiting (5 attempts per 15 minutes, CAPTCHA after 3 failures)
- Deploy account takeover detection (UEBA, impossible travel, new device alerts)
- Implement progressive authentication (stronger auth for sensitive actions)
- Monitor for credential stuffing patterns (same password across multiple accounts)
- Force password reset for breached credentials
Illustrative Scenario 4: Indian Government Portal, Default Admin Credentials (2022)
What happened: A state government portal for citizen services was found to have default admin credentials (admin/admin123) on the administrative backend. The portal had been live for 2 years without changing defaults. A security researcher discovered and responsibly disclosed the issue.
Impact:
- 2 years of potential unauthorized admin access
- 500,000+ citizen records potentially accessible
- Portal taken offline for 3 weeks for security remediation
- CERT-In notification required
- Reputational damage for government digital initiatives
- Remediation overhead: (security audit, penetration testing, new authentication system, monitoring)
Root causes:
- Default credentials never changed after deployment
- No initial security configuration review
- No periodic authentication review
- No penetration testing before launch or annually
- No security awareness among deployment team
- No change management process for security configurations
Lessons:
- Change all default credentials before deployment (Day 1 checklist)
- Conduct security configuration review before go-live
- Implement annual penetration testing for all internet-facing systems
- Deploy automated scanning for default credentials (Nessus, OpenVAS)
- Include authentication security in change management process
- Train deployment teams on security baselines
- Implement break-glass admin accounts with MFA only (no default passwords)
Need help? Contact us for a 20-minute readiness call.