Authentication is a prominent aspect of cyber security: it is end-user facing and is generally the first step in accessing most systems. A poorly configured authentication layer can be the difference between a secure application and a complete breach. While thankfully not all exploits are critical, access to a system administrator's account can be catastrophic. Identification and Authentication Failures is listed as number seven on the OWASP Top 10, falling from its previous number two position due to the widespread implementation of MFA and increased attention to security practices.
To improve the basic security of your systems:
Ensure that all your systems use Multi Factor Authentication, requiring at least a second layer of proof to validate a user.
Implement strict password controls including:
- Minimum password complexity.
- No password reuse.
- Password expiration.
- A blacklist of common words and phrases to prevent them being used in user passwords.
- Expire session tokens after a period of time and on logout to avoid session hijacking.
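The controls above, as an added example written for this article rather than taken from any product: a password check covering minimum complexity, a denylist of common words and reuse against a salted password history, plus a session store that expires tokens after a fixed age and on logout. The denylist, the 12-character minimum and the 900-second session age are assumed values chosen for illustration.

```python
import hashlib, hmac, os, re, time

# Constructed sample denylist; a real deployment would load a much larger list.
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "admin"}

def hash_password(password, salt=None):
    """Salted PBKDF2 hash, stored as (salt, digest) so reuse can be detected later."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def check_password(candidate, history):
    """Return the list of policy violations for a candidate password.
    `history` is a list of (salt, digest) pairs for the user's previous passwords."""
    problems = []
    if len(candidate) < 12:  # assumed minimum length
        problems.append("too short")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, candidate)) for c in classes) < 3:
        problems.append("needs 3 of: lower, upper, digit, symbol")
    lowered = candidate.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a denylisted word")
    for salt, digest in history:  # re-hash with each old salt and compare in constant time
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            problems.append("reused")
            break
    return problems

class SessionStore:
    """In-memory session tokens that expire after max_age seconds and on logout."""
    def __init__(self, max_age=900):
        self.max_age = max_age
        self.sessions = {}  # token -> issued-at timestamp

    def issue(self, now=None):
        token = os.urandom(32).hex()
        self.sessions[token] = now if now is not None else time.time()
        return token

    def is_valid(self, token, now=None):
        now = now if now is not None else time.time()
        issued = self.sessions.get(token)
        if issued is None or now - issued > self.max_age:
            self.sessions.pop(token, None)  # expired tokens are purged on first use
            return False
        return True

    def logout(self, token):
        self.sessions.pop(token, None)  # logout invalidates the token immediately
```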
There are many attack vectors that a malicious actor could use to breach your authentication layer. Insufficient MFA coverage is a recurring issue that affects many organisations: they implement multi-factor authentication on their primary site but neglect administrative portals. This oversight can expose critical systems to attacks such as brute forcing or credential stuffing.