Weak authentication is a common vulnerability for information systems—it is consistently one of CISA’s top five most frequent findings for Federal High Value Asset systems. Furthermore, the 2019 Verizon Data Breach Investigations Report states that compromised passwords remain “prominent fixtures” of breaches.[1] Implementing strong authentication methods across an organization can dramatically improve resilience against common cybersecurity threats such as phishing attacks and compromised credentials. Although this guide references federal standards and publications, it is not mapped to nor directly associated with any agency. These recommendations are applicable to any organization seeking to improve its authentication process.
The purpose of this guide is to lay out the concept of authentication, recommend related security enhancements, and provide guidance to help plan and implement a strong authentication solution. Strong authentication is one of many pillars of a defense-in-depth cybersecurity strategy, but it is not the only solution to cybersecurity issues.
Authentication is the process of verifying that a user’s identity is genuine. Most systems require a user to be authenticated prior to granting access to the system. The user does this by entering a password, inserting a smart card and entering the associated personal identification number (PIN), providing a biometric (e.g., fingerprint, voice pattern sample, retinal scan)—or a combination of these things—to prove they are who they claim to be. The credentials provided are compared to those that have previously been associated with the user. The credential match may be performed within the system being accessed or via a trusted external source. If the credentials match, the system authenticates the identity and grants access.
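As an added illustration (not part of the guide), the "combination of these things" described above in working form: a verifier that checks a password against a stored salted hash and a one-time code against a shared TOTP secret (RFC 6238), granting access only when both factors match. The user record, password and secret are constructed sample values; the iteration count and clock-skew window are assumptions.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # assumed work factor for the stored password hash
TOTP_STEP = 30               # seconds per one-time-code window (RFC 6238 default)

def make_user_record(password: str, totp_secret: bytes) -> dict:
    # Constructed credential record held by the verifier: salted PBKDF2 digest
    # plus the shared TOTP secret; the plaintext password is never stored.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "pw_hash": digest, "totp_secret": totp_secret}

def verify_password(record: dict, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ITERATIONS)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(digest, record["pw_hash"])

def totp_code(secret: bytes, unix_time: int, digits: int = 6) -> str:
    # RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1 + dynamic truncation) over the time step.
    counter = struct.pack(">Q", unix_time // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def verify_totp(record: dict, candidate: str, unix_time: int, skew_steps: int = 1) -> bool:
    # Accept the current window plus/minus a small skew to tolerate clock drift.
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp_code(record["totp_secret"], unix_time + delta * TOTP_STEP)
        if hmac.compare_digest(expected, candidate):
            return True
    return False

def authenticate(record: dict, password: str, code: str, unix_time: Optional[int] = None) -> bool:
    # Both factors are always evaluated, so a rejection does not tell the caller
    # which factor was wrong; access is granted only when both match.
    now = int(time.time()) if unix_time is None else unix_time
    pw_ok = verify_password(record, password)
    otp_ok = verify_totp(record, code, now)
    return pw_ok and otp_ok
```

The `unix_time` parameter exists so the check can be exercised against the published RFC 6238 test secret at a fixed time; in service the default (current clock) is used.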