IT Baseline Protection Manual S 4.133 Appropriate choice of authentication mechanisms

S 4.133 Appropriate choice of authentication mechanisms

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrator

The identification and authentication mechanisms for IT systems and IT applications must be designed in such a way that users can be uniquely identified and authenticated. This identification and authentication must be carried out prior to every other interaction between the IT system and the user. Further interactions must be possible only after successful identification and authentication. The authentication information must be stored in such a manner as to ensure that it can only be accessed by authorised users (for the purpose of checking or amending it). The IT system must be able to establish the identity of the user in each case of interaction.

Before any user data is transmitted, the communication partner (computer, process or user) must be unambiguously identified and authenticated. Only after successful identification and authentication may useful data be transmitted. When data is received, it must be possible to unambiguously identify and authenticate its originator. All authentication data must be protected against unauthorised access and forgery.

A number of criteria are listed below which should be considered when selecting identification and authentication mechanisms. Not all commercially available systems satisfy all the criteria, and this should be taken into account when considering the options. Many IT products, operating systems for example, contain authentication systems in addition to their primary functionality. Here it is necessary to check whether these satisfy the requirements or whether they need to be extended to include extra functionality. The criteria listed below are appropriate here as well.

Administration of authentication data

Security functions enabling the creation and amendment of authentication data for users must be available. It should only be possible for these functions to be executed by authorised Administrators. Where passwords are used, authorised users should be able to alter their own authentication data within predefined limits. The IT system should have a protected mechanism available in order that users can alter their passwords independently. It should be possible here to specify a minimum validity period for passwords.

Following successful logon, the time and place of the user's last successful access should be displayed.

Protection of authentication data against alteration

The IT system must protect the authentication data during processing against spying, amendment and destruction at all times. This can, for example, be achieved through encryption of password files and non-display of passwords entered.

Authentication data must be stored separately from application data.
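One way to meet the two requirements above in code, as an added example that is not part of the Manual: passwords are never stored, only a salted one-way hash (PBKDF2-HMAC-SHA256, a technique chosen here, not prescribed by the Manual) that is useless to anyone who reads the authentication file; the verifier store is a separate structure from application data; and comparisons run in constant time. The function names, the iteration count and the dummy-record trick for unknown usernames are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not part of the Manual. Keeps stored authentication data
# unreadable to anyone who reaches the file, apart from application data,
# and compared without leaking timing. Parameter values are assumptions.

HASH_NAME = "sha256"
PBKDF2_ITERATIONS = 600_000   # assumed work factor; tune to your hardware
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a verifier record for `password` using salted PBKDF2-HMAC.

    A fresh random salt per password means two users with the same password
    do not produce the same stored value, and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "algorithm": f"pbkdf2-{HASH_NAME}",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        HASH_NAME,
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


# The verifier store holds only hash records and would live in a separately
# protected file or table; application data (profiles, documents) lives elsewhere.
# A fixed dummy record makes unknown usernames cost the same time as wrong passwords.
_DUMMY_RECORD = hash_password("")


def register(auth_store: dict, username: str, password: str) -> None:
    """Create or replace a user's verifier; the plaintext is never stored."""
    auth_store[username] = hash_password(password)


def authenticate(auth_store: dict, username: str, password: str) -> bool:
    """Check a password against the store; unknown users fail after the same work."""
    record = auth_store.get(username)
    if record is None:
        verify_password(password, _DUMMY_RECORD)   # equalise timing, then refuse
        return False
    return verify_password(password, record)
```

When this is wired to a terminal, read the password with `getpass.getpass()` rather than `input()` so that it is not echoed, which covers the "non-display of passwords entered" point above.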

System support

Where organisation-wide authentication procedures are used, they should only be operated on servers whose operating systems provide adequate protection against tampering.

When selecting authentication procedures, steps must be taken to ensure that these can be used as far as possible across platforms.

Error handling during authentication

The IT system should be able to terminate the logon dialogue after a predefined number of failed attempts at authentication. Following completion of an unsuccessful attempt at logon, the IT system must be able to block the user account or terminal and/or suspend the connection. After each unsuccessful authentication attempt the IT system should apply an increased delay before the next attempt at logon is allowed. It must be possible to set upper limits on the length of time that can be spent attempting to log on.

Administration of user data

The IT system should provide facilities allowing different default settings to be assigned to different users. It should be possible to view and amend these. The possibility of altering user data must be restricted to the authorised Administrator. If administration of user data is to take place over a communications link, this must be adequately protected by cryptographic means.

Definition of user entries

The IT system must permit implementation of the security policy by allowing each user's security settings to be appropriately selected.

An authentication procedure should also be upgradable, e.g. to support strong authentication technologies such as the use of tokens or smart cards (see also S 5.34 Use of one-time passwords).

Password quality

When passwords are used for authentication, the IT system should offer mechanisms which satisfy the following conditions:

Requirements for authentication mechanisms for users

The IT system must check the user's identity before any other user transaction can take place. The IT system should be able to detect when user authentication data is replayed or when forged or copied user authentication data is loaded and prevent this. The IT system should only check the authentication data when it has been entered in full.

For every user it should be possible to configure separately when and from where he is allowed to access the IT system.

Logging of authentication mechanisms

The IT system must be able to log the following events:

Every log entry should contain the date, time, type of event, description of the subject and success or failure of the action.
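The error-handling requirements (increasing delay after each failure, blocking after a predefined number of failures), the last-successful-access display, and the log-entry fields listed above can be modelled together. The following is an added example, not part of the Manual or of any product it discusses: the thresholds, the doubling delay, the field names and the `LoginGuard` API are assumptions. The clock is injected so the behaviour can be checked without waiting; the credential check is whatever the system uses, for instance a lookup against hashed verifiers. An upper limit on the time spent in one logon dialogue is not modelled here.

```python
import datetime as dt
import math
from typing import Callable, Dict, List, Optional, Tuple

# Added example, not part of the Manual. Models the error-handling and logging
# requirements: a growing delay after each failure, a block after a fixed number
# of failures, a last-successful-access banner, and log entries carrying date,
# time, event type, subject and outcome. Thresholds are assumptions.

MAX_FAILURES = 3          # assumed: consecutive failures before the account is blocked
BASE_DELAY_SECONDS = 2    # assumed: wait after the first failure, doubled each time
MAX_DELAY_SECONDS = 60    # assumed: cap on the wait


class AccountState:
    def __init__(self) -> None:
        self.failures = 0
        self.not_before: Optional[dt.datetime] = None   # earliest accepted next attempt
        self.blocked = False
        self.last_success: Optional[Tuple[dt.datetime, str]] = None   # (time, origin)


class LoginGuard:
    def __init__(self, check_credentials: Callable[[str, str], bool],
                 clock: Callable[[], dt.datetime] = lambda: dt.datetime.now(dt.timezone.utc)):
        self.check_credentials = check_credentials   # e.g. a hashed-verifier lookup
        self.clock = clock                           # injected so the logic is testable
        self.accounts: Dict[str, AccountState] = {}
        self.log: List[dict] = []

    def _record(self, event: str, subject: str, success: bool, detail: str = "") -> None:
        """Append a log entry with the fields the Manual requires."""
        now = self.clock()
        self.log.append({
            "date": now.date().isoformat(),
            "time": now.time().isoformat(timespec="seconds"),
            "event": event,
            "subject": subject,
            "result": "success" if success else "failure",
            "detail": detail,
        })

    def attempt(self, username: str, password: str, origin: str) -> dict:
        now = self.clock()
        state = self.accounts.setdefault(username, AccountState())
        subject = f"user={username} from={origin}"

        if state.blocked:
            self._record("logon", subject, False, "account blocked")
            return {"ok": False, "reason": "blocked"}

        if state.not_before is not None and now < state.not_before:
            wait = math.ceil((state.not_before - now).total_seconds())
            self._record("logon", subject, False, f"attempt before delay elapsed ({wait}s left)")
            return {"ok": False, "reason": "too_early", "retry_after": wait}

        if self.check_credentials(username, password):
            previous = state.last_success          # shown to the user after logon
            state.failures = 0
            state.not_before = None
            state.last_success = (now, origin)
            self._record("logon", subject, True)
            return {"ok": True, "last_success": previous}

        # Failure: lengthen the delay, and block once the limit is reached.
        state.failures += 1
        delay = min(BASE_DELAY_SECONDS * 2 ** (state.failures - 1), MAX_DELAY_SECONDS)
        state.not_before = now + dt.timedelta(seconds=delay)
        if state.failures >= MAX_FAILURES:
            state.blocked = True
            self._record("account_block", subject, True,
                         f"{state.failures} consecutive failures")
            return {"ok": False, "reason": "blocked"}
        self._record("logon", subject, False, f"bad credentials, next attempt in {delay}s")
        return {"ok": False, "reason": "bad_credentials", "retry_after": delay}
```

The `last_success` value returned on a successful logon is what the system would display as the time and place of the user's previous access; the `account_block` entry is logged as a successful action of the system, while the refused logon attempts are logged as failures of the subject.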


© Copyright by Bundesamt für Sicherheit in der Informationstechnik, last update: July 2001