S 4.133 Appropriate choice of authentication mechanisms
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
The identification and authentication mechanisms of IT systems and/or IT applications must be designed so that users are unambiguously identified and authenticated. Identification and authentication must take place before any other interaction between the IT system and the user; further interactions may only be possible once they have succeeded. Authentication information must be stored so that only authorised users can access it (read or modify it). For each interaction, the IT system must be able to determine the identity of the user on whose behalf it is carried out.
Before user data is transmitted, the communication partner (computer, process or user) must have been unambiguously identified and authenticated; only then may the user data be sent. When data is received, it must be possible to unambiguously identify and authenticate its sender. All authentication data must be protected against unauthorised access and falsification.
There are different techniques by means of which the authenticity of a user can be verified. The best-known techniques are the following:
- PINs (personal identification numbers)
- passwords
- tokens such as access cards
- biometrics
In security-critical fields of application, strong authentication should be used, i.e. two different authentication techniques are combined, for example a password plus transaction numbers (one-time passwords) or a password plus a chip card. Strong authentication is therefore also often referred to as two-factor authentication. Both techniques used must conform to the current state of the art.
Below, criteria are listed that should be considered when choosing identification and authentication mechanisms. Not all systems available on the market meet all criteria; this must be taken into account when making the choice. Many IT products, operating systems for example, contain authentication mechanisms in addition to their actual functionality. Here it must be examined whether these mechanisms meet the requirements or whether they have to be supplemented by additional functions; the following criteria are suitable for this examination as well.
Authentication data administration
Security functions must be available for creating and modifying the users' authentication data; these functions should only be usable by authorised administrators. When passwords are used, authorised users should be able to change their own authentication data within defined limits, and the IT system should provide a protected mechanism for doing so. It should also be possible to specify a minimum lifetime for passwords, so that the password history cannot be exhausted by a rapid series of changes.
Following a successful login, time and place of their last successful access should be displayed to the users.
Protecting the authentication data against modification
While processing it, the IT system must protect authentication data at all times against disclosure, modification and destruction. This can be ensured, for example, by storing passwords only as salted hashes rather than in plaintext, by encrypting or access-protecting the password files, and by not displaying entered passwords. Authentication data must be stored separately from application data.
System support
Organisation-wide authentication procedures should only be operated on servers whose operating system offers adequate protection against manipulation. When choosing authentication procedures, it should be ensured that they can be used across platforms as far as possible.
Error handling during authentication
It should be possible for the IT system to terminate login procedures after a specified number of unsuccessful authentication attempts. Following an unsuccessful login procedure, the IT system must be able to lock the user account and/or the terminal and/or disconnect the connection. After unsuccessful authentication attempts, the IT system should increasingly delay any further login attempt (time delay). It should be possible to limit the maximum duration of a login attempt.
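The following is an added example and not part of the safeguard text. It shows the error handling described above (lockout after a specified number of failures, an increasing delay between attempts) together with the storage requirement from the previous section (only a salted hash of the password is kept, and it is compared in constant time once the complete entry is available) and the recording of the last successful access. The threshold of three failures, the two-second base delay, the PBKDF2 work factor and all names in the code are assumptions.

```python
"""Login handling with lockout and increasing delay after failed attempts.

Added example, not part of the original safeguard. The thresholds (three
failures, a two-second base delay that doubles) and the PBKDF2 work factor
are assumed values to be set according to the protection requirements.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import time
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000   # kept low for the example; current guidance is several hundred thousand
MAX_FAILURES = 3              # assumed lockout threshold
BASE_DELAY_SECONDS = 2.0      # assumed; doubles with every further consecutive failure
DUMMY_SALT = b"\x00" * 16     # used so that unknown users cost the same time as known ones


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Store only a salted hash; the password itself is never written anywhere."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    name: str
    salt: bytes
    digest: bytes
    failures: int = 0                  # consecutive failed attempts
    locked: bool = False               # set at MAX_FAILURES; cleared only by an administrator
    not_before: float = 0.0            # earliest time at which the next attempt is evaluated
    last_login: tuple[float, str] | None = None      # (time, origin) of the latest success
    previous_login: tuple[float, str] | None = None  # shown to the user after a login


class Authenticator:
    def __init__(self, clock=time.time):
        self.accounts: dict[str, Account] = {}
        self.clock = clock        # injectable so the delay logic can be tested without sleeping

    def add_user(self, name: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[name] = Account(name, salt, digest)

    def unlock(self, name: str) -> None:
        """Administrative reset after the cause of the lockout has been examined."""
        acct = self.accounts[name]
        acct.locked, acct.failures, acct.not_before = False, 0, 0.0

    def login(self, name: str, password: str, origin: str) -> str:
        """Return one of 'ok', 'denied', 'delayed' or 'locked'."""
        now = self.clock()
        acct = self.accounts.get(name)
        if acct is None:
            hash_password(password, DUMMY_SALT)   # same cost as a real check: no user-name oracle
            return "denied"
        if acct.locked:
            return "locked"
        if now < acct.not_before:
            return "delayed"                      # not even evaluated while the delay is running
        _, candidate = hash_password(password, acct.salt)
        # The complete entered value is compared in constant time; no partial verdicts leak
        if hmac.compare_digest(candidate, acct.digest):
            acct.failures, acct.not_before = 0, 0.0
            acct.previous_login = acct.last_login
            acct.last_login = (now, origin)
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            return "locked"
        acct.not_before = now + BASE_DELAY_SECONDS * 2 ** (acct.failures - 1)
        return "denied"
```

After a successful login the caller displays `previous_login` (time and origin of the last successful access) to the user; a lockout is cleared only through `unlock`, i.e. by an administrator, not by waiting.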
User data administration
The IT system should make it possible to assign different default settings to the users, and to display and change these settings. The ability to modify user data must be limited to the authorised administrator. If user data is administered over a communication connection, that connection must be adequately protected cryptographically (encrypted and authenticated).
Defining user entries
The IT system must allow the implementation of the security policy, ensuring that the corresponding security settings can be selected for each user.
It should also be possible to extend an authentication procedure, e.g. by the support of strong authentication techniques such as the use of tokens or chip cards (see also S 5.34 Use of one-time passwords).
Scope of user data
In addition to the user names and rights profile, additional information on each user should be stored (see also S 2.30 Provisions governing the configuration of users / user groups):
- At least the user's first name and surname should be recorded in the user administration.
- To be able to contact the user, further details such as e-mail address, telephone number and location (address, room number) should also be recorded.
- Moreover, it should be documented for which period of time the user ID should be valid. If the user ID has expired, it should be blocked.
Password quality
When passwords are to be used for authentication, the IT system should offer mechanisms meeting the following requirements (see S 2.11 Provisions governing the use of passwords):
- It is ensured that each user uses individual passwords (and can also select them themselves).
- It is checked that all passwords comply with the defined specifications (for example, minimum length, no trivial passwords). The examination of the password quality should be individually adjustable. For example, it should be possible to specify that the passwords must at least contain a special character or that certain character combinations are prohibited.
- The IT system is able to generate passwords complying with the defined specifications and to offer them to the user.
- The system should trigger a password change regularly. It should be possible to adjust the service life of a password.
- The use of old passwords when changing the password should be prevented by the IT system (password history).
- The password should not be displayed on the screen when it is entered.
- After the installation and/or new setup of user accounts, the password system should force a password change after the user has logged in for the first time.
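The following is an added example, not part of the safeguard, showing the password-quality requirements above as a configurable policy: individually adjustable checks (minimum length, a required special character, prohibited character sequences, no user name in the password), a password history that is kept as salted hashes rather than as the old passwords themselves, a maximum lifetime that triggers a change, a forced change after account setup, and generation of policy-conforming passwords to offer to the user. All limits, the list of prohibited sequences and the names in the code are assumptions.

```python
"""Password quality, history and expiry checks as a configurable policy.

Added example, not part of the original safeguard. The limits, the list of
forbidden sequences and the hash work factor are assumed values.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass, field

HISTORY_HASH_ITERATIONS = 100_000   # kept low for the example


@dataclass
class PasswordPolicy:
    min_length: int = 12
    require_special: bool = True
    forbidden_sequences: tuple[str, ...] = ("password", "1234", "qwerty")  # assumed list
    history_size: int = 5          # number of previous passwords that may not be reused
    max_age_days: int = 180        # lifetime after which a change is triggered


@dataclass
class UserPasswordState:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list[bytes] = field(default_factory=list)   # salted hashes, never the passwords
    set_on_day: int = 0
    must_change: bool = True       # a freshly created account must replace its initial password


def _history_hash(password: str, salt: bytes) -> bytes:
    # One salt per user so old passwords can be compared without storing them
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, HISTORY_HASH_ITERATIONS)


def check_quality(policy: PasswordPolicy, password: str, username: str) -> list[str]:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_special and not any(c in string.punctuation for c in password):
        problems.append("contains no special character")
    lowered = password.lower()
    for seq in policy.forbidden_sequences:
        if seq in lowered:
            problems.append(f"contains forbidden sequence {seq!r}")
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    return problems


def change_password(policy: PasswordPolicy, state: UserPasswordState,
                    username: str, new_password: str, today: int) -> list[str]:
    """Apply quality and history rules; on success record the new password's hash."""
    problems = check_quality(policy, new_password, username)
    digest = _history_hash(new_password, state.salt)
    if any(hmac.compare_digest(digest, old) for old in state.history):
        problems.append("password was used before")
    if problems:
        return problems
    state.history = (state.history + [digest])[-policy.history_size:]
    state.set_on_day = today
    state.must_change = False
    return []


def change_required(policy: PasswordPolicy, state: UserPasswordState, today: int) -> bool:
    """True after initial setup and once the password has reached its maximum age."""
    return state.must_change or today - state.set_on_day >= policy.max_age_days


def generate_password(policy: PasswordPolicy, length: int = 16) -> str:
    """Offer the user a random password that itself satisfies the policy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    n = max(length, policy.min_length)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(n))
        if not check_quality(policy, candidate, ""):
            return candidate
```

The history keeps only salted hashes, so a compromise of the user database does not reveal earlier passwords; the most recent entry in the history is the current password, which is why a repeat of the current value is also rejected. The hash used for the actual login check is a separate matter and is not part of this block.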
Biometrics
In this document, biometrics refers to the automated recognition and identification of persons on the basis of their physical or behavioural characteristics. Using biometric procedures for authentication requires additional peripheral devices by means of which users can be unambiguously authenticated on the basis of particular characteristics. Characteristics that can be used for authentication include, for example:
- iris
- fingerprint
- facial proportions
- voice and speech characteristics
- handwriting
- keyboard typing patterns
Besides the large number of biometric characteristics and the procedures based on them, the specific biometric systems and products available also differ greatly, in particular in their recognition performance. When biometric verification systems are used in security-critical areas, it must be ensured that they offer an acceptable recognition capability and a high level of security. In particular, it must not be possible to deceive the system with replicas (e.g. a face mask, a wax copy of a finger, contact lenses printed with an iris pattern).
Authentication using tokens
Another option is authentication tokens, i.e. portable data carriers that serve as secure storage for the information required for authentication, such as cryptographic keys. Typical examples of authentication tokens are chip cards, USB tokens and calculator-like devices that generate one-time passwords.
Requirements for user authentication mechanisms
Before any other user transaction, the IT system must verify the user's identity. In addition, the IT system should detect the replay of previously used authentication data and prevent falsified or copied authentication data from being introduced. The IT system may only evaluate authentication data after it has been entered completely, so that no partial result (for example that the first characters were correct) is revealed.
It should be possible to configure individually for each user when and from where they may access the IT system.
Logging the authentication mechanisms
Authentication processes must be logged to an appropriate extent, and the log files should be checked by the administrators at regular intervals. The IT system must be able to log at least the following events:
- switching the logging on and off
- any attempt to access the mechanisms for managing authentication data
- successful accesses to authentication data
- any attempt to access user authentication data without authorisation
- any attempt to access the functions for administering user entries
- changes to user entries
- every password quality check carried out
- every use of the authentication mechanisms
- any change to the configuration of the authentication mechanisms for specific authentication events
- the installation of authentication mechanisms.
Each log entry should contain the date, the time, the type of event, the designation of the subject, and whether the action succeeded or failed.
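As an added example that is not part of the safeguard, the following script carries out the regular review of authentication logs described above over a constructed sample log whose entries carry the fields just listed: date, time, type of event, subject and outcome. It flags clustered login failures, any access to authentication data, and periods during which logging was switched off, since nothing that happened in those periods is recorded. The line format, the event names, the thresholds and the sample entries are all assumptions made for this example.

```python
"""Review of authentication log entries of the kind this safeguard requires.

Added example, not part of the original safeguard. The line format
(date, time, event type, subject, outcome) and the thresholds are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log, one entry per line: date time EVENT subject OUTCOME
SAMPLE_LOG = """\
2024-03-04 08:01:12 LOGIN alice SUCCESS
2024-03-04 08:02:30 LOGIN mallory FAILURE
2024-03-04 08:02:35 LOGIN mallory FAILURE
2024-03-04 08:02:41 LOGIN mallory FAILURE
2024-03-04 08:03:02 LOGIN mallory FAILURE
2024-03-04 08:10:00 AUTHDATA_ACCESS mallory FAILURE
2024-03-04 08:15:45 LOGGING_OFF root SUCCESS
2024-03-04 09:00:00 LOGGING_ON root SUCCESS
2024-03-04 09:01:10 USER_ENTRY_CHANGE root SUCCESS
2024-03-04 09:05:00 PASSWORD_QUALITY_CHECK alice FAILURE
"""


@dataclass(frozen=True)
class LogEntry:
    when: datetime
    event: str
    subject: str
    success: bool


def parse_log(text: str) -> list[LogEntry]:
    """Parse the five-field format; malformed lines are rejected rather than skipped,
    because a line the reviewer cannot read may itself be evidence of tampering."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}")
        date, clock, event, subject, outcome = parts
        if outcome not in ("SUCCESS", "FAILURE"):
            raise ValueError(f"line {lineno}: unknown outcome {outcome!r}")
        entries.append(LogEntry(datetime.fromisoformat(f"{date} {clock}"),
                                event, subject, outcome == "SUCCESS"))
    return entries


def review(entries: list[LogEntry], max_failures: int = 3,
           window_seconds: int = 300) -> list[str]:
    """Return the findings an administrator should look at during a periodic review."""
    findings = []

    # Repeated failed logins by the same subject inside a sliding time window
    failures: dict[str, list[datetime]] = defaultdict(list)
    for e in entries:
        if e.event == "LOGIN" and not e.success:
            failures[e.subject].append(e.when)
    for subject, times in failures.items():
        times.sort()
        for i in range(len(times) - max_failures + 1):
            span = (times[i + max_failures - 1] - times[i]).total_seconds()
            if span <= window_seconds:
                findings.append(f"{subject}: {max_failures} or more failed logins "
                                f"within {window_seconds} s")
                break

    # Every access to authentication data, successful or not, deserves a look
    for e in entries:
        if e.event == "AUTHDATA_ACCESS":
            outcome = "succeeded" if e.success else "failed"
            findings.append(f"{e.subject}: access to authentication data {outcome} at {e.when}")

    # Periods with logging switched off: whatever happened in them is unrecorded
    off_since = None
    for e in entries:
        if e.event == "LOGGING_OFF" and e.success:
            off_since = e.when
        elif e.event == "LOGGING_ON" and e.success and off_since is not None:
            gap = int((e.when - off_since).total_seconds())
            findings.append(f"{e.subject}: logging switched off for {gap} s "
                            f"from {off_since} to {e.when}")
            off_since = None
    if off_since is not None:
        findings.append(f"logging switched off at {off_since} and not switched back on")

    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(finding)
```

The review deliberately reports every access to authentication data, not only failed ones: a successful read of the password file by an administrator is exactly the kind of event the list above says must be logged and therefore checked.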
Review questions:
- Is it ensured that any further interactions with the system or the application are only possible following successful identification and authentication?
- Are identification and authentication mechanisms used that meet the protection requirements?
- Can authentication data for users only be created and/or changed by authorised administrators?
- Is authentication data protected by the IT system at all times during processing against disclosure, modification and destruction?
- Can the authentication mechanisms used terminate login procedures after a specified number of unsuccessful attempts has been reached?
- Are expired user IDs blocked automatically?
- Are authentication procedures logged to an extent appropriate for the organisation?