# Authentication Policy (Comprehensive, EU‑Aligned) **Document owner:** [Owner/Role] **Approved by:** [Steering Committee / CISO] **Effective date:** [YYYY-MM-DD] **Review cadence:** [Annually] --- ## 1. Purpose & Scope This policy establishes mandatory requirements for authentication across [Organization] systems, including: - Passwords and memorized secrets - Multi‑factor authentication (MFA) - Authenticator Assurance Levels (AALs) - Out‑of‑band (OOB) authentication - Central vs. local authentication - Special cases (BitLocker, local admin accounts, device/smart‑card/mobile PINs) - Session management and reauthentication It is aligned with **NIST SP 800‑63B** (as best practice), **CIS Controls v8.1**, and **ENISA guidance**. It applies to all employees, contractors, vendors, and service accounts. This policy supports GDPR principles of **data protection by design** and **accountability**. --- ## 2. Policy Statements ### 2.1 Assurance Levels - [Organization] **shall** align with Authenticator Assurance Levels (AALs): - **AAL1:** Single‑factor authentication. Permitted only for low‑sensitivity internal apps or offline scenarios. - **AAL2:** Multi‑factor authentication combining two categories (e.g., password + OTP app, push, QR code OOB). Required for employee logins, SaaS, and external‑facing systems. - **AAL3:** High‑assurance, hardware‑backed MFA (e.g., FIDO2, smartcards). Required for privileged/admin access, production, and regulated data systems. ### 2.2 Memorized Secrets (Passwords) - **Length:** - **15+ characters** when used as a single factor. - **8+ characters** when used only in combination with MFA. - Systems **must** allow at least **64 characters**, accept **spaces/Unicode**, and **must not truncate** entered secrets. - **Composition:** No mandatory composition rules (no required mixes of upper/lower/digit/symbol). - **Screening:** New/changed passwords **must** be screened against **blocklists** of commonly used, expected, or **compromised** passwords (including organization‑specific terms). - **Expiration:** **No periodic expiration**. Change **only** upon suspected compromise or policy breach. - **Usability:** **Allow paste/autofill** and provide a **“show password”** option. **No password hints** and **no knowledge‑based questions (KBA)**. - **Reuse:** Password **must not** match the user’s current or any **of the last 5** passwords (where technically supported). - **Rate limiting:** Verifiers **must** throttle online guessing (progressive delays; avoid permanent lockout DoS). - **Storage:** Store only **salted, hashed** verifiers using **Argon2id (preferred)**, **bcrypt**, or **PBKDF2** with strong parameters; per‑credential unique salt; optional server‑side **pepper** protected separately. - **Transport:** Collect and transmit passwords only over **authenticated, encrypted channels** (TLS 1.2+). - **Managers:** Users **should** use an approved **password manager** to generate/store unique passwords. ### 2.3 Activation Secrets (Local Unlock PINs/Biometrics) - **Definition:** An **activation secret** (e.g., device PIN, Windows Hello PIN, smart‑card PIN, FIDO2 PIN) is used **only to unlock a local authenticator/TPM/smart‑card**. It is **not transmitted** to a server and is **not** a password. - **Requirements:** Activation secrets **shall** remain on the device/token; **shall be ≥4 characters** and **should be ≥6**; online guesses **shall** be throttled/limited locally. - **Biometrics:** May be used **only** to unlock a device‑bound key and **must not** be the sole authenticator. ### 2.4 Acceptable Authenticators - **Allowed:** FIDO2/WebAuthn keys; smartcards with PIN; authenticator apps (TOTP, push, **QR‑code sign‑in**); device‑bound biometrics (unlock only). - **Fallback only:** SMS/voice OTPs. - **Prohibited:** Email OTP; KBA/security questions. ### 2.5 Out‑of‑Band (OOB) Methods - OOB authenticators **must** use **encrypted, device‑bound** channels (e.g., push or QR‑code flows) and **must** implement rate‑limiting. - **SMS/voice/email** **must not** be used as **primary** MFA. SMS/voice may be used **only** as recovery with risk acceptance. ### 2.6 Central vs. Local Authentication - **Central IdP/SSO** **must** be the default for enterprise access. - **Local authentication** (device‑only) may be used for **pre‑boot**, **offline**, or **recovery**, but **must** meet the applicable AAL and other requirements in this policy. ### 2.7 BitLocker Pre‑Boot Authentication - **TPM only:** AAL1; not acceptable for sensitive systems. - **PIN only (no TPM):** AAL1; acceptable only with compensating controls. - **TPM + PIN:** AAL2; recommended baseline for enterprise laptops. - **TPM + PIN + post‑boot FIDO2/smart‑card MFA:** Meets AAL3 for administrative systems. ### 2.8 Local Administrator Accounts - Local admin accounts **must not** share passwords across devices. - **LAPS or equivalent** **must** randomize and rotate local admin passwords. - Local admin accounts **must not** be used for daily administration; use **central privileged accounts with MFA** (AAL2/AAL3). ### 2.9 Reauthentication & Session Management - **AAL1:** Reauthentication **≤ 30 days**. - **AAL2:** Reauthentication **≤ 24 hours**, inactivity timeout **≤ 1 hour**. - **AAL3:** Reauthentication **≤ 12 hours**, inactivity timeout **≤ 15 minutes**. ### 2.10 Enforcement - Violations **may** result in disciplinary action or revocation of access. - Non‑compliant systems **must** be remediated or formally excepted with CISO approval. --- ## 3. References - NIST SP 800‑63B (Digital Identity Guidelines, 2023 update) - CIS Controls v8.1 (Controls 5 & 6) - ENISA Guidelines on Identity and Access Management - OWASP Authentication Cheat Sheet