Authentication & Authorization

Authentication and authorization are fundamental security controls that determine who can access a system and what actions they can perform. This document outlines the requirements and standards for implementing robust authentication and authorization as part of the Definition of Done.

Purpose

The purpose of these authentication and authorization requirements is to:

• Verify the identity of users and systems accessing our applications
• Control access to resources based on verified identities
• Implement the principle of least privilege
• Protect sensitive functionality and data from unauthorized access
• Provide a consistent authentication and authorization approach across our applications

Authentication Requirements

Identity Verification

• User identities must be verified through strong authentication methods
• Multiple authentication factors should be used for sensitive systems or operations
• Authentication credentials must be protected in transit and at rest
• Account creation and verification processes must include identity validation steps
• User identities must be unique within the system

Password Requirements

• Minimum password length of 12 characters
• Password complexity requirements must be enforced
• Password history policies must prevent reuse of recent passwords
• Secure password reset procedures must be implemented
• Default passwords must be changed upon first use
• Passwords must be securely hashed using strong algorithms (e.g., bcrypt, Argon2)
• Plain text passwords must never be stored or transmitted

Multi-Factor Authentication (MFA)

• MFA must be available for all user accounts
• MFA must be mandatory for administrative accounts and users with elevated privileges
• MFA must be mandatory for accessing sensitive data or performing critical operations
• Multiple MFA options should be available (e.g., app-based tokens, hardware tokens, SMS)
• MFA implementation must follow industry best practices and standards

Session Management

• Session identifiers must be randomly generated and unique
• Session timeouts must be implemented (idle and absolute)
• Sessions must be invalidated on logout
• Sessions must be regenerated after authentication
• Session data must be securely stored
• Concurrent session controls should be implemented as appropriate

Authentication Failure Handling

• Account lockout mechanisms must be implemented
• Temporary lockouts should be used after multiple failed attempts
• Failed authentication attempts must be logged
• Clear error messages must be provided without revealing sensitive information
• Notification of suspicious authentication activity

Authorization Requirements

Access Control Models

• Role-Based Access Control (RBAC) should be implemented for most applications
• Attribute-Based Access Control (ABAC) should be considered for complex permissions
• Mandatory Access Control (MAC) may be required for highly secure systems
• The chosen access control model must be consistently applied

Principle of Least Privilege

• Users must be granted the minimum privileges necessary for their role
• Default access should be "deny all"
• Temporary privilege elevation should be used when needed (just-in-time access)
• Privilege separation should be implemented for critical operations
• Regular privilege reviews must be conducted

Authorization Checks

• Authorization checks must be performed at the resource level
• Authorization must be verified for every request
• Authorization checks must be enforced on the server side
• User interfaces should adapt based on authorization (hiding unavailable options)
• Direct object reference protection must be implemented
• Authorization bypass attempts must be logged and monitored

Administrative Access

• Administrative access must be strictly controlled
• Separate accounts should be used for administrative vs. regular activities
• Administrative actions must be logged and auditable
• Emergency access procedures must be defined and controlled
• Privileged access management solutions should be used for sensitive environments

Identity and Access Management (IAM)

Centralized Authentication

• Authentication should be centralized when possible
• Single Sign-On (SSO) should be implemented across applications
• Identity provider integrations should follow security best practices
• Federation standards (SAML, OAuth, OpenID Connect) should be used correctly

User Lifecycle Management

• Comprehensive processes for user onboarding, changes, and offboarding
• Regular access reviews and certifications
• Automated deprovisioning when users leave or change roles
• Self-service capabilities for non-sensitive operations
• Segregation of duties in IAM administration

Authorization Governance

• Clear ownership of authorization policies
• Documented approval processes for access changes
• Regular review and validation of authorization rules
• Automated testing of authorization controls
• Auditing and compliance reporting

Definition of Done Criteria

For authentication and authorization to meet the Definition of Done, the following criteria must be satisfied:

• Authentication mechanisms comply with defined requirements
• Authorization model is appropriate for the application's needs
• All resources are protected by proper authorization checks
• Authentication and authorization are tested thoroughly
• Privileged operations have additional security controls
• Authentication and authorization are centrally logged
• Access controls are documented and reviewed

References

• OWASP Authentication Cheat Sheet
• OWASP Authorization Cheat Sheet
• NIST Special Publication 800-63: Digital Identity Guidelines
• OAuth 2.0 Security Best Current Practice

Related Documents

• Security Standards
• Data Protection
• Secure Coding
• Security Testing