ISO 27001 A.8.5: Secure authentication
What This Control Requires
Secure authentication technologies and procedures shall be established and implemented based on information access restrictions and the topic-specific policy on access control.
In Plain Language
If your authentication is weak, nothing else in your security programme matters much. Attackers do not break down the door when they can just log in. Credential stuffing, phishing, brute force - these are the everyday tools, and your authentication setup is what stops them. Secure authentication goes well beyond usernames and passwords. You need multi-factor authentication, and the strength of that MFA should match the sensitivity of what is being accessed. Modern approaches include authenticator apps, hardware security keys, certificate-based auth, and passwordless methods. The control also covers the mechanics around authentication: how you handle failed login attempts, how sessions work, and how you log authentication events. Every part of the process needs to be designed to resist real-world attacks, not just theoretical ones.
How to Implement
Match authentication strength to risk level. Standard access might use strong passwords with SSO. Access to sensitive data should require MFA. Privileged access needs enhanced MFA with phishing-resistant methods. External-facing systems should always require MFA, no exceptions.
Roll out MFA across the organisation. Use authenticator apps (TOTP), push notifications with number matching (plain approve/deny prompts are vulnerable to prompt bombing), or FIDO2 hardware security keys as second factors. Avoid SMS-based MFA where possible because of SIM-swapping risk. Deploy MFA at the identity provider level so it covers all integrated applications automatically, and disable legacy authentication paths that bypass the identity provider, otherwise the MFA requirement is only nominal.
Use modern authentication protocols. Implement OpenID Connect (which layers authentication on top of OAuth 2.0) or SAML 2.0 for federated authentication; OAuth 2.0 on its own is an authorisation framework and does not authenticate users. Set up SSO to reduce password fatigue and centralise security. Make sure all authentication traffic runs over TLS 1.2 or later.
Configure sensible security controls around authentication. Slow attackers down with progressive delays after each failed attempt and lock the account after 5-10 consecutive failures, but remember that lockout can be turned against you: an attacker who knows usernames can lock legitimate users out, so pair it with per-source rate limiting or CAPTCHA rather than relying on lockout alone. Use generic error messages that do not reveal whether the username or password was wrong, and keep response times the same for unknown and known usernames. Log every authentication event - successful and failed - with timestamp, account, source address and outcome, enough to investigate incidents and to feed detection.
Get credential storage right. Hash passwords with bcrypt, scrypt, or Argon2 (Argon2id preferred) with a unique salt per password and a work factor tuned to your hardware; a fast general-purpose hash such as MD5 or SHA-256 on its own is not password hashing. Never store passwords in plain text or reversible encryption. Only transmit credentials over encrypted channels. Check new and changed passwords against known-breach databases to catch compromised credentials before attackers do, ideally through a k-anonymity range lookup so the full password hash never leaves your system.
Treat session handling as part of authentication: issue a fresh session identifier on login, expire sessions on inactivity, and invalidate them on logout and on password change.
Start planning for passwordless authentication. FIDO2/WebAuthn, certificate-based auth, and passkeys are phishing-resistant by design and improve the user experience. Deploy these for high-security access now and consider broader rollout as adoption matures.
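The following is an added example, not code from this page or from AuditFront, showing how the credential-storage, failed-attempt and logging points above fit together in one password-login step. It uses scrypt from the Python standard library (one of the algorithms listed above) with a unique salt per password, a constant-time comparison, a dummy hash so unknown usernames cost the same time as real ones, progressive delays, an account lockout after a threshold, a per-source rate limit, a single generic error message, and a structured log line per event. The threshold, delay schedule, rate-limit window, account names and addresses are assumptions for illustration, not values from the page.

```python
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable

# Policy values are assumptions for this example; take yours from the access control policy.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32
LOCKOUT_THRESHOLD = 5              # consecutive failures before the account is locked
LOCKOUT_SECONDS = 15 * 60          # lockout duration once the threshold is reached
IP_RATE_LIMIT = 20                 # failures per source address per window before throttling
IP_WINDOW_SECONDS = 60
GENERIC_ERROR = "Invalid username or password."   # never says which half was wrong
THROTTLED = "Too many attempts. Try again later."


def hash_password(password: str) -> str:
    """Salted scrypt hash stored with its parameters, so the work factor can be raised later."""
    salt = secrets.token_bytes(16)  # unique per credential, never a global salt
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    _, n, r, p, salt_hex, key_hex = stored.split("$")
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=len(key_hex) // 2)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


# Verified when the username is unknown, so unknown and known usernames take the same time.
_DUMMY_HASH = hash_password(secrets.token_hex(16))


@dataclass
class Account:
    username: str
    password_hash: str
    failed_attempts: int = 0
    not_before: float = 0.0        # next attempt is accepted at or after this time


@dataclass
class AuthService:
    accounts: dict                                 # username -> Account (a database in real life)
    clock: Callable[[], float] = time.time         # injectable so tests are deterministic
    events: list = field(default_factory=list)     # structured authentication events
    ip_failures: dict = field(default_factory=dict)

    def _log(self, username: str, source_ip: str, outcome: str, reason: str) -> None:
        # Who, from where, result and why: enough to investigate and to alert on. Ship to the SIEM.
        self.events.append(json.dumps({"ts": self.clock(), "event": "authn", "user": username,
                                       "src_ip": source_ip, "outcome": outcome, "reason": reason}))

    def _ip_throttled(self, source_ip: str) -> bool:
        now = self.clock()
        recent = [t for t in self.ip_failures.get(source_ip, []) if now - t < IP_WINDOW_SECONDS]
        self.ip_failures[source_ip] = recent
        return len(recent) >= IP_RATE_LIMIT

    def _fail(self, username: str, source_ip: str, reason: str, message: str, retry_after: float) -> dict:
        self._log(username, source_ip, "failure", reason)
        return {"ok": False, "message": message, "retry_after": retry_after}

    def login(self, username: str, password: str, source_ip: str) -> dict:
        """Password step only; a successful result must be followed by the MFA challenge."""
        now = self.clock()
        if self._ip_throttled(source_ip):          # per-source limit first: cheap, and not tied to one account
            return self._fail(username, source_ip, "ip_rate_limited", THROTTLED, IP_WINDOW_SECONDS)
        account = self.accounts.get(username)
        if account is not None and account.not_before > now:
            return self._fail(username, source_ip, "account_locked", GENERIC_ERROR, account.not_before - now)
        # Always run one full hash verification so response time does not reveal whether the user exists.
        valid = verify_password(password, account.password_hash if account else _DUMMY_HASH)
        if valid and account is not None:
            account.failed_attempts = 0
            self._log(username, source_ip, "success", "password_ok")
            return {"ok": True, "message": "Password accepted; MFA challenge required next.", "retry_after": 0}
        self.ip_failures.setdefault(source_ip, []).append(now)
        if account is None:
            return self._fail(username, source_ip, "unknown_user", GENERIC_ERROR, 0)
        account.failed_attempts += 1
        if account.failed_attempts >= LOCKOUT_THRESHOLD:
            account.not_before = now + LOCKOUT_SECONDS
            return self._fail(username, source_ip, "lockout_triggered", GENERIC_ERROR, LOCKOUT_SECONDS)
        delay = 2 ** (account.failed_attempts - 1)     # progressive delay: 1, 2, 4, 8 seconds
        account.not_before = now + delay
        return self._fail(username, source_ip, "bad_password", GENERIC_ERROR, delay)
```

Two design points worth noting. The caller sees the same generic message whether the username is unknown, the password is wrong or the account is locked; only the `retry_after` value (which would become a `Retry-After` header) differs, and the precise reason lives in the log line, which is where investigators need it. The lockout is per account while the throttle is per source address; either alone is weak, since the first can be abused to deny service to legitimate users and the second is trivially spread across addresses, so the two are applied together. In a real deployment the account and rate-limit state lives in a database or cache rather than in memory.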
Evidence Your Auditor Will Request
- Authentication policy defining requirements by system risk level
- MFA deployment records showing coverage across systems
- Authentication protocol configuration (SSO, OAuth, SAML)
- Account lockout and brute-force protection configuration
- Authentication event logging configuration and sample logs
Common Mistakes
- MFA is not deployed for all remote access and sensitive systems
- Weak password hashing algorithms are used for credential storage
- Account lockout policies are not configured or are too lenient
- Authentication events are not logged with sufficient detail
- SMS is used as the primary MFA method despite known vulnerabilities
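The last mistake above is SMS as the primary second factor; the authenticator-app alternative recommended under How to Implement is TOTP (RFC 6238). What follows is an added example, not code from this page or from AuditFront, of the server side of TOTP: HOTP per RFC 4226, the time-step counter per RFC 6238, and a verifier that tolerates one step of clock skew, compares in constant time, and refuses to accept a code for a time step at or before the last one already used, so a code captured in transit cannot be replayed within its 30-second window. The shared secret used in the comments is the reference secret from the RFC's published test data; the one-step skew window and the per-user last-used-step bookkeeping are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits, algo)


class TotpVerifier:
    """Server-side verification of authenticator-app codes for one enrolled user.

    Accepts codes from the previous, current and next time step (clock skew), compares in
    constant time, and never accepts a step at or before the last one already consumed,
    which is what stops a captured code from being replayed inside its validity window.
    """

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, skew: int = 1):
        padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)   # authenticator apps omit padding
        self.secret = base64.b32decode(padded)   # shared secret: keep it encrypted at rest
        self.step, self.digits, self.skew = step, digits, skew
        self.last_used_step = -1                 # persist this per user in a real deployment

    def verify(self, code: str, now: int) -> bool:
        if len(code) != self.digits or not code.isdigit():
            return False
        current = now // self.step
        for offset in range(-self.skew, self.skew + 1):
            step = current + offset
            if step <= self.last_used_step:
                continue                         # already consumed (replay) or older than a used one
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_used_step = step
                return True
        return False


# Constructed check against the RFC 6238 reference secret "12345678901234567890" (base32 below):
# at Unix time 59 the 8-digit SHA-1 code is 94287082, so the 6-digit code is 287082.
if __name__ == "__main__":
    v = TotpVerifier("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(v.verify("287082", 59), v.verify("287082", 59))   # first accepted, replay rejected
```

The replay check matters because TOTP codes are valid for a whole time step and the skew window widens that further; without it, anything that sees the code once (a phishing page, a compromised browser) can reuse it. Note also what this does not give you: a real-time phishing proxy can relay a TOTP code to the genuine site before it expires, which is why the implementation guidance above reserves phishing-resistant FIDO2/WebAuthn for privileged access rather than treating TOTP as equivalent.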
Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| SOC 2 | CC6.1 | Related |
| SOC 2 | CC6.6 | Equivalent |
| GDPR | Art.32 | Related |
| NIS2 | Art.21(2)(j) | Equivalent |
Frequently Asked Questions
Why is SMS-based MFA considered less secure?
What is passwordless authentication?
AuditFront helps you manage every ISO 27001 control, collect evidence, and stay audit-ready.