Enterprise authentication policy
Implementing effective authentication on smartphones, tablets, laptops and desktop PCs
Authentication is the process of verifying the identity of either a user or a device, before authorizing access to devices or services.
In each case, the authentication methods available will depend on what service is being accessed and from what type of device. Each authentication method will have its own strengths and weaknesses.
As an organization, it is important to implement authentication steps that balance both the usability and the security of your devices and services. This guidance will present a range of different use cases and the common authentication methods that are available, highlighting both the security benefits and security risks. This will help you to design and deploy an effective authentication policy for your organization’s mobile devices.
On mobile devices, user authentication is the main method for protecting against unauthorized access to devices and the data stored on them. It also plays an important part in protecting against unauthorized changes to device settings.
Given that most enterprise services will be accessed from mobile devices, it is important that:
The identity of the user of a mobile device be verified. This will ensure that only those people who are meant to have access are authorized.
If the service contains data you consider sensitive, the identity and health of a device should also be verified. This allows you to prevent devices that are not compliant with enterprise policy from accessing your services.
Attackers will always look to target weaknesses in authentication systems. Many common attacks look for simple ways to guess or steal user or device credentials.
With these credentials, attackers can impersonate valid users and devices, gaining access to data stored on devices and connecting remotely to enterprise services. They will also use this foothold to penetrate further into corporate networks.
Given these potential consequences, it should be clear that implementing effective authentication is essential for organizations wishing to protect against account, device or network compromise.
First and foremost, you need to consider the risks to the assets that you are trying to protect, the data they hold and the authentication use cases that you face. This information will allow you to formulate an appropriate policy for authenticating both users and devices, before granting access to systems and services.
For each authentication use case, you should consider both the usability and security of the available authentication methods.
The main use cases to consider are:
User to device - The user is only granted access to the device after successfully authenticating to it.
User to service - The user is only able to access enterprise services after successfully authenticating to the service, via their device.
Device to service - Only devices which can authenticate to the enterprise are granted access.
For each of the use cases above, when deciding on appropriate authentication mechanisms, it is important to consider which of the available authentication mechanisms are most appropriate to use, taking into account both security and usability.
In the case of user to device authentication, common methods of authentication include:
Authentication Method | Consideration |
---|---|
Passwords or PINs | On mobile devices, passwords or PINs are usually the primary method for user to device authentication. They can still be guessed or brute forced. However, most mobile devices protect them in two ways: the key that encrypts the device's data is derived in hardware-backed storage, so an attacker who extracts the storage cannot guess the PIN offline, and the device applies escalating delays after repeated wrong guesses (and can usually be configured to wipe after a set number of failures), limiting how many attempts an attacker can make on the device itself. |
Biometrics | Many mobile devices now also have biometric authentication features such as fingerprint and face recognition. These can offer convenient and secure alternatives to passwords. Biometrics can vary in the false positive and negative rates they produce, and in their ability to detect a spoofed biometric. |
In the case of user to service and device to service authentication, common authentication methods include:
Authentication Method | Consideration |
---|---|
Passwords | Still by far the most common method for user to service authentication, because passwords are easy to implement. They have major weaknesses: they can be guessed, phished, reused across services and replayed from breaches. |
Certificates | A certificate binds a public key to an identity and is signed by a certificate authority that the service trusts; the matching private key is held separately, ideally in hardware-protected storage on the device. Proving possession of the private key authenticates the device or the user to the service, so the strength of the credential rests on how well that private key is protected. |
FIDO2 authenticators | FIDO2 is a set of standards that provides cryptographic authentication using public key credentials and protocols, as a more secure alternative to passwords for accessing online services. Because the credential is bound to the origin of the service and each login signs a fresh challenge, it mitigates many of the security risks associated with passwords, including phishing, credential theft and replay attacks. |
The security of any authentication mechanism will depend on the specific implementation and combination of factors that are chosen.
In some scenarios, use of a single factor may be appropriate. For example, in the case of user to device authentication, use of a single factor to authenticate to the device may be enough when taking into account mitigations such as brute force protection or hardware protected storage, available on many of today’s mobile devices.
For service level authentication though, in cases where a single factor of authentication does not provide an appropriate level of security, multi-factor authentication (MFA) can significantly strengthen security…
Built-in device authentication mechanisms that integrate directly with your chosen identity provider can often provide the best balance of usability and security. They give you both passwordless and multi-factor authentication using public key credentials that are bound to the device. A good example is Windows Hello for Business. FIDO2 security keys may offer similar benefits where users have more than one device, but you will need to check that your devices and your identity provider support them.
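The origin and challenge binding that gives FIDO2 its resistance to phishing and replay (the FIDO2 table entry above, and the device-bound public key credentials just described) is easiest to see from what the relying party checks. The following Go program is an added example written for this page, not code from this guidance or from any FIDO2 product or identity provider. It simulates an authenticator holding a P-256 key (generated in software here; a real platform or roaming authenticator keeps it in hardware) and the relying party's verification of a WebAuthn assertion. The relying party name example.com, the origin https://login.example.com and the random challenge are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Assertion is what the browser returns from navigator.credentials.get(); clientData is the subset of its clientDataJSON used below.
type Assertion struct{ AuthenticatorData, ClientDataJSON, Signature []byte }
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator is a constructed stand-in for a platform or roaming authenticator: a P-256 key that never leaves it, plus a signature counter.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

func NewAuthenticator() *Authenticator {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // constructed example: nothing sensible to do without a key
	}
	return &Authenticator{priv: priv}
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Assert signs for the rpID and origin the browser passes in. The origin is filled in by the browser, not by the page, so a phishing site cannot lie about it.
func (a *Authenticator) Assert(rpID, origin string, challenge []byte) (Assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", // Marshal of a plain struct cannot fail
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	a.counter++
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(append([]byte{}, rpHash[:]...), 0x01, 0, 0, 0, 0) // flags byte: UP (user present)
	binary.BigEndian.PutUint32(authData[33:], a.counter)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, cd))
	return Assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}, err
}

// signedDigest is what the authenticator signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// VerifyAssertion runs the relying party's checks against the public key and last counter stored for this credential, returning the new counter to store.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, origin string, challenge []byte,
	lastCounter uint32, as Assertion) (uint32, error) {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return 0, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	switch {
	case cd.Type != "webauthn.get":
		return 0, errors.New("wrong client data type")
	case cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge): // replayed or foreign assertion
		return 0, errors.New("challenge mismatch")
	case cd.Origin != origin: // phishing: the browser recorded where the user really was
		return 0, fmt.Errorf("origin %q is not %q", cd.Origin, origin)
	case len(as.AuthenticatorData) < 37:
		return 0, errors.New("authenticator data too short")
	case !bytes.Equal(as.AuthenticatorData[:32], rpHash[:]):
		return 0, errors.New("rpIdHash mismatch")
	case as.AuthenticatorData[32]&0x01 == 0:
		return 0, errors.New("user presence flag not set")
	case !ecdsa.VerifyASN1(pub, signedDigest(as.AuthenticatorData, as.ClientDataJSON), as.Signature):
		return 0, errors.New("signature does not verify")
	}
	counter := binary.BigEndian.Uint32(as.AuthenticatorData[33:37])
	if counter <= lastCounter { // cloned credential, or the same assertion presented twice
		return 0, errors.New("signature counter did not increase")
	}
	return counter, nil
}

func main() {
	auth := NewAuthenticator()
	challenge := make([]byte, 32) // the relying party issues a fresh one per login
	rand.Read(challenge)
	as, _ := auth.Assert("example.com", "https://login.example.com", challenge)
	fmt.Println(VerifyAssertion(auth.PublicKey(), "example.com", "https://login.example.com", challenge, 0, as))
}
```

The relying party never sees a password and nothing reusable crosses the network: a phishing page, even one proxying the genuine challenge, gets a signature whose clientDataJSON names the phishing origin, and an assertion captured from one login fails both the challenge check and the counter check when presented again. A real browser additionally refuses to use an example.com credential from another origin; the relying party's own checks are the backstop and must not be skipped.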
Some enterprise authentication services can also be integrated with mobile device management (MDM) to factor in environmental factors such as network location, device compliance, and device health attestation, before granting access to enterprise services. This type of conditional access can be extremely useful in zero-trust network architectures or bring your own device (BYOD) scenarios.
Enterprise single sign on lets users sign in to online services using the single source of identity managed through your chosen identity provider. This can significantly improve the user experience by reducing the number of times authentication is required and reducing reliance on passwords. It also makes managing joiners, movers and leavers much simpler and less error prone.
In addition to authentication mechanisms, appropriate logging should be in place so that authentication and access to devices and services can be monitored. Attacks on authentication systems are amongst the most prevalent you will face, so capturing these events in your audit logs, and looking in them for patterns such as a run of failures followed by a success or a single source failing against many accounts, is a highly effective way of detecting potential issues.
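An added example of the monitoring the paragraph above calls for, written for this page rather than taken from the guidance or from any product: a Go program that reads a batch of authentication log lines and flags three patterns, a password spray (one source, many accounts, few attempts each), a brute force against one account, and a success that follows a run of failures. The line format, the thresholds, the usernames and the TEST-NET addresses in the embedded sample are all constructed for the example; map your identity provider's or VPN gateway's export format onto the regular expression.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Detection thresholds; tune them to your environment.
const (
	sprayAccounts   = 5 // distinct accounts failing from one source
	sprayPerAccount = 2 // max failures per account that still looks like a spray
	bruteFailures   = 5 // failures against one account from one source
)

// Finding is one alert; User is empty for a spray, which targets many accounts.
type Finding struct {
	Kind   string // "brute_force", "password_spray" or "success_after_failures"
	Source string
	User   string
	Count  int
}

// lineRE matches the constructed line format used here, e.g.
// "2024-05-03T09:00:01Z result=failure user=alice src=203.0.113.7 service=sso".
// Adapt it to your identity provider's or VPN gateway's export format.
var lineRE = regexp.MustCompile(`^\S+ result=(\w+) user=(\S+) src=(\S+)`)

// AnalyseLog runs three detections over one batch of lines (say, the last hour's).
// Lines are taken in the order given, which identity-provider exports normally keep
// chronological; sort them by timestamp first if yours do not.
func AnalyseLog(text string) ([]Finding, error) {
	type pair struct{ src, user string }
	failures := map[pair]int{}
	var findings []Finding
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		m := lineRE.FindStringSubmatch(line)
		if m == nil {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		p := pair{m[3], m[2]}
		switch {
		case m[1] == "failure":
			failures[p]++
		case m[1] == "success" && failures[p] >= bruteFailures:
			// The event most worth an analyst's time: a password may just have been guessed.
			findings = append(findings, Finding{"success_after_failures", p.src, p.user, failures[p]})
		}
	}
	distinct, maxPer := map[string]int{}, map[string]int{}
	for p, n := range failures {
		distinct[p.src]++
		if n > maxPer[p.src] {
			maxPer[p.src] = n
		}
		if n >= bruteFailures {
			findings = append(findings, Finding{"brute_force", p.src, p.user, n})
		}
	}
	// Spray: many accounts, few tries each, deliberately staying under per-account lockout thresholds.
	for src, n := range distinct {
		if n >= sprayAccounts && maxPer[src] <= sprayPerAccount {
			findings = append(findings, Finding{"password_spray", src, "", n})
		}
	}
	sort.Slice(findings, func(i, j int) bool { // deterministic order: kind, source, user
		return findings[i].Kind+findings[i].Source+findings[i].User < findings[j].Kind+findings[j].Source+findings[j].User
	})
	return findings, nil
}

// sampleLog is constructed for this example (TEST-NET addresses, invented accounts).
const sampleLog = `
2024-05-03T09:00:01Z result=failure user=alice src=203.0.113.7 service=sso
2024-05-03T09:00:02Z result=failure user=bob src=203.0.113.7 service=sso
2024-05-03T09:00:03Z result=failure user=carol src=203.0.113.7 service=sso
2024-05-03T09:00:04Z result=failure user=dave src=203.0.113.7 service=sso
2024-05-03T09:00:05Z result=failure user=erin src=203.0.113.7 service=sso
2024-05-03T09:05:00Z result=failure user=admin src=198.51.100.5 service=vpn
2024-05-03T09:05:01Z result=failure user=admin src=198.51.100.5 service=vpn
2024-05-03T09:05:02Z result=failure user=admin src=198.51.100.5 service=vpn
2024-05-03T09:05:03Z result=failure user=admin src=198.51.100.5 service=vpn
2024-05-03T09:05:04Z result=failure user=admin src=198.51.100.5 service=vpn
2024-05-03T09:05:05Z result=success user=admin src=198.51.100.5 service=vpn
2024-05-03T09:10:00Z result=failure user=alice src=192.0.2.10 service=sso
2024-05-03T09:10:05Z result=success user=alice src=192.0.2.10 service=sso
`

func main() {
	fmt.Println(AnalyseLog(sampleLog))
}
```

A spray is the pattern a per-account lockout never catches, which is why the detection keys on the source rather than the account; conversely, a single mistyped password from a known address (alice from 192.0.2.10 in the sample) produces no alert. The success-after-failures finding is the one to triage first, since it means a credential may already be in an attacker's hands.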
When designing and implementing enterprise authentication, you should:
Choose an enterprise identity provider that supports multi-factor authentication for both users and the devices your organization uses. Configure your online services to use single sign on authentication using your identity provider.
Choose authentication factors that maximise usability and provide appropriate security, based on the considerations above, and when selecting mobile devices for your organization make sure they support those factors.
Provide clear authentication policies and guidance for users.
Implement pragmatic user to device authentication policies, including the use of biometrics and usable password policies.
Where possible, reduce reliance on passwords and implement passwordless authentication, such as Windows Hello for Business.
Where passwords are required for access to services, encourage use of password managers.
For device to service authentication, deploy mechanisms that use hardware-protected public key credentials uniquely bound to the device. Where possible, combine this with other context (for example, on Windows you can use network location, device compliance and device health attestation). This is discussed more in the zero trust networking guidance.
Deploy enterprise single sign on for access to services. Combine this with strong user and device authentication, using multi-factor authentication or conditional access.
Implement appropriate logging and monitoring of authentication successes and failures.