UnixTime

Research Note

ISO 27001 A.8.5 - Secure Authentication

Authentication is the point where a system tests whether the person, service, or device claiming an identity should be accepted. Secure authentication means the logon process do...

On this page

Requirement

Requirement lens

This control asks whether authentication technology and procedures are secure enough for the access restrictions and access control policy.

“Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control.”

Plain-language meaning

Authentication is the point where a system tests whether the person, service, or device claiming an identity should be accepted. Secure authentication means the logon process does not leak unnecessary information, resists guessing and brute-force attempts, uses appropriate factors, and matches the risk of the information being accessed.

This control is related to A.5.17 Authentication Information, but it is not the same. A.5.17 focuses on handling secrets such as passwords and tokens. A.8.5 focuses on the actual authentication mechanism and procedure.

Why this matters

Weak authentication lets attackers turn guessed, stolen, reused, or phished credentials into system access. Poor error messages, no lockout, no delay, visible passwords, weak recovery flows, or repeated single-factor steps can all make unauthorized access easier.

High-risk systems usually need multi-factor authentication. Repeating the same type of factor, such as password plus PIN, is not true multi-factor authentication.

Implementation guidance

Implementer focus

Select authentication strength from risk. Sensitive information, privileged access, remote access, and high-impact systems normally need stronger authentication than low-risk internal systems.

1. Define authentication requirements by risk

Authentication requirements should consider:

  • classification and sensitivity of information;
  • access method, such as remote, local, API, privileged, or third party;
  • user role and privilege level;
  • business impact of unauthorized access;
  • regulatory or contractual requirements;
  • compensating controls where system features are limited.

2. Avoid information leakage during logon

Authentication screens and error messages should not reveal unnecessary details such as:

  • whether a user account exists;
  • operating system, service, or application version;
  • database or infrastructure details;
  • overly specific failure reasons useful to attackers.

3. Use proper multi-factor authentication where needed

Multi-factor authentication should combine different factor types:

Factor type Example
Something you know Password or passphrase
Something you have Hardware token, authenticator app, certificate
Something you are Biometric factor where appropriate

Two passwords, or a password plus another memorized PIN, are repeated single-factor authentication, not true MFA.

4. Configure secure authentication behavior

Secure authentication should include appropriate controls such as hidden password entry, lockout or throttling after failed attempts, recovery controls, logging, alerting, and session handling.

5. Use compensating controls where systems are limited

Some systems cannot provide strong authentication features. In those cases, the organization should document the limitation, assess the risk, and apply compensating controls such as network restriction, physical restriction, monitoring, delay controls, or additional gateway authentication.

Audit guidance

Auditor focus

Test whether authentication methods match risk, avoid unnecessary information disclosure, resist guessing, and use true multi-factor authentication where required.

Auditors should verify:

  • risk assessment for authentication methods;
  • authentication policy or standard;
  • MFA requirements and implementation;
  • failed logon handling;
  • lockout, delay, throttling, and recovery procedures;
  • password masking and secure input behavior;
  • error message content;
  • authentication logs and alerts;
  • compensating controls for systems with weak native authentication;
  • coverage across operating systems, applications, remote access, privileged access, and third-party access.

Evidence examples

Evidence quality

Strong evidence proves authentication strength is risk-based, technically configured, tested, and monitored.

Evidence What it proves
Authentication standard Rules are defined
Risk assessment Authentication strength is justified
MFA configuration report Different-factor MFA is implemented
Failed logon settings Guessing attempts are controlled
Error message review Logon process does not leak sensitive information
Authentication logs Activity is monitored
Exception/compensating control records Weak systems are risk-managed

Strong evidence

  • MFA is enabled for remote, privileged, and high-risk access where required.
  • Factors are genuinely different.
  • Failed attempts trigger delay, throttling, lockout, alerting, or other controls.
  • Error messages do not confirm account existence or reveal system detail.
  • Authentication limitations are documented with compensating controls.

Weak evidence

  • MFA is claimed but only repeats passwords/PINs.
  • Systems reveal whether usernames exist.
  • No lockout, throttling, or alerting exists for repeated failures.
  • Passwords are displayed or recoverable.
  • Legacy authentication weaknesses are accepted without documented risk treatment.

Common failures

Implementation watchouts

A.8.5 fails when authentication strength is chosen by default system capability instead of risk.

Failure Why it matters
Password-only access for high-risk systems Stolen credentials become full access
Repeated single-factor authentication Gives false assurance of MFA
Verbose logon errors Helps attackers enumerate accounts and systems
No failed-attempt controls Enables brute-force and guessing
Weak recovery flow Attackers bypass the main authentication path
No compensating controls for legacy systems Known weakness remains untreated

Exam traps

Exam focus

A.8.5 is about authentication technologies and procedures, not only passwords.

Trap Correct interpretation
Password plus PIN is MFA It is usually repeated single-factor authentication
Authentication errors should help users as much as possible They should not reveal unnecessary system or account information
MFA is required everywhere in the same way Authentication strength should be risk-based
If a system cannot support lockout, nothing can be done Compensating controls should be assessed and applied
A.8.5 is the same as A.5.17 A.5.17 handles authentication information; A.8.5 tests the authentication mechanism

KB-ready summary

Mentor takeaway

A.8.5 makes authentication strong enough for the access risk. Good evidence shows risk-based authentication, real MFA where needed, controlled failures, safe error messages, and compensating controls for weak systems.

  • Select authentication mechanisms based on risk and access restrictions.
  • Avoid logon messages that leak system or account information.
  • Use true MFA where risk requires it.
  • Control repeated failed attempts and recovery paths.
  • Document compensating controls for systems that cannot meet the standard.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Technological controls
  • Authentication
  • Access control
  • Audit

Note Metadata

Aliases: A.8.5, Secure Authentication

Source: 05 Annex A Technological Controls/A.8.5 Secure Authentication.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

11

links

01
02
03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.