UnixTime

Research Note

Authentication Mechanism Review Checklist

Use this checklist during design review, audit preparation, or system assessment to test whether authentication behavior is secure.

On this page

When to use this

Use this checklist during design review, audit preparation, or system assessment to test whether authentication behavior is secure.

Checklist

  • Authentication method is linked to risk assessment.
  • MFA is required for high-risk access where justified.
  • MFA factors are different types.
  • Password or secret entry is masked.
  • Failed attempts trigger lockout, delay, throttling, alert, or equivalent control.
  • Error messages do not reveal account existence or system internals.
  • Recovery process is controlled.
  • Authentication logs are retained and reviewed where required.
  • Legacy weaknesses have documented compensating controls.

Review table

System Access type Authentication method Risk level Gap Compensating control Owner
TBD TBD TBD Low/Medium/High TBD TBD TBD