UnixTime

Research Note

Secure Authentication Standard

Use this standard to define minimum authentication expectations for applications, operating systems, remote access, privileged access, and third-party access.

On this page

When to use this

Use this standard to define minimum authentication expectations for applications, operating systems, remote access, privileged access, and third-party access.

Authentication requirements

Access type Minimum authentication MFA required? Failed-attempt control Logging/alerting Exception allowed?
Remote access TBD Yes/No TBD TBD Yes/No
Privileged access TBD Yes/No TBD TBD Yes/No
Standard application access TBD Yes/No TBD TBD Yes/No
Third-party access TBD Yes/No TBD TBD Yes/No

Minimum checks

  • Authentication strength is risk-based.
  • MFA uses different factor types where required.
  • Logon errors do not reveal sensitive detail.
  • Failed attempts are controlled.
  • Recovery/reset flows are protected.
  • Exceptions have compensating controls.