Question: Is authentication and session management implemented using secure industry standards?
Objective — Why This Matters
Weak authentication enables credential stuffing and session hijacking. Building on standards such as OAuth 2.0 and OpenID Connect gives interoperable, well-reviewed auth flows instead of bespoke ones.
Maturity Levels (0 – 5)
Level 0 – Custom login forms without security review.
Level 1 – Basic username/password with weak policies.
Level 2 – Central auth service using industry protocols.
Level 3 – MFA enabled for admin and user accounts.
Level 4 – Session lifetime management and revocation API in place.
Level 5 – Adaptive authentication with risk-based controls.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Apply strong password policy and secure storage (Argon2id). |
| 1 → 2 | Implement OAuth 2.0 / OIDC for SSO. |
| 2 → 3 | Enable MFA and enforce it by policy. |
| 3 → 4 | Introduce session revocation and timeout policies. |
| 4 → 5 | Adopt adaptive auth based on behavior signals. |
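The Level 4 requirement (session lifetime management plus a revocation API) as an added example, not code from any tool named on this page: a hypothetical server-side session store that issues opaque random tokens, enforces both an idle timeout and an absolute lifetime, and lets an operator revoke one session or every session of a user. The timeout values and the injectable clock are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # assumed: expire after 15 min of inactivity
ABSOLUTE_LIFETIME = 8 * 3600  # assumed: hard cap of 8 h regardless of activity


@dataclass
class Session:
    user_id: str
    created: float
    last_seen: float
    revoked: bool = False


class SessionStore:
    """Hypothetical store mapping opaque tokens to server-side session records."""

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key
        self._clock = clock          # injectable so tests can simulate time passing
        self._sessions: dict[str, Session] = {}

    def _index(self, token: str) -> str:
        # Store sessions under an HMAC of the token, so a leaked store does not
        # hand out usable bearer tokens.
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()

    def create(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[self._index(token)] = Session(user_id, now, now)
        return token

    def validate(self, token: str):
        """Return the user id for a live session, or None if unknown/expired/revoked."""
        s = self._sessions.get(self._index(token))
        if s is None or s.revoked:
            return None
        now = self._clock()
        if now - s.created > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            s.revoked = True             # expired sessions are never resurrected
            return None
        s.last_seen = now                # sliding idle window
        return s.user_id

    def revoke_user(self, user_id: str) -> int:
        """Revocation API: terminate every live session of a user (e.g. on compromise)."""
        live = [s for s in self._sessions.values() if s.user_id == user_id and not s.revoked]
        for s in live:
            s.revoked = True
        return len(live)
```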
People / Process / Technology Enablers
People – Developers, IAM Admin.
Process – Auth design review, token lifetime management.
Technology – Keycloak, Auth0, FusionAuth.
Evidence Required
Auth configurations, MFA policy, revocation test results.
Metrics / KPIs
• Percentage of accounts with MFA enabled
• Number of auth failures detected per day
• Average time to revoke compromised sessions
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Identity Provider | Keycloak | Full-featured OSS auth and MFA. |
| Password Hashing | Argon2id / bcrypt | Secure storage algorithms. |
| Monitoring | Wazuh / Grafana | Track auth failures and alerts. |
Common Pitfalls
Using custom crypto for token handling; storing passwords in plaintext.
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO 27001 | A.5.15 / A.5.18. |
| NIST CSF 2.0 | PR.AC-1 / PR.AC-7. |
| CERT-In 2022 | MFA / 2FA mandates. |
| NIRMATA Scoring | AS-Q04 ≥ Level 4 requires session management and revocation. |