April 6, 2017 by AJ Kumar


Authentication is generally regarded as the first line of defense in software: it requires the end user to present a credential before the application can be used any further. Organizations should therefore build suitable authentication measures into their infrastructure from the ground up, in the form of policies, to protect software against illegitimate or unauthorized access that could eventually lead to the disclosure or misuse of the organization's crucial assets. As a rule of thumb, the stronger an organization's authentication system, the smaller the chance of illegal infiltration.

User Allotment

A new account request from an end user must be scrutinized thoroughly before a user account is allotted in the organization, and the request must be logged for the record. Managers must determine whether the requester is duly entitled to a new account.

Password Creation

Passwords are the largest subset of authentication policy. A password should look like part of a meaningless message or phrase and must be chosen very carefully: no dictionary words, date of birth, or name in any form. Rather, it should be a good alphanumeric combination 8-10 characters long and should be stored only in encoded form. It is also strongly recommended that passwords never be written down anywhere in physical form, so that they remain secret.

Access Privilege

Access privileges are provisioned to users, either by the organization or at the end user's request, according to their duties and responsibilities. It would be a mistake to grant an end user access to corporate data merely because they request elevated privileges for their own account. Higher management should therefore ensure that no privileges are assigned beyond what the person's designation requires.

Two-Factor Authentication

It is important that an organization never judges a user's entitlement by username and password alone. Instead, a two-factor authentication mechanism, which adds a token, PIN or OTP, should be employed to place an extra layer of defense on the server that holds critical information. This mechanism establishes the unique identity of an individual based on possession of a dongle, knowledge of a PIN, and so on.

Simultaneous Login

The administrator must prohibit more than one simultaneous login session on the server. Exceptions may be made in special cases, but each such request must be properly logged for the record. Accounts should be configured to disallow multiple login sessions for all users automatically.

Inactive Accounts

The administrator must set a policy for unused accounts: an account that has not been used for a specific period is disabled immediately, to reduce the risk of dormant accounts being exploited by unauthorized individuals. A legitimate user whose account is closed or disabled in this manner may have it reactivated by providing valid documents.

Unattended Session

A policy should automatically log off any open login session that is left unattended for a specific period, so that idle sessions do not become a means of gaining unsanctioned access.

Password Reset

When a user has forgotten their password, or cannot log in because their account has been deactivated and they immediately need a new password to continue, it must be ensured that the new password is created by the end user who owns the account, using two-factor authentication to confirm their identity.

Password Reuse

It is good practice to prevent reuse of the last three or more previously used passwords, which makes it harder for hackers to guess a password. Financial portals commonly enforce this policy.

Password Expiration

Hackers usually recover passwords by performing dictionary attacks or other password-cracking attacks with advanced tools that ship with a built-in list of passwords. They may not succeed at first, because your password is not on their list; sooner or later, however, they may crack it, because their guess lists are updated day by day. It is therefore strongly recommended to have a password usage policy that limits a password to a specific period, after which the system prompts the user to update it.
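The password creation, reuse and expiration rules above, as an added Python example that is not part of the original article: a policy checker that enforces the 8-10 character alphanumeric rule, rejects dictionary words, the user name and the date of birth, keeps salted hashes of the last three passwords to block reuse, and flags expiry. The wordlist is a constructed stand-in and the 90-day expiry period is an assumption, since the article names no figure.

```python
import hashlib, hmac, os

# Constructed wordlist for the dictionary check; a real deployment would load a full list.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein"}
MIN_LEN, MAX_LEN = 8, 10       # the article's 8-10 character rule
HISTORY_DEPTH = 3              # the article's "last three passwords" reuse rule
MAX_AGE = 90 * 24 * 3600       # assumed expiry period in seconds; the article names no figure

def check_password(candidate, username, dob):
    """Return the rule violations (empty list = acceptable); dob is an ISO date like "1990-05-17"."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append("length must be 8-10 characters")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("must mix letters and digits")
    low = candidate.lower()
    if any(word in low for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if username.lower() in low:
        problems.append("contains the user name")
    year, month, day = dob[0:4], dob[5:7], dob[8:10]
    if any(f in candidate for f in (year, day + month, month + day, day + month + year, year + month + day)):
        problems.append("contains the date of birth")
    return problems

def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256: only this digest is stored, never the password itself."""
    salt = os.urandom(16) if salt is None else salt
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def matches(stored, password):
    return hmac.compare_digest(stored, hash_password(password, stored[:16]))

class PasswordRecord:
    def __init__(self):
        self.history = []       # hashes, oldest first, current password last
        self.changed_at = None  # epoch seconds of the last successful change

    def set_password(self, new, username, dob, now):
        problems = check_password(new, username, dob)
        if any(matches(old, new) for old in self.history):
            problems.append("matches one of the last %d passwords" % HISTORY_DEPTH)
        if problems:
            return problems
        self.history = (self.history + [hash_password(new)])[-HISTORY_DEPTH:]
        self.changed_at = now
        return []

    def expired(self, now):  # True once the password is MAX_AGE old and a change must be prompted
        return self.changed_at is None or now - self.changed_at >= MAX_AGE
```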

Login Message

A login message reminds the user that the information stored on the computer is a company asset and stipulates that the end user must abide by company policy. The administrator must therefore require every computer that connects to the network to display such a message before it connects to the mainframe.

Failed Login

Login attempts to the server are typically logged by the administrator for detailed analysis of a security breach, and after a number of unsuccessful attempts the user is blocked for the day. A system account, in addition, must be disabled automatically to reduce the risk of unsolicited access. A legitimate user whose account is blocked in this manner may have it reactivated by showing valid proof of identity and job responsibility.
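The simultaneous login, inactive account, unattended session and failed login rules, as an added Python example that is not part of the original article: an Account class that locks a user out for the day after repeated failures, disables dormant accounts, logs off idle sessions, refuses a second simultaneous session unless an exception is granted and logged, and reactivates only after identity verification. The five-attempt threshold, 90-day dormancy period and 15-minute idle timeout are assumed values; the article gives none.

```python
MAX_FAILED = 5                   # assumed threshold; the article names no figure
LOCK_PERIOD = 24 * 3600          # the article's "blocked for the day"
DORMANT_AFTER = 90 * 24 * 3600   # assumed; the article says "a specific time"
IDLE_TIMEOUT = 15 * 60           # assumed; the article says "a specific period"

class Account:
    def __init__(self, name, created):
        self.name, self.disabled, self.failed, self.locked_until = name, False, 0, 0
        self.last_login, self.session = created, None  # dormancy clock; single permitted session
        self.audit = []            # (time, event) records; every decision is logged
    def log(self, now, event):
        self.audit.append((now, "%s: %s" % (self.name, event)))

    def login(self, password_ok, now, allow_second_session=False):
        if not self.disabled and now - self.last_login >= DORMANT_AFTER:
            self.disabled = True
            self.log(now, "disabled as dormant")
        if self.disabled:
            return False, "account disabled"
        if now < self.locked_until:
            return False, "locked after repeated failures"
        if self.locked_until:  # an earlier lock has expired: count failures afresh
            self.failed, self.locked_until = 0, 0
        if not password_ok:
            self.failed += 1
            self.log(now, "failed login %d" % self.failed)
            if self.failed >= MAX_FAILED:
                self.locked_until = now + LOCK_PERIOD
                self.log(now, "locked for the day")
            return False, "bad credentials"
        if self.session_active(now):
            if not allow_second_session:
                return False, "another session is already open"
            self.log(now, "second simultaneous session permitted by exception")
        self.failed, self.last_login, self.session = 0, now, now
        self.log(now, "login ok")
        return True, "ok"

    def session_active(self, now):  # an unattended session is logged off after IDLE_TIMEOUT
        if self.session is not None and now - self.session >= IDLE_TIMEOUT:
            self.log(now, "idle session logged off")
            self.session = None
        return self.session is not None

    def reactivate(self, now, identity_verified):  # administrator action after proof of identity
        if identity_verified:
            self.disabled, self.failed, self.locked_until, self.last_login = False, 0, 0, now
            self.log(now, "reactivated after identity check")
        return identity_verified
```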

Dormant Screen Lock

Computers that are typically left unattended must be set up to lock the screen with a password or passphrase after a specific period of inactivity, to avoid unsolicited access to the computer during the owner's absence.


This article has overviewed the essence and subsets of an authentication policy: the valid credentials of end users must be substantiated before they are granted access to a critical server. An organization should apply such a policy to properly validate the identity of both companies and end users and to protect vital resources from malicious hands.


AJ Kumar is a cyber security evangelist with a great passion for open source programming, IT security, bug detection, penetration testing, and assembly language on diverse platforms including Windows and Linux. He can be reached via ajkumarhv[at]gmail[dot]com.
