Secure authentication

The organization has predefined authentication methods that employees should prefer when using data systems.

When using cloud services, the user can often freely decide how he or she authenticates with the service. A single centralized authentication account (such as a Google or Microsoft 365 account) can help close a large number of access rights at once when the main user account that acts as the authentication method is closed.

Systems containing important information should be logged in using a multi-authentication logon, also known as either “two-factor”, “multi-factor” or “dual factor” authentication.

For example, when first logging in with a password, a one-time authentication code can also be sent to the user as a text message. In this case, he has been identified by two factors (knowing the password and owning the phone).

Biometric identifiers (eg fingerprint) and other devices can also be used for two-stage authentication. However, it is worth considering the costs and implications for privacy.

We use strong encryption during password transmission and storage in all services we develop.

The system or application login procedure should be designed to minimize the potential for unauthorized access.

The login process should therefore disclose as little information about the system or application as possible so as not to unnecessarily assist an unauthorized user. Criteria for a good login procedure include e.g.:

• logging in does not reveal the associated application until the connection is established
• the login does not display help or error messages that would assist an unauthorized user
• logging in will only validate the data once all the data has been entered
• login is prevented from using fatigue attacks
• login logs failed and successful login attempts
• suspicious login attempts are reported to the user
• passwords are not sent as plain text online
• the session does not continue forever after logging in