ISO/IEC 27001 Control 5.17: Authentication information
Control
Allocation and management of authentication information should be controlled by a management process, including advising personnel on the appropriate handling of authentication information.
Necessity of MidPoint
MidPoint is necessary to implement this control properly.
MidPoint features and capabilities are essential for efficient implementation of this control. While it is theoretically possible to implement this control without a comprehensive IGA platform in place, the implementation is likely to be inefficient, costly, slow and unreliable in the long run. MidPoint can make implementation of this control efficient and reliable.
Implementation Overview
MidPoint is designed to manage authentication information, especially passwords.
Implementation Details
MidPoint is built to distribute authentication information to target systems, making sure that the passwords are strong and up-to-date. The midPoint self-service user interface lets users manage their own authentication information, including an interactive indication of password strength. Password complexity and lifetime policies can be specified and enforced, and the same policies can be used to generate strong passwords. In the event of a password compromise, midPoint can be used to quickly change passwords or deactivate accounts on all connected systems. Reporting and dashboarding functionality can be used to identify users with the largest number of failed log-in attempts, users with expired passwords, and so on. Events related to changes of authentication information are recorded in the audit trail.
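As an added illustration of the complexity and lifetime policies described above (this is example configuration written for this page, not configuration taken from the midPoint project or its documentation), the fragment below shows a midPoint value policy defining password complexity rules and the password section of a security policy defining lifetime, history and lockout settings. It assumes the midPoint 4.x `valuePolicy` and `securityPolicy` schema; the object names and OIDs are placeholders chosen for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Two midPoint objects wrapped for import. Names and OIDs are placeholders
     for this example; adjust them to the environment. -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">

    <!-- Value policy: complexity rules that midPoint enforces on user-chosen
         passwords and also uses when generating passwords. -->
    <valuePolicy oid="11111111-2222-3333-4444-555555555555">
        <name>Example Password Policy</name>
        <stringPolicy>
            <limitations>
                <minLength>12</minLength>
                <maxLength>128</maxLength>
                <minUniqueChars>6</minUniqueChars>
                <checkAgainstDictionary>true</checkAgainstDictionary>
                <limit>
                    <description>Lowercase letters</description>
                    <minOccurs>1</minOccurs>
                    <characterClass>
                        <value>abcdefghijklmnopqrstuvwxyz</value>
                    </characterClass>
                </limit>
                <limit>
                    <description>Uppercase letters</description>
                    <minOccurs>1</minOccurs>
                    <characterClass>
                        <value>ABCDEFGHIJKLMNOPQRSTUVWXYZ</value>
                    </characterClass>
                </limit>
                <limit>
                    <description>Digits</description>
                    <minOccurs>1</minOccurs>
                    <characterClass>
                        <value>0123456789</value>
                    </characterClass>
                </limit>
            </limitations>
        </stringPolicy>
    </valuePolicy>

    <!-- Security policy fragment: password lifetime, history and lockout.
         References the value policy above by its (placeholder) OID. -->
    <securityPolicy oid="66666666-7777-8888-9999-000000000000">
        <name>Example Security Policy</name>
        <credentials>
            <password>
                <!-- ISO 8601 durations: change required after 90 days,
                     at most one change per day, warn 14 days before expiry -->
                <maxAge>P90D</maxAge>
                <minAge>P1D</minAge>
                <warningBeforeExpirationDuration>P14D</warningBeforeExpirationDuration>
                <!-- reject reuse of the last 10 passwords -->
                <historyLength>10</historyLength>
                <!-- 5 failures within 15 minutes lock the account for 30 minutes -->
                <lockoutMaxFailedAttempts>5</lockoutMaxFailedAttempts>
                <lockoutFailedAttemptsDuration>PT15M</lockoutFailedAttemptsDuration>
                <lockoutDuration>PT30M</lockoutDuration>
                <valuePolicyRef oid="11111111-2222-3333-4444-555555555555"
                                type="ValuePolicyType"/>
            </password>
        </credentials>
    </securityPolicy>

</objects>
```

Note the scope of these settings: the complexity rules are applied when midPoint accepts or generates a password and are therefore propagated to every target system midPoint provisions, but the lockout and expiration settings govern authentication against midPoint itself. Lockout and forced password change at the organization's entry point still have to be implemented by the access management (AM/SSO) system that midPoint cooperates with.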
Implementation Notes
- This control is mostly about password management; it does not deal much with non-password authentication or credentials. It refers to ISO/IEC 24760 for those topics.
- MidPoint supports flexible authentication, which allows several authentication mechanisms to be configured and combined. Although this feature can be used to set up multi-factor authentication and similar advanced scenarios, that is not its primary purpose. A midPoint user interface is unlikely to be the initial entry point to an organization's systems, so the applicability of such an approach is limited. The primary purpose of flexible authentication is to support special-purpose scenarios of identity lifecycle and credential management, such as setting up an initial password, password reset and identity recovery.
- MidPoint relies on cooperation with an access management (AM/SSO) system to implement most authentication and enforcement capabilities. MidPoint can manage authentication information, such as passwords or passkeys. However, midPoint cannot efficiently handle authentication itself, nor the aspects of credential management tied to the act of authenticating, such as forcing a password change on the next log-in. This functionality has to be implemented in close cooperation with the authentication system.
- There is no ideal solution for the management of initial passwords and self-service password resets. Numerous trade-offs and compromises have to be made, and the solution has to be tailored to each organization or environment. Please see the discussion document linked below for more details.
Rationale
MidPoint can raise the level of authentication security in an organization by centrally enforcing password policy through its password management capabilities.
Documentation
Version | Title | Description
---|---|---
4.9 | Initial Password Management Discussion | Discussion of practices for establishing initial passwords and password reset
Development | Initial Password Management Discussion | Discussion of practices for establishing initial passwords and password reset
4.8 | Initial Password Management Discussion | Discussion of practices for establishing initial passwords and password reset