ISO/IEC 27001 Control 8.5: Secure authentication


Secure authentication technologies and procedures should be implemented based on information access restrictions and the topic-specific policy on access control.

Necessity of MidPoint

MidPoint is optional for implementation of this control.

Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.

Implementation Overview

Although midPoint does not deal with most authentication aspects directly, it is an important system to support authentication policies indirectly.

Implementation Details

MidPoint is instrumental in setting up flexible, identity-based authentication policies, such as requiring all users with privileged access to use multi-factor authentication. MidPoint does that in close cooperation with single sign-on (SSO) and access management (AM) systems, using identity connectors, provisioning and synchronization mechanisms to manage the SSO/AM policies. Authentication policy rules can be based on user roles (RBAC) or information classification schemes, as suggested by the control description. Reporting capabilities and dashboards can be used to analyze authentication policies applied to users and to identify violations or possible improvements. Moreover, midPoint has a built-in flexible authentication mechanism, allowing various configuration of authentication mechanisms when users log into midPoint user interface. There is a possibility to configure flexible authentication flows, including multi-factor authentication.

Implementation Notes

  • MidPoint internal flexible authentication mechanism is not meant as a central authentication service for the organization. Central authentication is a functionality of single sign-on (SSO) and access management (AM) systems, it is not responsibility of identity governance (IGA) systems such as midPoint. MidPoint internal authentication mechanism is meant primarily for use in alternative authentication scenarios, such as password reset and identity recovery scenarios. It is also useful for emergency authentication, e.g. in cases where central authentication mechanism is not available or it is compromised.

  • Control description suggests displaying a notice at login time, stating that the system should be accessed only by authorized users. We do not consider such notice to be effective, as the mere fact of engaging in a log-in procedure suggests that the system is meant to be accessed by authorized users only. Moreover, we tend to believe that such a notice may act as a visual pollution, distracting the user from paying attention to more important aspects of authentication, such as tell-tale signs of a phishing attempt.


Vast majority of authentication requirements are handled by single sign-on (SSO) and access management (AM) systems, acting as authentication servers. MidPoint does not deal with most authentication aspects directly. However, midPoint is essential in setting up, maintaining and reporting authentication policies, such as setting requirements for multi-factor authentication for users with privileged access.

Was this page helpful?
Thanks for your feedback