alsalmone
Viewer

Best practice authentication requirements for customers

Hi all, I was wondering if anyone could help with this. I work for an organisation which is designing a new customer portal. We are looking at authentication requirements for customers depending on the sensitivity of the data they are accessing (e.g. username and password for basic product info, MFA for bank details etc.).

Is there any current advice or best practice I can review around this for customer access? There is plenty of advice and standards for staff accounts that we follow (e.g. Cyber Essentials says we should have MFA for all staff accounts, so that's clear and is an obvious thing to do). I work in the UK and have checked the National Cyber Security Centre website but can't find anything customer-specific there.

The reason I'm asking is that we need to find a good balance between security and usability. Email step-up authentication or SMS-based MFA may be sufficient for customers, but we require authenticator-app MFA for staff. It would be helpful to have some research-based advice to back up our choices.

2 Replies
JoePete
Advocate I


@alsalmone wrote:

Is there any current advice or best practice I can review around this for customer access? There is plenty of advice and standards for staff accounts that we follow (e.g. Cyber Essentials says we should have MFA for all staff accounts, so that's clear and is an obvious thing to do). I work in the UK and have checked the National Cyber Security Centre website but can't find anything customer-specific there.


I have always found OWASP a good place to start:
https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html

A lot of the advice out there tends to focus on the identification aspect - how users manage their own credentials. Be sure to consider what happens on the backend with session management and so forth. I think that is where OWASP tends to shine, because they look at security from a development standpoint, not just how you direct users. You touch on the concern about customer usability. What is called "MFA" rarely fully qualifies as MFA. Since you are talking about a mobile app, you might want to look into SIM-card-based authentication. Usability, especially for smartphone apps, can push compromises where you don't really use MFA or have some sort of session persistence where essentially the phone stays authenticated for an extended period of time. Don't overlook the aspect of authorization either. Maybe part of the solution to satisfy usability is to lock down what the customer mobile app can do or view, or at least what happens without a more robust authentication factor(s). Good luck.
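The tiering the question describes (password for product info, step-up for bank details) and the reply's points about session persistence and locking down what a session can do without a stronger factor can be expressed as one server-side policy check. The following is an added example, not code from either poster or from OWASP; the resource tiers, the `Factor` ranking and the freshness windows are constructed values for illustration, not drawn from any standard.

```python
"""Step-up authentication check for a tiered customer portal (added example)."""
from dataclasses import dataclass, field
from enum import IntEnum


class Factor(IntEnum):
    """Assurance ranking of the ways a customer can authenticate (constructed)."""
    PASSWORD = 1        # knowledge factor only
    EMAIL_OR_SMS = 2    # one-time code delivered out of band
    AUTH_APP = 3        # authenticator app (TOTP or push)


# Resource tier -> (minimum factor, max age in seconds of its last verification).
# None means any verification within the session is acceptable.
# Hypothetical policy values chosen for this example.
POLICY = {
    "product_info": (Factor.PASSWORD, None),
    "order_history": (Factor.EMAIL_OR_SMS, 24 * 3600),
    "bank_details": (Factor.AUTH_APP, 15 * 60),
}


@dataclass
class Session:
    user: str
    # factor -> Unix time the server last verified it in this session
    verified: dict = field(default_factory=dict)

    def record(self, factor: Factor, at: float) -> None:
        """Call only after the server has verified the factor (e.g. a valid code)."""
        self.verified[factor] = at


def check_access(session: Session, resource: str, now: float) -> str:
    """Return 'allow', 'step_up:<FACTOR>' or 'deny' for a resource request.

    A stronger factor satisfies a weaker requirement, but only while its own
    verification is fresh; a long-lived session with a stale strong factor
    is pushed back to step-up rather than trusted indefinitely.
    """
    if resource not in POLICY:
        return "deny"  # fail closed on resources the policy does not name
    required, max_age = POLICY[resource]
    for factor, at in session.verified.items():
        fresh = max_age is None or (now - at) <= max_age
        if factor >= required and fresh:
            return "allow"
    return f"step_up:{required.name}"
```

Each call returns a decision the portal can act on directly: serve the page, redirect to the relevant second-factor prompt, or refuse.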

alsalmone
Viewer

thanks for the response!