Control 8.5: Secure Authentication
Summary
Secure authentication technologies and procedures should be implemented based on information access restrictions and the topic-specific policy on access control. This ensures that the identity of any user or system attempting to access data is verified with high confidence.
Applicability
In-Scope: Mandatory for all organizations. Authentication is the gate in front of every other access control; if it is weak, access restrictions, logging and least-privilege design all rest on an unverified identity.
Out-of-Scope: Never out-of-scope.
Implementation Guidance
Microsoft 365 / Entra ID
- Multi-Factor Authentication (MFA): Enforce MFA for all users through Entra ID Conditional Access, and prefer phishing-resistant methods: FIDO2 security keys or passkeys, Windows Hello for Business, or certificate-based authentication. Microsoft Authenticator push with number matching is an acceptable baseline but is not phishing-resistant, and SMS or voice-call factors should be retired.
- Passwordless: Move privileged and other high-risk users first, and then the wider user base, to passwordless sign-in with Windows Hello for Business, FIDO2 security keys or passkeys in the Microsoft Authenticator app.
- Risk-Based Authentication: Enable Entra ID Identity Protection risk policies (Entra ID P2) so that a sign-in flagged as high risk must satisfy MFA or is blocked, and a user whose account is flagged as high risk must perform a secure password change.
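As an added example (not part of this page or of Microsoft's own documentation), the following Microsoft Graph PowerShell script creates the three Conditional Access policies the guidance above calls for: block legacy authentication, require MFA for all users, and require phishing-resistant MFA for administrators. It assumes the Microsoft.Graph module is installed, that the signed-in account is allowed to manage Conditional Access, that the hypothetical parameter $BreakGlassId holds the object ID of an emergency-access account to exclude, and that the built-in authentication-strength and directory-role template IDs it uses are current (verify them with Get-MgPolicyAuthenticationStrengthPolicy and Get-MgDirectoryRoleTemplate). Policies are created in report-only mode so their effect can be checked in the sign-in logs before they are enforced.

```powershell
# Added example: create baseline Conditional Access policies for control 8.5.
# Not the page's or Microsoft's code; IDs below are assumptions to be verified in your tenant.
param(
    [Parameter(Mandatory = $true)][string] $BreakGlassId   # assumed: object ID of the emergency-access account
)

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

# Built-in authentication strength "Phishing-resistant MFA" (FIDO2/passkeys, Windows Hello for
# Business, certificate-based authentication). Assumed ID; confirm with Get-MgPolicyAuthenticationStrengthPolicy.
$PhishingResistantStrength = "00000000-0000-0000-0000-000000000004"

# Directory role template IDs (assumed; confirm with Get-MgDirectoryRoleTemplate).
$AdminRoles = @(
    "62e90394-69f5-4237-9190-012177145e10",  # Global Administrator
    "194ae4cb-b126-40b2-bd5b-6091b380977d",  # Security Administrator
    "e8611ab8-c189-46e8-94e1-60213ab1f814"   # Privileged Role Administrator
)

# Report-only state lets you review what each policy would have done before switching it to "enabled".
$ReportOnly = "enabledForReportingButNotEnforced"

$policies = @(
    @{
        DisplayName   = "CA001 - Block legacy authentication"
        State         = $ReportOnly
        Conditions    = @{
            Users          = @{ IncludeUsers = @("All"); ExcludeUsers = @($BreakGlassId) }
            Applications   = @{ IncludeApplications = @("All") }
            # Legacy protocols (basic auth SMTP/IMAP/POP/EWS, ActiveSync) show up as these client
            # app types. They cannot complete an MFA challenge, so the only safe grant is "block".
            ClientAppTypes = @("exchangeActiveSync", "other")
        }
        GrantControls = @{ Operator = "OR"; BuiltInControls = @("block") }
    },
    @{
        DisplayName   = "CA002 - Require MFA for all users"
        State         = $ReportOnly
        Conditions    = @{
            Users          = @{ IncludeUsers = @("All"); ExcludeUsers = @($BreakGlassId) }
            Applications   = @{ IncludeApplications = @("All") }
            ClientAppTypes = @("all")
        }
        GrantControls = @{ Operator = "OR"; BuiltInControls = @("mfa") }
    },
    @{
        DisplayName   = "CA003 - Require phishing-resistant MFA for administrators"
        State         = $ReportOnly
        Conditions    = @{
            Users          = @{ IncludeRoles = $AdminRoles; ExcludeUsers = @($BreakGlassId) }
            Applications   = @{ IncludeApplications = @("All") }
            ClientAppTypes = @("all")
        }
        # An authentication strength replaces the generic "mfa" control with a specific allowed set of methods.
        GrantControls = @{
            Operator               = "OR"
            AuthenticationStrength = @{ Id = $PhishingResistantStrength }
        }
    }
)

foreach ($p in $policies) {
    # Idempotent: do not create a duplicate if a policy with the same name already exists.
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($p.DisplayName)'"
    if ($existing) {
        Write-Host "Skipping '$($p.DisplayName)': already exists (id $($existing.Id))"
        continue
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created '$($created.DisplayName)' in state '$($created.State)' (id $($created.Id))"
}
```

Excluding a break-glass account from every policy is deliberate: if the MFA provider or Conditional Access itself misbehaves, that account is the only way back into the tenant, so it should be protected by a long random password kept offline and monitored for any use. Once the report-only results look right, switch each policy's State to "enabled".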
Evidence Checklist
- Authentication Policy: Documented requirements for password length and complexity, which MFA methods are permitted and which are prohibited (for example SMS and voice), and the requirement that only modern authentication protocols are used.
- MFA Adoption Reports: Exports of the Entra ID authentication methods registration report showing that every user, including all privileged accounts, is registered for MFA and which methods they use, with any exceptions (such as break-glass or service accounts) listed alongside their compensating controls.
- Sign-in Logs: Entra ID sign-in log records showing successful MFA challenges, sign-ins blocked by Conditional Access or Identity Protection, and the follow-up performed on risky sign-ins.
Practical Audit Advice
Here are some questions the auditor might ask:
- Does the organization permit weaker MFA methods such as SMS or voice calls, and if so, how is that risk justified and when will they be retired?
- How do you ensure that legacy authentication protocols (basic authentication for SMTP, IMAP, POP, EWS and ActiveSync, which cannot satisfy an MFA challenge) are blocked across the tenant, and how would you detect an attempt to use them?
- Can you demonstrate the process for a user to securely reset their authentication factors if they lose their mobile device, including how the help desk verifies that user's identity?
- How are administrative accounts protected with stronger authentication requirements than standard users, for example phishing-resistant MFA enforced through Conditional Access authentication strengths?
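To gather the evidence that the checklist and the audit questions above ask for (MFA usage in the sign-in logs, remaining legacy-protocol sign-ins, risky sign-in handling, and MFA registration coverage), here is an added example in Microsoft Graph PowerShell. It is not code from this page or from Microsoft; it assumes the Microsoft.Graph module is installed, that the account used has the listed read permissions and an Entra ID P1/P2 licence for sign-in log access, and that the $Days and $OutDir parameters (hypothetical) control the reporting window and where the CSV evidence files are written.

```powershell
# Added example: export control 8.5 evidence from Entra ID sign-in logs and registration reports.
# Not the page's or Microsoft's code; parameters and permission scopes are assumptions.
param(
    [int]    $Days   = 30,   # assumed: reporting window in days
    [string] $OutDir = "."   # assumed: folder for CSV evidence files
)

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "Reports.Read.All"

$since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Sign-ins in the window. Only the time is filtered server-side; very large tenants should add a
# narrower server-side filter (application, user) to keep the result set manageable.
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All -PageSize 999
$ok      = $signIns | Where-Object { $_.Status.ErrorCode -eq 0 }   # 0 = successful sign-in

# 1. Legacy authentication: successful sign-ins over protocols that cannot complete MFA.
#    Any row here means the "block legacy auth" control is not fully effective.
$legacyClients = @("Exchange ActiveSync", "Other clients", "IMAP4", "POP3", "SMTP",
                   "Authenticated SMTP", "Exchange Web Services", "MAPI Over HTTP",
                   "Outlook Anywhere (RPC over HTTP)", "Offline Address Book")
$legacy = $ok | Where-Object { $legacyClients -contains $_.ClientAppUsed }
$legacy | Select-Object CreatedDateTime, UserPrincipalName, ClientAppUsed, AppDisplayName, IPAddress |
    Export-Csv (Join-Path $OutDir "legacy-auth-signins.csv") -NoTypeInformation
Write-Host ("Successful legacy-protocol sign-ins in the last {0} days: {1}" -f $Days, @($legacy).Count)

# 2. MFA enforcement: split successful sign-ins by the requirement that was applied.
#    "singleFactorAuthentication" rows are the exceptions an auditor will ask about.
$ok | Group-Object AuthenticationRequirement | Select-Object Name, Count | Format-Table -AutoSize
$singleFactor = $ok | Where-Object { $_.AuthenticationRequirement -eq "singleFactorAuthentication" }
$singleFactor | Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, ClientAppUsed |
    Export-Csv (Join-Path $OutDir "single-factor-signins.csv") -NoTypeInformation

# 3. Risk-based remediation: medium/high-risk sign-ins with their outcome and risk state
#    (ErrorCode other than 0 means the attempt was interrupted or blocked).
$risky = $signIns | Where-Object { $_.RiskLevelDuringSignIn -in @("medium", "high") }
$risky | Select-Object CreatedDateTime, UserPrincipalName, RiskLevelDuringSignIn, RiskState,
    @{ Name = "ErrorCode"; Expression = { $_.Status.ErrorCode } } |
    Export-Csv (Join-Path $OutDir "risky-signins.csv") -NoTypeInformation
Write-Host ("Medium/high-risk sign-ins: {0}" -f @($risky).Count)

# 4. MFA registration coverage: who is not registered, and which admins are not yet passwordless-capable.
$reg = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$notRegistered         = $reg | Where-Object { -not $_.IsMfaRegistered }
$adminsNotPasswordless = $reg | Where-Object { $_.IsAdmin -and -not $_.IsPasswordlessCapable }
$notRegistered | Select-Object UserPrincipalName, IsAdmin, DefaultMfaMethod, @{ Name = "Methods"; Expression = { $_.MethodsRegistered -join ";" } } |
    Export-Csv (Join-Path $OutDir "users-without-mfa.csv") -NoTypeInformation
Write-Host ("MFA registered: {0} of {1} users; admins not passwordless-capable: {2}" -f ($reg.Count - @($notRegistered).Count), $reg.Count, @($adminsNotPasswordless).Count)
```

The four CSV files map directly onto the evidence checklist: the legacy-auth and single-factor exports answer the "how is legacy authentication disabled" and "MFA for everyone" questions with data rather than screenshots, the risky-sign-in export documents Identity Protection remediation, and the registration export is the adoption report. Run it on a schedule and keep the outputs with the date of each run so the auditor sees a trend, not a single snapshot.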