Small and Medium Organizations: Use Strong User Authentication
By using strong user authentication to grant access to information systems and devices, your organization can improve its overall cyber security posture. The goal is to maximize both usability and security wherever possible.
What is strong user authentication?
One of the most common ways for cyber threat actors to gain access to information systems is by guessing passwords. This works because it can be difficult to choose and remember multiple complex passwords for various devices and accounts.
We recommend using passphrases. A passphrase is a memorized phrase consisting of a sequence of mixed words, numbers, and punctuation. Passphrases should be at least 4 words and 15 characters in length.
Your organization should also implement a password policy that outlines requirements (e.g. when a password should be changed). You may also want to consider using password managers to help manage multiple passwords or generate complex passwords. However, there are risks associated with using password managers, and they should never be used to store passwords for sensitive accounts (e.g. administrative accounts, banking credentials).
Two-factor (or multi-factor) authentication strengthens your device and account security because logging in requires at least two different kinds of evidence: something you know combined with something you have or something you are (e.g. a password and a token, or a password and a fingerprint). Whenever possible, organizations should use two-factor authentication.
Recommendations for your organization:
- Implement a password policy
- Use passphrases for passwords
- Implement two-factor authentication wherever possible