Authentication Best Practices: Passwords, MFA & SSO


Authentication is how your system verifies that users are who they claim to be. Stolen, guessed or reused credentials are involved in a large share of account compromises, which makes weak authentication one of the most common ways an attacker gets in. This article explains the standards we implement.

Password Standards

  • Minimum length over complexity: NIST SP 800-63B (2017) requires at least 8 characters for user-chosen passwords, allows at least 64, and advises against mandatory composition rules ("one uppercase, one digit, one symbol") and periodic forced rotation, because length and uniqueness matter more than character classes. NIST also says to accept all printable characters, including spaces. We recommend 12 or more characters.
  • Breach detection: We check candidate passwords against Have I Been Pwned (HIBP) Pwned Passwords and reject any password that appears in a known breach, since those are the first guesses an attacker tries. HIBP's range API works on k-anonymity: only the first five hex characters of the password's SHA-1 hash are sent, and the match is made locally, so neither the password nor its full hash ever leaves our system.
  • Secure storage: Passwords are never stored in plain text or in reversible encryption. They are hashed with a slow, salted password hashing function (Argon2id, bcrypt or PBKDF2-HMAC) using a unique random salt per password and a work factor tuned to cost a noticeable fraction of a second on our hardware. The OWASP Password Storage Cheat Sheet currently suggests Argon2id first, bcrypt second, and PBKDF2-HMAC-SHA256 at 600,000 iterations where FIPS compliance requires it; the parameters are stored alongside the hash so they can be raised as hardware improves.
  • Account lockout: Repeated failed logins against an account trigger throttling (increasing delays or a CAPTCHA) and, past a threshold, a temporary lockout, which blunts online brute-force and credential-stuffing attacks. Lockouts must be temporary and tracked per account and per source address, otherwise an attacker can deliberately lock legitimate users out, and the failure message must not reveal whether the username exists.
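The following is an added example, not the article's own code, showing how the length rule, the HIBP k-anonymity breach check and salted PBKDF2-HMAC storage fit together in one registration path. The 600,000-iteration work factor and the `$`-separated storage format are assumptions for illustration; the `fetch_range` callable stands in for the HTTP call to https://api.pwnedpasswords.com/range/<prefix>, and the breach corpus it answers from is constructed test data.

```python
import base64
import hashlib
import hmac
import os

MIN_PASSWORD_LENGTH = 12      # this article's recommendation (NIST minimum is 8)
PBKDF2_ITERATIONS = 600_000   # assumed work factor; raise it as hardware improves
PBKDF2_ALGORITHM = "sha256"

# --- Breach check: HIBP range API, k-anonymity -----------------------------
# The real service is GET https://api.pwnedpasswords.com/range/<5-hex-char prefix>
# and answers with lines of "<remaining 35 hex chars>:<count>". Only the prefix is
# ever sent; the suffix comparison happens locally.

def sha1_prefix_suffix(password: str):
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def is_breached(password: str, fetch_range) -> bool:
    """fetch_range(prefix) -> response body text (injected so this runs offline)."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix and int(count or 0) > 0:
            return True
    return False

# Constructed stand-in for the network call: a tiny breach corpus hashed the way
# the real service hashes its data. The counts are made up.
_CONSTRUCTED_BREACHED = {"password": 1234, "letmein": 56, "qwerty123456": 7}

def constructed_fetch_range(prefix: str) -> str:
    lines = []
    for pw, count in _CONSTRUCTED_BREACHED.items():
        p, s = sha1_prefix_suffix(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)

# --- Storage: PBKDF2-HMAC-SHA256 with a random per-password salt -----------
# Stored form (assumed): pbkdf2_sha256$<iterations>$<salt b64>$<hash b64>, so the
# parameters travel with the hash and can be upgraded on the next login.

def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac(PBKDF2_ALGORITHM, password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_" + PBKDF2_ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])

def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    dk = hashlib.pbkdf2_hmac(algo.removeprefix("pbkdf2_"), password.encode("utf-8"),
                             base64.b64decode(salt_b64), int(iterations))
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))

def needs_rehash(stored: str) -> bool:
    """True when a stored hash was made with a weaker work factor than current policy."""
    _, iterations, _, _ = stored.split("$")
    return int(iterations) < PBKDF2_ITERATIONS

# --- Registration policy: length, then breach check, then hash -------------
def register_password(password: str, fetch_range=constructed_fetch_range) -> str:
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    if is_breached(password, fetch_range):
        raise ValueError("password appears in a known breach; choose another")
    return hash_password(password)

if __name__ == "__main__":
    stored = register_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))
```

On login, call `verify_password` and, when it succeeds and `needs_rehash` is true, re-hash the plaintext you were just given with the current parameters; that is how a fleet migrates to a stronger work factor without forcing resets.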

Multi-Factor Authentication (MFA)

MFA requires users to prove their identity with two or more independent factors: something they know (a password), something they have (a phone or authenticator app), or something they are (a biometric). We implement MFA with TOTP (Time-based One-Time Password, RFC 6238) apps such as Google Authenticator and Authy: each user is enrolled with a unique secret, usually scanned from a QR code, and the app derives a new six-digit code every 30 seconds that the server recomputes and compares. SMS codes are used only where TOTP is not practical, because SMS can be intercepted or redirected by SIM swapping and NIST SP 800-63B classes it as a restricted authenticator. Neither TOTP nor SMS resists a real-time phishing proxy, so a code must never be accepted twice and the verification window should be kept small.

Single Sign-On (SSO)

SSO lets users authenticate once, with Microsoft, Google or an enterprise identity provider, and then access multiple systems without separate credentials; it also moves password policy and MFA enforcement to the identity provider. We implement SSO with OpenID Connect and OAuth 2.0, the industry standards: OAuth 2.0 is the authorization framework, and OpenID Connect layers an identity assertion on it in the form of a signed ID token. Using them safely means using the authorization code flow with PKCE, binding each request to a random state value that is checked on the callback, and validating the ID token's signature, issuer, audience, expiry and nonce before a session is created; skipping those checks turns SSO into an open door for token substitution and replay.
