ACC-01: Identity & Authentication
Objective
Ensure all users are uniquely identified and authenticated using strong, phishing-resistant methods.
Description
All access to systems requires authentication using WebAuthn/passkeys or SSO with MFA. Password-only authentication is not permitted for any production systems.
Implementation Details
User Authentication: Okta or Google Workspace for SSO with MFA required. WebAuthn/passkeys enforced for all users. AWS IAM Identity Center for cloud access.
No Passwords: No service account passwords - use IAM roles or workload identity instead.
Access Methods: SSO login for all SaaS tools. AWS access via SSO only (no long-lived credentials). GitHub protected by SSO + WebAuthn. API keys rotated every 90 days.
Examples
- All employees use YubiKeys for WebAuthn authentication
- AWS access requires SSO through Okta with MFA
- Password-only authentication disabled for all production systems
- Service accounts use IAM roles instead of credentials
Audit Evidence
- SSO configuration showing MFA enforcement
- User directory with MFA enrollment status
- AWS IAM policy requiring SSO
- Access logs showing authentication methods
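As an added example (not part of this control document or its tooling), the following check parses an AWS IAM credential report and flags IAM users that break this control: a console password enabled on an IAM user (access must go through SSO) or an active access key older than the 90-day rotation limit. The column names are the ones AWS uses in the credential report; the report rows and the account id are constructed sample data.

```python
"""Flag IAM credential-report rows that violate ACC-01 (added example, not project code)."""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # ACC-01: API keys rotated every 90 days

# Constructed sample report using AWS credential-report column names (subset of columns).
# Account id 123456789012 is a placeholder.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,true,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2021-03-04T10:00:00+00:00,false,false,true,2023-01-10T09:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-06-01T08:00:00+00:00,true,false,false,N/A,false,N/A
svc-backup,arn:aws:iam::123456789012:user/svc-backup,2022-09-15T12:00:00+00:00,false,false,true,2024-05-01T00:00:00+00:00,false,N/A
"""


def _age_days(stamp, now):
    """Whole days since an ISO-8601 timestamp; None for N/A / not_supported fields."""
    if stamp in ("N/A", "not_supported", ""):
        return None
    return (now - datetime.fromisoformat(stamp)).days


def find_violations(report_csv, as_of=None, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, finding) tuples for rows that violate ACC-01.

    as_of: optional ISO-8601 timestamp to evaluate key age against (defaults to now, UTC).
    """
    now = datetime.fromisoformat(as_of) if as_of else datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # A console password on an IAM user bypasses SSO, with or without MFA.
        if row["password_enabled"] == "true":
            findings.append((user, "console password enabled; access must go through SSO"))
        # Long-lived access keys are only tolerated while younger than the rotation limit.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            age = _age_days(row[f"access_key_{n}_last_rotated"], now)
            if age is not None and age > max_key_age_days:
                findings.append((user, f"access key {n} is {age} days old (limit {max_key_age_days})"))
    return findings


if __name__ == "__main__":
    for user, finding in find_violations(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

Against a live account, feed the output of `aws iam get-credential-report` (base64-decoded) in place of the sample text; an empty result is the audit evidence that no IAM user holds a password or a stale key.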
Framework Mapping
SOC 2
- CC6.1 ^[Strong authentication (MFA, WebAuthn) implements logical access security software to protect information assets]
- CC6.2 ^[SSO with MFA ensures users are registered and authorized before system access is granted]
- CC6.3 ^[Access removal on termination enforced through centralized SSO deprovisioning]
GDPR
- Article 32 ^[Multi-factor authentication and phishing-resistant methods are technical measures to ensure security of processing]
- Article 5 ^[User authentication supports accountability principle by ensuring accurate attribution of data processing actions]
Referenced By
This section is automatically generated by make generate-backlinks. Do not edit manually.
Standards:
Processes:
Policies:
Charter: