Authentication information refers to data that verifies a user's identity: it is what proves you are who you say you are. The most common types are things you know, like a password; things you have, like a phone or a key fob; and things you are, like a fingerprint.
Examples
- Passwords: The secret word or phrase you type to log in.
- PINs: The short number you use for your debit card or phone.
- Security Questions: Questions like “What was your first pet’s name?”
- Biometrics: Using your body, like a fingerprint or a face scan.
- Tokens: A small device or a code sent to your phone.
Context
Imagine you want to get into your house. Your key is a form of authentication information because it proves you have permission to enter. Similarly, your password is a key for your digital accounts. For extra security, some systems need more than one key, like a password and a code from your phone. This is called multi-factor authentication (MFA).
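To make the two-key idea concrete, here is an added example (not part of the original page) that checks both factors the way a login service would: the "something you know" is verified against a salted PBKDF2 hash rather than a stored password, and the "something you have" is a six-digit TOTP code of the kind an authenticator app produces (RFC 6238, HMAC-SHA1, 30-second steps). The in-memory `store`, the usernames and the secret key `b"12345678901234567890"` (the RFC 6238 reference test key) are constructed for illustration; only the standard library is used.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# PBKDF2 work factor; higher is slower for attackers and for you alike.
PBKDF2_ITERATIONS = 600_000
TOTP_STEP_SECONDS = 30


def hash_password(password: str, salt: Optional[bytes] = None):
    """Something you KNOW: keep only a per-user salt and a PBKDF2 digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    # Constant-time comparison so response time does not reveal matching bytes.
    return hmac.compare_digest(digest, expected)


def totp(secret: bytes, timestamp: float, digits: int = 6) -> str:
    """Something you HAVE: RFC 6238 TOTP over the current 30-second counter."""
    counter = int(timestamp) // TOTP_STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, timestamp: float, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate small clock drift."""
    for drift in range(-window, window + 1):
        candidate = totp(secret, timestamp + drift * TOTP_STEP_SECONDS)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def register(store: dict, username: str, password: str, totp_secret: bytes) -> None:
    salt, digest = hash_password(password)
    store[username] = {"salt": salt, "hash": digest, "totp_secret": totp_secret}


def authenticate(store: dict, username: str, password: str, code: str,
                 timestamp: Optional[float] = None) -> bool:
    """MFA check: both factors must pass, and the caller is not told which one failed."""
    if timestamp is None:
        timestamp = time.time()
    record = store.get(username)
    if record is None:
        # Burn the same hashing cost for unknown users so timing does not reveal valid names.
        hash_password(password, b"\x00" * 16)
        return False
    ok_know = verify_password(password, record["salt"], record["hash"])
    ok_have = verify_totp(record["totp_secret"], code, timestamp)
    return ok_know and ok_have


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 test key at timestamp 59 yields code 287082.
    users = {}
    register(users, "alice", "correct horse battery staple", b"12345678901234567890")
    print(authenticate(users, "alice", "correct horse battery staple", "287082", 59))  # True
    print(authenticate(users, "alice", "correct horse battery staple", "000000", 59))  # False
```

Both factors are always evaluated before a decision is returned, so an attacker who has guessed the password learns nothing from the response until the second factor is also correct; in a real service the check would also be paired with rate limiting and lockout.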
Relevant ISO 27001 Controls
The following controls from the ISO/IEC 27001:2022 standard are related to authentication information:
- ISO 27001:2022 Annex A 5.17: Authentication Information: This control deals with how users prove who they are (e.g., with passwords or keycards).
- ISO 27001:2022 Annex A 5.15: Access Control: This is the main control for managing access rights.
- ISO 27001:2022 Annex A 5.16: Identity Management: This covers the process of giving, changing, and removing user access.
- ISO 27001:2022 Annex A 5.18: Access Rights: This control focuses on setting up and reviewing user access to systems.
- ISO 27001:2022 Annex A 8.2: Privileged Access Rights: This is about controlling access for powerful accounts, like system administrators.