Authentication is a critical part of any system so you should always employ correct and safe practices. Below are some guidelines to make your authentication system more resilient:
- "Re-authenticate users prior to performing critical operations"
- "Use Multi-Factor Authentication for highly sensitive or high value transactional accounts"
- "Implement monitoring to identify attacks against multiple user accounts, utilizing the same password. This attack pattern is used to bypass standard lockouts, when user IDs can be harvested or guessed"
- "Change all vendor-supplied default passwords and user IDs or disable the associated accounts"
- "Enforce account disabling after an established number of invalid login attempts (e.g., five attempts is common). The account must be disabled for a period of time sufficient to discourage brute force guessing of credentials, but not so long as to allow for a denial-of-service attack to be performed"