# 3. User Access Control

The goal of this control is to ensure that user accounts are assigned only to authorised individuals and that the principle of least privilege[^1] is applied.

This control expects organisations to:

* Have a process for user account creation and approval.
* Authenticate users with sufficiently strong credentials before allowing access to devices or systems.
* Remove or deactivate user accounts that are no longer required.
* Enable MFA[^2] where possible.
* Have separate accounts used only for administrative activities. Accounts used for general user activities (browsing the internet, emailing, etc.) must not be used for anything administrative.
* Remove or disable administrative and special privileges when they are no longer needed.

#### Password-based authentication

* Passwords are protected against brute-forcing[^3] by at least one of the following:
  * Activating MFA[^2].
  * Throttling: configuring wait times between attempts so that no more than 10 guesses are possible in 5 minutes.
  * Locking accounts after no more than 10 unsuccessful attempts.
* Password quality is managed by at least one of the following:
  * Activating MFA[^2].
  * A minimum password length of at least 12 characters, with no maximum length restriction.
  * A minimum password length of at least 8 characters, with no maximum length restriction, combined with automatic blocking of common passwords using a deny list.
* Employees are supported and encouraged to choose strong passwords for their accounts by:
  * Training employees to avoid common and weak passwords, including passwords built from discoverable information. This could include training them to use a password manager's built-in password generator.
  * Encouraging employees to use longer passwords.
  * Providing secure storage for passwords, e.g. a password manager, and training employees to use it.
  * Not enforcing regular password expiry; changes should be driven by suspected compromise rather than by a calendar.
  * Not enforcing password complexity requirements.
* There is a process to enforce password changes if it is suspected a password or account has been compromised.
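The two technical protections listed above (a throttle of no more than 10 guesses in 5 minutes, or a lockout after no more than 10 failures) and the two password-quality options (12+ characters, or 8+ characters plus a deny list) are easy to get subtly wrong, so here is an added example that implements them. It is not code from the Cyber Essentials scheme or from any product; the account name, the deny list, the verifier's secret and the attacker's guesses are all constructed for illustration, and the `FakeClock` exists only to make the run deterministic.

```python
# Added example (not part of the Cyber Essentials text): a per-account login
# throttle and a password-quality check that enforce the thresholds above.
# Names, the deny list and the sample guesses are constructed for illustration.
from collections import deque
import time

# Thresholds quoted in the control
MAX_GUESSES_PER_WINDOW = 10     # no more than 10 guesses ...
WINDOW_SECONDS = 5 * 60         # ... in 5 minutes
LOCKOUT_AFTER_FAILURES = 10     # lock after no more than 10 failed attempts

# Constructed deny list; a deployment would load a list of breached/common passwords.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}


def password_acceptable(password: str, use_denylist: bool) -> bool:
    """Option A: >= 12 characters. Option B: >= 8 characters and not on the deny list.
    Neither option imposes a maximum length; a cap only shrinks the keyspace."""
    if use_denylist:
        return len(password) >= 8 and password.lower() not in COMMON_PASSWORDS
    return len(password) >= 12


class LoginThrottle:
    """Sliding-window throttle plus optional hard lockout, tracked per account."""

    def __init__(self, clock=time.monotonic, max_guesses=MAX_GUESSES_PER_WINDOW,
                 window=WINDOW_SECONDS, lockout_after=LOCKOUT_AFTER_FAILURES):
        self._clock = clock
        self._max_guesses = max_guesses
        self._window = window
        self._lockout_after = lockout_after    # None disables the lockout
        self._recent = {}      # account -> deque of timestamps of recent guesses
        self._failures = {}    # account -> consecutive failed attempts
        self._locked = set()

    def is_locked(self, account: str) -> bool:
        return account in self._locked

    def allow_attempt(self, account: str) -> bool:
        """Return True if a guess may be checked now, and count it if so."""
        if account in self._locked:
            return False
        now = self._clock()
        q = self._recent.setdefault(account, deque())
        while q and now - q[0] >= self._window:   # drop guesses older than the window
            q.popleft()
        if len(q) >= self._max_guesses:
            return False
        q.append(now)
        return True

    def record_result(self, account: str, success: bool) -> None:
        if success:
            self._failures[account] = 0
            return
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._lockout_after is not None and self._failures[account] >= self._lockout_after:
            self._locked.add(account)   # stays locked until a reset process clears it


def attempt_login(throttle: LoginThrottle, account: str, supplied: str, verify) -> str:
    """Gate the credential check behind the throttle. Returns 'ok', 'denied' or 'throttled'."""
    if not throttle.allow_attempt(account):
        return "throttled"          # the verifier never sees the guess
    ok = verify(account, supplied)
    throttle.record_result(account, ok)
    return "ok" if ok else "denied"


class FakeClock:
    """Constructed clock so the demonstration is deterministic."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def simulate_guesses(guesses, lockout_after=LOCKOUT_AFTER_FAILURES):
    """Run a burst of wrong guesses against one account; return outcome counts and
    the account's state once the 5-minute window has passed."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock, lockout_after=lockout_after)
    verify = lambda account, pw: pw == "correct horse battery staple"   # constructed secret
    outcomes = [attempt_login(throttle, "alice", g, verify) for g in guesses]
    clock.now += WINDOW_SECONDS + 1
    return {
        "checked": outcomes.count("denied"),
        "throttled": outcomes.count("throttled"),
        "locked_after_window": throttle.is_locked("alice"),
        "allowed_after_window": throttle.allow_attempt("alice"),
    }


if __name__ == "__main__":
    burst = [f"guess{i}" for i in range(15)]     # constructed attacker wordlist
    print(simulate_guesses(burst))                       # lockout: stays locked
    print(simulate_guesses(burst, lockout_after=None))   # throttle only: reopens after 5 min
```

Two points the code makes that the bullet list does not: the throttle decision happens before the password is ever compared, so a rejected guess costs the attacker a slot without telling them anything, and throttling alone reopens the account once the window expires, whereas a lockout needs a separate reset process (which is why the control pairs it with a process for suspected compromise).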

#### Multi-Factor Authentication (MFA)

As well as protecting passwords that are not covered by other technical controls, multi-factor authentication should always be used for administrative accounts and for any account that is accessible from the internet.

The password element of the multi-factor authentication approach must be at least 8 characters long, with no maximum length restriction.

There are four types of additional factors that may be considered:

* A managed/enterprise device
* An app on a trusted device
* A physically separate token
* A known or trusted account

Additional factors should be chosen so that they are usable and accessible; this may require user testing to check whether a factor suits its intended users.

[^1]: Users should have access to only the specific data, resources and applications needed to complete a required task.

[^2]: Multi-factor authentication

[^3]: An attack where an attacker systematically checks many possible passwords until the correct one is found.
