Well-Architected Framework
Implement strong sign-in workflows
Implementing strong sign-in workflows is essential to protect your systems and data. Strong sign-in workflows help ensure that only authorized users can access your systems, reducing the risk of unauthorized access and potential security breaches.
What are strong sign-in workflows
Strong sign-in workflows involve a combination of techniques and technologies to verify a user's identity before granting access to systems. Strong sign-in workflows typically consist of something you know (such as a password), something you have (such as a hardware token or smart card), and something you are (such as a fingerprint or facial recognition). Strong sign-in workflows include:
- Multi-factor authentication (MFA): Combination of two or more independent sign-in factors to verify a user's identity.
- Biometric authentication: Use of unique biological traits, such as fingerprints or facial recognition, to verify a user's identity.
- Adaptive authentication: Contextual authentication that adjusts the level of verification based on user behavior and risk factors.
Why implement strong sign-in workflows
Writing policies that follow least privilege ensures that an authorized user does not have access to systems or data they should not have access to. It does not, however, protect against an unauthorized user who has improperly obtained credentials that allow authentication to those systems or data.
When you implement strong sign-in workflows, you add another layer of security by validating the identity of users before granting access. When you combine strong sign-in workflows with centralized identity management, you have an authentication model that ensures only authorized users have access to systems.
HashiCorp tools and services like the HashiCorp Cloud Platform, Vault, and HCP Terraform support both centralized identity management and strong sign-in workflows using multi-factor authentication. Other tools like Nomad and Boundary support multi-factor authentication through integration with third-party identity providers like Okta.
HashiCorp Consul service mesh allows you to securely connect services across multiple runtime platforms. Consul supports mutual Transport Layer Security (mTLS) authentication, which provides strong service-to-service authentication within the service mesh.
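The following is an added example, not code from this page or from HashiCorp's documentation, showing how the Vault MFA support mentioned above can be configured as code: it pairs a userpass auth method (something you know) with a TOTP method (something you have) and a login enforcement so that every userpass login requires both. It assumes a reachable Vault server configured for the hashicorp/vault Terraform provider; the resource names (`userpass`, `totp`, `userpass_totp`) and the enforcement name are hypothetical.

```hcl
# Added example: enforce TOTP Login MFA on the userpass auth method in Vault.
# Assumes a running Vault reachable via VAULT_ADDR/VAULT_TOKEN for the provider.

terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

# First factor: username and password (something you know).
resource "vault_auth_backend" "userpass" {
  type = "userpass"
}

# Second factor: a TOTP method backed by an authenticator app (something you have).
resource "vault_identity_mfa_totp" "totp" {
  issuer    = "Vault"   # label shown in the authenticator app
  period    = 30        # seconds each code is valid
  digits    = 6
  algorithm = "SHA256"
  skew      = 1         # tolerate one period of clock drift on either side
}

# Login enforcement: bind the TOTP method to the userpass accessor so Vault
# demands a valid code on every userpass login, regardless of policy.
resource "vault_identity_mfa_login_enforcement" "userpass_totp" {
  name                  = "userpass-totp"
  mfa_method_ids        = [vault_identity_mfa_totp.totp.method_id]
  auth_method_accessors = [vault_auth_backend.userpass.accessor]
}
```

After `terraform apply`, each user's entity still needs to be enrolled in the TOTP method (for example through Vault's `identity/mfa/method/totp/admin-generate` endpoint with the method and entity IDs) before their first MFA-protected login succeeds.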
HashiCorp resources:
- Multi-factor authentication with HCP
- Enable multi-factor authentication in Vault
- Configure two-factor authentication in HCP Terraform
Next steps
Following these documents in order ensures a logical progression through the key concepts and best practices, giving you a strong foundation on which to build your identity and access management program.
- Define access requirements
- Grant least privilege
- Create permissions and guardrails
- Centralize identity management
- Implement strong sign-in workflows (this document)
- Use dynamic credentials
- Manage access lifecycle
In this section of Identity and access management you learned why you should use strong sign-in workflows in conjunction with centralized identity management and policies that follow the principle of least privilege. Identity and access management is part of the Secure systems pillar.