Image showing access control arrangements in a UK office

Access Control, Strong Passwords and Multi-Factor Authentication

Access Control in Brief

Identity, authentication and authorisation - who is the user, can they prove it, and what are they allowed to do? Strong passwords and MFA, role-based access and timely de-provisioning of leavers cover most of the ground.

Access Control, Passwords and User Authentication

Access control is the foundation of information security. Almost every other control depends on it - if the wrong people can reach information they should not have, the rest of the security model unravels. The principle behind access control is simple: people should be able to reach the information and systems they need to do their job, and nothing more.

In practice access control involves several layers working together. Identity confirms who someone is, authentication confirms they are who they claim to be, authorisation defines what they are allowed to do, and access logging records what they actually did. Each layer matters - weak authentication undermines strong authorisation, and missing logs make it hard to investigate when something goes wrong.

Managing User Accounts and Access Control

Every individual who needs access to information systems should have their own account. Shared accounts cause problems for accountability - it becomes impossible to know who did what - and they cause problems for access control because revoking access when someone leaves means resetting the credentials for everyone still using the account.

The lifecycle of an account has three points where access control most often goes wrong: when someone joins, when their role changes, and when they leave. Joiners often end up with more access than they need because the easiest thing is to copy the permissions of someone in a similar role. Movers keep their old permissions when they take on new ones, accumulating access over time. Leavers sometimes keep access for days or weeks after their last day.

The practical fix for all three is a defined onboarding, transfer and offboarding checklist tied to the access control register. New starters get the access they need for their actual role. Movers have their previous access reviewed and trimmed back. Leavers have their access deactivated by the end of their last working day, with the records kept for any later access requests.

Passwords and Multi-Factor Authentication

The traditional advice to require frequent password changes has been overtaken by current guidance. The National Cyber Security Centre now recommends that passwords are changed only when there is reason to believe they have been compromised, and that organisations focus instead on requiring strong, unique passwords supported by multi-factor authentication. The reasoning is that frequent forced changes lead to predictable patterns - "Password1", "Password2" - and to written-down passwords that are easier to steal than to crack.

The current practical recommendations are: passwords of reasonable length (at least 12 characters; mixing character types helps but is not essential), no reuse across systems, no sharing, password managers permitted and encouraged so that unique passwords stay manageable, and multi-factor authentication required wherever it is supported.
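The following is an added example, not code from the page or from alphaZ, showing how a password-acceptance check can enforce the recommendations above: a 12-character minimum with no character-class requirement, a blocklist of known-weak passwords, no reuse against a history of stored hashes, and rejection of the "Password1" to "Password2" style of change that the text describes as the result of forced rotation. The blocklist, the sample passwords and the trailing-counter heuristic in `_base_form` are all constructed assumptions for illustration; PBKDF2 is used for the history hashes because it is in the Python standard library.

```python
"""Password acceptance check aligned with current guidance (added example;
not the page's or alphaZ's own code). Blocklist and sample data are constructed.

Rules enforced: minimum length 12, no blocklisted passwords, no username in the
password, no reuse of any previous password (compared against stored PBKDF2
hashes), and no trivial variant of the current password such as
"Password1" -> "Password2". Mixing character classes is not required.
"""
import hashlib
import hmac
import os
import re
from typing import List, Optional, Sequence

# Constructed blocklist; a real deployment would use a breached-password list.
COMMON_PASSWORDS = {"password", "password1", "letmein", "qwerty123456", "welcome2024"}

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt$digest' (hex) using PBKDF2-HMAC-SHA256 with a random salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def matches_stored(password: str, stored: str) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def _base_form(password: str) -> str:
    """Lower-case the password and strip trailing digits/symbols, so that
    'Password1', 'Password2' and 'Password2!' all reduce to 'password'.
    (Simple heuristic chosen for this example.)"""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def check_password(new_password: str, username: str, old_password: Optional[str] = None,
                   previous_hashes: Sequence[str] = (), min_length: int = 12) -> List[str]:
    """Return the reasons the password is unacceptable; an empty list means it is OK."""
    reasons = []
    if len(new_password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if new_password.lower() in COMMON_PASSWORDS:
        reasons.append("on the common-password blocklist")
    if username and username.lower() in new_password.lower():
        reasons.append("contains the username")

    # Reuse: compare against the stored history without ever storing plaintext.
    reused = any(matches_stored(new_password, h) for h in previous_hashes)
    if old_password is not None:
        if new_password == old_password:
            reused = True
        else:
            base_new, base_old = _base_form(new_password), _base_form(old_password)
            if base_new and base_new == base_old:
                reasons.append("trivial variant of the current password")
    if reused:
        reasons.append("identical to a previous password")
    return reasons


if __name__ == "__main__":
    history = [hash_password("correct horse battery staple")]  # constructed history
    for candidate in ["Password2", "correct horse battery staple", "glass-kettle-orbit-47"]:
        verdict = check_password(candidate, "alice", old_password="Password1",
                                 previous_hashes=history)
        print(f"{candidate!r}: {verdict or ['accepted']}")
```

The old password is only needed in plaintext at the moment of change, when the user supplies it anyway; the history itself is kept as salted hashes, so the reuse check never requires storing previous passwords.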

Multi-factor authentication is the single most effective improvement most organisations can make to their access control. Even a stolen or guessed password becomes much less useful if the attacker also needs a second factor - typically a code from an authenticator app, a hardware token, or, less securely, a code sent by SMS. Email accounts, cloud services, banking and any externally-accessible system are the highest priorities.

Privileged and Administrative Access Control

Administrative accounts deserve particular attention because they can do the most damage if compromised. The recommended approach is to keep administrative privileges on separate accounts from day-to-day user accounts, so that the administrator only logs in with elevated rights when actually performing administrative work. This limits the exposure of the privileged account and makes it easier to detect misuse.

Privileged access should also be subject to additional controls: stronger authentication requirements, more frequent review, and logging of administrative actions. Where possible, just-in-time access - where elevated rights are granted for a defined task and revoked afterwards - is preferable to standing administrative privileges.

Reviewing Access Rights

Access rights need ongoing review even where the joiner-mover-leaver process is working well. People take on temporary projects, departments reorganise, systems are added and decommissioned. A periodic review - typically annual for general user access and more frequent for privileged access - catches the drift and keeps the access list aligned with what people actually need.

The review is also where insider threat risk gets managed. Most insider incidents are not malicious - they are accidental misuse, or use of access that should have been removed earlier. Periodic review combined with separation of duties (so that no single person can complete a sensitive process from start to finish) addresses most of the practical risk.

Access control is one of those things where the basics are not glamorous but they are what actually protects the organisation. One account per person. Strong unique passwords. Multi-factor authentication everywhere. Access removed when people leave. A list of who has access to what. None of this is exciting, but it is what stops the most common attacks from getting anywhere.

The trap is thinking that a fancy system replaces the basics. It does not. The fanciest system in the world is no use if the leaver from three months ago still has their account.

When I audit access control I ask for the list of accounts on the main systems and compare it to the current staff list. The number of accounts that should not be there is usually higher than the organisation expects. I also look at how privileged accounts are managed and whether the people using them log in with their elevated rights for routine work, which is a common finding.

The other thing I check is the leaver process. I will pick a recent leaver at random and look for evidence that their access was disabled on or before their last day. If the records do not exist, the controls are not really in place regardless of what the policy says.
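As an added example of the periodic review described under "Reviewing Access Rights" and the audit checks described above, the following script reconciles a system's account export against the HR staff list. It is not the page's or alphaZ's own code; the staff list, the account export, the review date and the thresholds (90 days for a dormant account, 20 interactive logins in 30 days as the sign that an administrative account is being used for routine work) are constructed assumptions. It reports leavers still enabled after their last day, accounts with no matching staff record, privileged accounts without MFA, privileged accounts in daily use, and dormant accounts.

```python
"""Periodic access review over a constructed account export (added example;
not the page's or alphaZ's own code).

Reconciles a system's account list against the HR staff list and reports the
findings the review is meant to catch: leavers whose accounts are still
enabled, accounts with no matching staff record, privileged accounts without
MFA, privileged accounts used for routine daily work, and dormant accounts.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class StaffRecord:
    staff_id: str
    name: str
    leaving_date: Optional[date]  # None while still employed


@dataclass
class Account:
    username: str
    owner: str            # staff_id the account belongs to; "" if not recorded
    enabled: bool
    privileged: bool
    mfa_enrolled: bool
    last_login: date
    logins_last_30d: int  # interactive logins in the last 30 days


REVIEW_DATE = date(2024, 6, 30)  # constructed review date

# Constructed HR staff list
STAFF = [
    StaffRecord("S001", "Ana Clark", None),
    StaffRecord("S002", "Ben Doyle", date(2024, 3, 15)),  # left 107 days before the review
    StaffRecord("S003", "Cara Evans", None),
    StaffRecord("S004", "Dev Foster", None),
]

# Constructed account export from the main system
ACCOUNTS = [
    Account("aclark", "S001", True, False, True, date(2024, 6, 28), 22),
    Account("bdoyle", "S002", True, False, True, date(2024, 3, 14), 0),
    Account("cevans", "S003", True, False, True, date(2024, 6, 29), 20),
    Account("cevans-adm", "S003", True, True, True, date(2024, 6, 29), 21),
    Account("dfoster-adm", "S004", True, True, False, date(2024, 6, 20), 3),
    Account("svc-backup", "", True, False, False, date(2024, 6, 30), 30),
    Account("jtemp", "", False, False, False, date(2023, 11, 2), 0),  # disabled: out of scope
]


def review_access(accounts: List[Account], staff: List[StaffRecord], review_date: date,
                  stale_days: int = 90, routine_threshold: int = 20) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for every enabled account that needs attention."""
    by_id = {s.staff_id: s for s in staff}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already deactivated; nothing to review
        record = by_id.get(acct.owner)
        if record is None:
            # Nobody on the staff list owns this account, so nobody is accountable for it.
            findings.append((acct.username, "no matching staff record"))
            continue
        if record.leaving_date is not None and record.leaving_date < review_date:
            overdue = (review_date - record.leaving_date).days
            findings.append((acct.username, f"leaver still enabled ({overdue} days after leaving)"))
        if acct.privileged and not acct.mfa_enrolled:
            findings.append((acct.username, "privileged account without MFA"))
        if acct.privileged and acct.logins_last_30d >= routine_threshold:
            # Elevated rights should be used for administrative tasks, not daily work.
            findings.append((acct.username, "privileged account used for routine work"))
        if (review_date - acct.last_login).days > stale_days:
            findings.append((acct.username, f"no login for more than {stale_days} days"))
    return findings


if __name__ == "__main__":
    for username, finding in review_access(ACCOUNTS, STAFF, REVIEW_DATE):
        print(f"{username:<12} {finding}")
```

The "no matching staff record" finding is deliberately raised before any other check: until an owner is recorded, no one can answer whether the account should exist at all, which is the question the review exists to ask.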

We tightened things up last year after an internal audit found two accounts still active for people who had left more than six months earlier. We now have a checklist that runs the day before someone leaves, and the IT manager signs off on the deactivation as part of the leaver process.

Practical Compliance Guidance

The IMS1 Manual covers access control as part of the wider information security management section, alongside the controls that govern who has access to premises, systems and information overall.

The following alphaZ documents support a practical approach to access control, passwords and user authentication.

alphaZ document - How to use it

ISO 27001 Toolkit - Full document set for setting up an information security management system, including the access control and password policies.

P-24 Access Control Policy - Policy covering the principles for granting, reviewing and revoking access to information systems and physical areas.

P-27 Password Policy - Policy covering password requirements, secure storage, multi-factor authentication and how compromised passwords are handled.

P-89 User Access Management Policy - Policy covering the joiner, mover and leaver process and how user accounts are managed across their lifecycle.

ER10 IT Equipment Logins Register - Register listing IT equipment, the accounts assigned to it and the access rights held. Used to support periodic access reviews.

PP-8-100 Information Security Policy Procedure - The master policy that sets out the access control sections referenced from the standalone policies above.

Note - all the above files can be downloaded with an alphaZ subscription.

Frequently Asked Questions

In nearly all cases, yes. Shared accounts make it impossible to attribute actions to individuals, which breaks accountability and makes incident investigation considerably harder. Some legacy systems do not support per-user accounts and a shared account is unavoidable, but in those cases the use of the account should be logged separately, the password should change whenever any of the users with knowledge of it leaves, and the account should be a candidate for replacement when the system is next upgraded.

Current NCSC guidance is that routine forced password changes are no longer recommended. Passwords should be changed when there is reason to believe they have been compromised - for example after a known breach of the system, or when a privileged user leaves. Forced changes on a fixed schedule tend to produce predictable patterns and weaker passwords overall. The exception is where contractual or regulatory requirements still require fixed-period changes, in which case those requirements take precedence.

For most organisations and individuals, password managers are safer than the alternative - which is reusing passwords or writing them down. They allow each system to have a unique strong password without anyone needing to remember it. Mainstream password managers from reputable providers are trusted by the NCSC for general use. Where a password manager is permitted, the policy should set out which products are approved and what controls apply to the master password and to the recovery process.

SMS-based multi-factor authentication is better than no second factor at all, but it is the weakest of the common options because SMS can be intercepted or redirected through SIM-swap attacks. Where a system supports it, an authenticator app or hardware token is preferable. SMS is acceptable as a second factor for lower-risk systems and for users who cannot use other methods, but high-value accounts - administrators, finance, anything with bulk personal data - should use stronger options.

UK Legislation

The following UK legislation is directly relevant to access control. Organisations outside the UK should identify the equivalent legislation applicable in their jurisdiction.

Further Resources
