Password Policy and MFA
1) Objectives and scope
Goal: reduce the risk of compromise of employee, partner and player accounts, and ensure compliance with internal security standards and regulatory requirements.
Coverage: all corporate accounts (SSO/IdP), admin panels, payment and KYC consoles, service/bot accounts, and player user accounts.
2) Basic principles
Phishing-resistant by default: FIDO2/WebAuthn ≥ TOTP ≥ Push ≥ SMS/e-mail OTP (the latter only as a fallback).
Least Privilege + JIT: privileges are granted minimally and temporarily; MFA is mandatory on privilege elevation.
Passwords as last resort: emphasis on passphrases and password managers; short "memorable" passwords are prohibited.
Security by Default: MFA is enabled by default; critical actions require re-authentication.
Observability: all authentication, application and reset events are recorded in audit logs.
3) Password/Passphrase Requirements
3.1 Employees/admins
Format: passphrase ≥ 14 characters, spaces allowed; composition rules such as 'A1!' are prohibited; instead, check for leaked passwords (have-I-been-pwned style, locally or via a hashed API lookup).
Reuse: reuse of the last 10 passwords is prohibited, as is use of the corporate password for external services.
Rotation: only on compromise or suspected compromise; forced periodic change is not applied (it leads to weak passwords).
Storage: only in the corporate password manager; local files and browser autosave outside MDM profiles are prohibited.
3.2 Players
Minimum 10-12 characters or a passphrase generator; visual strength indicator; block lists of popular passwords.
Enable "show password" and "paste from manager"; do not impose non-standard restrictions (emoji and special characters are allowed).
4) Hashing and secrets
Algorithm: Argon2id (memory ≥ 256 MB, iterations ≥ 3, parallelism ≥ 1); bcrypt (cost ≥ 12) is allowed as legacy.
Salt: unique, ≥ 16 bytes per record. Pepper: a system secret kept in HSM/KMS.
Upgrade: on login, legacy hashes are transparently re-hashed to the current profile.
Service keys/API tokens: not "passwords"; manage them through a secret manager, rotate on a schedule and on incidents.
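An added example (not part of this policy document) of the "transparent re-hash on login" rule: it parses stored hash strings, compares them against the section 4 floor, and upgrades legacy or under-parameterised hashes after a successful verification. Assumptions: the Argon2 `m` parameter in PHC strings is in KiB (so 256 MB = 262144), bcrypt below cost 12 is treated as unusable, and the real `verify`/`rehash` functions come from the password library in use (e.g. argon2-cffi) and are injected.

```python
import re

# Policy from section 4. Assumption: Argon2's "m" in PHC strings is in KiB, so 256 MB = 262144.
ARGON2_MIN = {"m": 262144, "t": 3, "p": 1}
BCRYPT_MIN_COST = 12

def parse_hash(stored: str) -> dict:
    """Parse an argon2id PHC string or a bcrypt string into {alg, params}."""
    if stored.startswith("$argon2id$"):
        parts = stored.split("$")  # ['', 'argon2id', 'v=19', 'm=..,t=..,p=..', salt, digest]
        if len(parts) != 6:
            raise ValueError("malformed argon2id hash")
        params = {k: int(v) for k, v in (kv.split("=") for kv in parts[3].split(","))}
        return {"alg": "argon2id", "params": params}
    m = re.fullmatch(r"\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}", stored)
    if m:
        return {"alg": "bcrypt", "params": {"cost": int(m.group(1))}}
    raise ValueError("unsupported hash format")

def hash_status(stored: str) -> str:
    """'current': meets policy; 'rehash': accept once, then upgrade; 'reject': below the floor."""
    h = parse_hash(stored)
    if h["alg"] == "argon2id":
        p = h["params"]
        return "current" if all(p.get(k, 0) >= v for k, v in ARGON2_MIN.items()) else "rehash"
    # bcrypt is legacy: tolerated at cost >= 12 but always upgraded after the next good login;
    # below the floor the record is treated as unusable (assumption: force a password reset).
    return "rehash" if h["params"]["cost"] >= BCRYPT_MIN_COST else "reject"

def login(record: dict, password: str, verify, rehash) -> bool:
    """Transparent upgrade on login. verify(stored, pw) -> bool and rehash(pw) -> str are
    supplied by the real password library (e.g. argon2-cffi), so this logic stays library-free."""
    status = hash_status(record["hash"])
    if status == "reject" or not verify(record["hash"], password):
        return False
    if status == "rehash":
        record["hash"] = rehash(password)  # re-hash to the current Argon2id profile
    return True

# Constructed sample records (salt/digest fields are placeholders, not real hashes).
CURRENT = "$argon2id$v=19$m=262144,t=3,p=1$c2FsdHNhbHRzYWx0c2FsdA$ZGlnZXN0ZGlnZXN0ZGlnZXN0ZGlnZXN0ZA"
WEAK = "$argon2id$v=19$m=65536,t=2,p=1$c2FsdHNhbHRzYWx0c2FsdA$ZGlnZXN0ZGlnZXN0ZGlnZXN0ZGlnZXN0ZA"
BCRYPT_12 = "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZabcde"
BCRYPT_10 = "$2b$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZabcde"
```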
5) MFA: Factors and Priorities
Mandatory:
- backup codes (10, single-use), stored offline;
- MFA enforcement for admin access and payment actions, without exceptions;
- number matching in push instead of plain one-click approve.
6) Sessions policy and re-auth
Duration: web 12 h (interactive), admin console 8 h, critical panels 4 h.
Idle timeout: 15-30 min for admins.
Re-auth with MFA: for payments, changing details, changing e-mail or MFA, issuing API tokens.
Device binding: MDM-registered device for employees; for players, remembered trusted devices combined with a risk score.
7) Protection against authentication attacks
Credential stuffing: rate limits per IP/device/user, security delays, behavioral analysis, leaked-password checks.
Brute force: progressive delays/captcha after N failures; soft (temporary) locks, no long lockouts for players.
Password spraying: detection by anomaly (many accounts tried with one password).
MFA fatigue: limit on push requests, number matching, user notifications.
Bot/anti-automation: WebAuthn preferred, behavioral signals, TLS fingerprinting, mTLS for admin panels.
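An added example (not from this document) of the brute-force rule above: progressive delays after N failures and a short, self-expiring soft lock rather than a long lockout. The thresholds (N = 5, delay doubling from 2 s up to 60 s, soft lock after 15 failures for 15 minutes, counter reset after an hour of quiet) are assumptions, since the policy gives no numbers; the clock is injected so the behaviour can be tested offline.

```python
import math

# Assumed parameters (the policy states "N failures" and "soft lock" without numbers).
FREE_ATTEMPTS = 5       # N: no delay for the first N failures
BASE_DELAY_S = 2        # progressive delay doubles with each further failure
MAX_DELAY_S = 60        # cap for the progressive delay (a captcha could be required here instead)
SOFT_LOCK_AFTER = 15    # failures before a temporary soft lock
SOFT_LOCK_S = 15 * 60   # short and self-expiring: no long lockout for players
WINDOW_S = 60 * 60      # failure counter resets after an hour without attempts

class LoginThrottle:
    """Per-key (user or IP) throttle: call check() before, record() after each attempt."""

    def __init__(self, clock):
        self.clock = clock   # callable returning the current time in seconds; injectable for tests
        self.state = {}      # key -> {"fails": n, "last": t, "until": t}

    def check(self, key: str) -> tuple:
        """Return (allowed, wait_seconds) for the next attempt on this key."""
        now = self.clock()
        s = self.state.get(key)
        if s is None:
            return True, 0
        if now - s["last"] > WINDOW_S:        # quiet for a full window: forget the history
            del self.state[key]
            return True, 0
        if now < s["until"]:
            return False, math.ceil(s["until"] - now)
        return True, 0

    def record(self, key: str, success: bool) -> None:
        """Update the counter; a successful login clears all penalties for the key."""
        now = self.clock()
        if success:
            self.state.pop(key, None)
            return
        s = self.state.setdefault(key, {"fails": 0, "last": now, "until": now})
        s["fails"] += 1
        s["last"] = now
        if s["fails"] >= SOFT_LOCK_AFTER:
            s["until"] = now + SOFT_LOCK_S    # temporary soft lock, expires by itself
        elif s["fails"] > FREE_ATTEMPTS:
            delay = min(BASE_DELAY_S * 2 ** (s["fails"] - FREE_ATTEMPTS - 1), MAX_DELAY_S)
            s["until"] = now + delay
```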
8) Procedures (SOP)
8.1 Employee onboarding
1. SSO account via SCIM;
2. issue FIDO2 keys (at least 2: primary + backup) and TOTP;
3. install the password manager;
4. proof of training (phishing, MFA).
8.2 Device loss/MFA reset
1. Self-report through the portal → temporary blocking of sessions;
2. identity document check + confirmation by supervisor;
3. issue new factors;
4. 30-day log audit.
8.3 Break-glass (emergency access)
Recovery only; factor: HSM-stored master token + second approver; time-boxed to ≤ 30 min; full recording of the session; post-review by Security + DPO.
8.4 Player password reset
Channel: e-mail/phone, one-time link valid ≤ 15 minutes; after reset, mandatory MFA setup at next login (soft enforcement with a bonus/incentive).
9) Rules for different categories of accounts
9.1 Employees/Vendors
WebAuthn + TOTP required; SMS MFA banned.
Admin access only from MDM devices/corporate VPN; JIT for privilege escalation.
Local "shared" accounts prohibited; named accounts only.
9.2 Players
MFA soft-enforced: motivational banners, enrollment bonuses; hard enforcement at high risk (payments/change of details).
Accessibility support: passphrases/screen readers, fallback channels.
9.3 Service Accounts/APIs
No passwords; mutual authentication only (mTLS, OIDC client credentials, webhook signatures).
Keys in the secret manager; rotation and audit.
10) Integration with IdP/SSO
Central IdP (OIDC/SAML); RBAC as code.
Adaptive MFA: step up factors on risk signals (geo, new device, anomalies).
SCIM provisioning/de-provisioning; offboarding ≤ 15 min after termination.
11) Logging and auditing
Events (audit-mandatory): `LOGIN_SUCCESS/FAIL`, `MFA_ENROLL/VERIFY/FAIL`, `PASSWORD_RESET_REQUEST/COMPLETE`, `MFA_RESET`, `DEVICE_TRUST_ADD/REMOVE`, `BREAK_GLASS_START/END`, `ADMIN_LOGIN`, `RISK_UPGRADE`, `TOKEN_ISSUE/REVOKE`.
Copy to WORM storage, signature/hash chain; bind each record to `trace_id`, `actor_id`, `purpose`.
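An added example (not part of this document) of the hash chain for audit records: each record carries the event name from the list above, the three required bindings, and the hash of the previous record, so any edit or deletion breaks verification from that point on. Field names and the SHA-256/JSON encoding are assumptions; in production the head hash would additionally be signed and the copy written to WORM storage.

```python
import hashlib
import json

# Event names from section 11; trace_id / actor_id / purpose are the required bindings.
AUDIT_EVENTS = {
    "LOGIN_SUCCESS", "LOGIN_FAIL", "MFA_ENROLL", "MFA_VERIFY", "MFA_FAIL",
    "PASSWORD_RESET_REQUEST", "PASSWORD_RESET_COMPLETE", "MFA_RESET",
    "DEVICE_TRUST_ADD", "DEVICE_TRUST_REMOVE", "BREAK_GLASS_START", "BREAK_GLASS_END",
    "ADMIN_LOGIN", "RISK_UPGRADE", "TOKEN_ISSUE", "TOKEN_REVOKE",
}
GENESIS = "0" * 64  # prev_hash of the first record

def _digest(body: dict) -> str:
    # Canonical JSON (sorted keys) so the same record always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_event(chain: list, event: str, trace_id: str, actor_id: str, purpose: str, **extra) -> dict:
    """Append one record whose hash covers its own fields and the previous record's hash."""
    if event not in AUDIT_EVENTS:
        raise ValueError(f"unknown audit event {event}")
    body = {"seq": len(chain), "event": event, "trace_id": trace_id, "actor_id": actor_id,
            "purpose": purpose, **extra, "prev_hash": chain[-1]["hash"] if chain else GENESIS}
    body["hash"] = _digest(body)
    chain.append(body)
    return body

def verify_chain(chain: list) -> int:
    """Return -1 if the chain is intact, otherwise the seq of the first record that fails."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != i or rec["prev_hash"] != prev or rec["hash"] != _digest(body):
            return i
        prev = rec["hash"]
    return -1

def sample_chain() -> list:
    """Constructed sample: a break-glass session recorded end to end."""
    chain = []
    append_event(chain, "BREAK_GLASS_START", "trace-1", "admin-42", "prod incident", approver="sec-7")
    append_event(chain, "ADMIN_LOGIN", "trace-1", "admin-42", "prod incident")
    append_event(chain, "BREAK_GLASS_END", "trace-1", "admin-42", "prod incident")
    return chain
```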
12) Metrics and KPI/KRI
MFA adoption (employees): 100% WebAuthn, 100% TOTP as backup.
MFA adoption (players): ≥ 30-50% within 6 months (depending on the market).
Compromised logins: 0; share of attempts with leaked passwords blocked at the perimeter: 100%.
Avg time to offboard: ≤ 15 min.
Push fatigue alerts per 1000 MAU: ↓ MoM.
Password reset success rate: ≥ 98% without contacting support.
Re-auth coverage: 100% for high-risk operations.
13) Policy examples (snippets)
13.1 Length and leak checking policy (pseudo-YAML)
```yaml
password:
  min_length: 14
  allow_spaces: true
  banned_lists:
    - top100k_common
    - organization_keywords
  breach_check: enabled   # k-anonymity lookup
  rotation: on_compromise_only
```
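An added example (not from this document) implementing the policy of 3.1 and the snippet above: length and banned-list checks with no composition rules, plus the k-anonymity breach check, where only the first 5 hex characters of the SHA-1 are sent and the suffix is matched on the client. The list contents, the leaked corpus and the `hibp_range` stand-in for the range endpoint are constructed for the example.

```python
import hashlib

# Policy values from snippet 13.1. The list contents and the leaked corpus are constructed
# stand-ins for the real top100k list, organization keyword list and breach index.
MIN_LENGTH = 14                       # no composition rules: length and leak status only
TOP100K_COMMON = {"password123456", "qwertyuiopasdf"}
ORGANIZATION_KEYWORDS = {"acme", "casino"}
LEAKED_CORPUS = ["correct horse battery staple", "letmein letmein letmein"]

def hibp_range(prefix: str) -> dict:
    """Stand-in for the k-anonymity range endpoint of a HIBP-style service: for a 5-hex-char
    SHA-1 prefix it returns {suffix: count} for every leaked hash with that prefix. Only the
    prefix is ever sent, so the service never learns the password or its full hash."""
    out = {}
    for pw in LEAKED_CORPUS:
        digest = hashlib.sha1(pw.encode()).hexdigest().upper()
        if digest.startswith(prefix):
            out[digest[5:]] = out.get(digest[5:], 0) + 1
    return out

def breach_check(password: str, lookup=hibp_range) -> int:
    """Client side of the lookup: send the prefix, match the suffix locally.
    Returns the breach count (0 == not seen)."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return lookup(digest[:5]).get(digest[5:], 0)

def validate_password(password: str) -> list:
    """Return the policy violations for a candidate password (empty list == accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    if lowered.replace(" ", "") in TOP100K_COMMON:   # allow_spaces: true, so compare without them
        problems.append("in top100k_common list")
    for kw in sorted(ORGANIZATION_KEYWORDS):
        if kw in lowered:
            problems.append(f"contains organization keyword '{kw}'")
    if breach_check(password):
        problems.append("found in breach data")
    return problems
```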
13.2 MFA enforcement
```yaml
mfa:
  required_roles:
    - admin
    - payments
    - aml
    - kyc
  required_factors:
    - webauthn
  fallback:
    - totp
  disallowed:
    - sms
```
13.3 Re-auth for sensitive actions
```yaml
reauth:
  actions:
    - change_payout_details
    - approve_withdrawal
    - change_email
    - manage_mfa
  ttl_minutes: 5
```
14) Relationship with other controls
RBAC/ABAC/SoD: MFA is mandatory for role assignment/change, JIT elevations and `APPROVE_`-prefixed operations.
Logs and log storage: see "Audit logs and access traces" and "Log storage policy".
Incidents: on suspected compromise, immediately reset the password and tokens, revoke sessions, run forensics (see "Procedures for data leakage").
15) Checklists
Before releasing authentication
- WebAuthn enabled, TOTP as backup, backup codes issued.
- Leaked-password and wordlist checks.
- Rate limits and credential-stuffing protection.
- Re-auth for sensitive operations.
- Logs/audits and alerts in SIEM.
Quarterly
- MFA adoption analytics; A/B tests of motivators for players.
- Review of push-fatigue policies.
- Service key rotation, pepper/KMS check.
- Exercises: FIDO2 key loss, TOTP failure, break-glass.
16) Implementation Roadmap
Weeks 1-2: authentication audit, enable WebAuthn and TOTP, configure breach-check, update password policy (passphrase).
Weeks 3-4: implement re-auth for high-risk, number-matching in push, SIEM alerts; distribute FIDO2 keys to employees.
Month 2: adaptive MFA (risk signals), full-featured password manager, self-service reset portal, backup codes.
Month 3 +: A/B MFA promotion to players, periodic drills, UX optimization and MFA-fatigue reduction, KPI reporting automation.
TL;DR
Strong authentication = passphrases + WebAuthn (required) + TOTP (backup) + re-auth for risky actions, stuffing/brute-force protection, strong hashing (Argon2id), a password manager and auditing of every step. Done correctly, this reduces account compromises, simplifies compliance and barely affects UX.