Why these three basics matter
Most business systems fail security because they treat it as “login only”. Real security is: strong authentication (MFA), controlled authorization (RBAC), and evidence (audit trails).
1) Accounts & authentication
Authentication proves identity. Your baseline should include: strong password policy, safe sessions, and protection against brute force.
Minimum requirements
- Hash passwords (bcrypt/argon2); never store plaintext passwords.
- Rate limiting on login attempts (lockout / cooldown).
- Secure cookies (HttpOnly + Secure + SameSite).
- Session timeouts, with “remember me” kept under explicit control.
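The two baseline controls that need real code are password hashing and login rate limiting. The following is an added example, not code from the original article: it hashes passwords with a per-password random salt and verifies them in constant time, and it wraps login in a per-account failure counter with a lockout/cooldown. `hashlib.scrypt` from the standard library stands in for bcrypt/argon2 so the snippet runs without extra packages; the cost parameters, the lockout threshold (5 failures) and the cooldown (300 s) are assumed values, not recommendations from the page.

```python
# Added example, not from the original article: salted password hashing plus a
# login rate limiter with lockout/cooldown. hashlib.scrypt (standard library)
# stands in for bcrypt/argon2 so the snippet runs without extra packages; the
# cost parameters, lockout threshold and cooldown are assumed values.
import hashlib
import hmac
import os
import time

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # assumed cost parameters


def hash_password(password: str) -> str:
    """Return 'salt_hex$digest_hex' using a fresh random salt per password."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Verified against for unknown usernames so that response time does not
# reveal whether an account exists.
_DUMMY_HASH = hash_password("dummy-password-for-timing-equalisation")


class LoginGuard:
    """Per-account failure counter: after max_fails consecutive failures the
    account is locked for cooldown seconds. The clock is injectable for tests."""

    def __init__(self, max_fails=5, cooldown=300, clock=time.monotonic):
        self.max_fails = max_fails
        self.cooldown = cooldown
        self.clock = clock
        self._fails = {}         # username -> consecutive failures
        self._locked_until = {}  # username -> clock value when the lock expires

    def is_locked(self, username: str) -> bool:
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:
            # Cooldown elapsed: drop the lock and start counting afresh.
            del self._locked_until[username]
            self._fails.pop(username, None)
            return False
        return True

    def record_failure(self, username: str) -> None:
        count = self._fails.get(username, 0) + 1
        self._fails[username] = count
        if count >= self.max_fails:
            self._locked_until[username] = self.clock() + self.cooldown

    def record_success(self, username: str) -> None:
        self._fails.pop(username, None)
        self._locked_until.pop(username, None)


def attempt_login(guard: LoginGuard, users: dict, username: str, password: str) -> str:
    """Return 'locked', 'ok' or 'denied'. users maps username -> stored hash."""
    if guard.is_locked(username):
        return "locked"  # refuse before touching the password at all
    stored = users.get(username, _DUMMY_HASH)
    valid = verify_password(password, stored)  # always runs: uniform timing
    if valid and username in users:
        guard.record_success(username)
        return "ok"
    guard.record_failure(username)  # unknown usernames are counted too
    return "denied"
```

A time-bounded cooldown rather than a permanent lock is deliberate: a permanent lock lets anyone who knows a username deny that user access simply by failing the login repeatedly. In a multi-instance deployment the counters would live in a shared store rather than in process memory.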
2) MFA options
MFA (Multi-Factor Authentication) requires something you know (password) plus something you have (phone/app/security key).
Recommended (best)
- Authenticator app (TOTP): Google Authenticator, Microsoft Authenticator, Authy.
- Passkeys / security keys (when available): strongest phishing resistance.
Acceptable (fallback)
- SMS OTP: easy for users but weaker because of SIM-swap attacks.
- Email OTP: better than nothing but depends on email security.
MFA policy recommendation
- Require MFA for admins and finance roles.
- Offer optional MFA to all other users and encourage enrollment.
- Provide recovery codes and an admin recovery process.
3) Roles & permissions (RBAC)
RBAC (Role-Based Access Control) prevents “everyone can do everything”. Build roles around responsibilities, and apply least privilege.
Simple RBAC model
| Role | Can do | Cannot do |
|---|---|---|
| Operator | Create/edit own records, view own history | Approve, manage roles, export sensitive reports |
| Supervisor | Approve within scope, assign tasks, view team status | Change financial settings, delete audit logs |
| Finance/Admin | View financial reports, export, reconcile | Edit operational approvals outside the approval policy |
| System Admin | Manage roles, MFA policy, system configuration | Be the only approver for money actions |
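The table above is enough to write the authorization check itself. The following is an added example, not code from the original article: a deny-by-default role-to-permission map built from the table, plus the scope rules a role name alone cannot express (Operators act only on their own records, Supervisors approve only within their team, and nobody approves a record they created). Permission names, team scoping and the `User`/`Record` shapes are assumptions for illustration; note that no role carries an `audit.delete` permission, which is how the "delete audit logs" prohibition is enforced.

```python
# Added example, not from the original article: a deny-by-default RBAC check
# built from the role table. Permission names, team scoping and the
# User/Record shapes are illustrative assumptions.
from dataclasses import dataclass
from typing import Optional, Tuple

PERMISSIONS = {
    "Operator": {"record.create", "record.edit_own", "history.view_own"},
    "Supervisor": {"record.create", "record.edit_own", "history.view_own",
                   "approval.grant", "task.assign", "team.view"},
    "Finance/Admin": {"report.financial.view", "report.export", "ledger.reconcile"},
    "System Admin": {"role.manage", "mfa.policy.manage", "system.configure"},
}
# No role holds "audit.delete": deleting audit logs is simply not grantable.


@dataclass
class User:
    user_id: int
    roles: set
    team: str


@dataclass
class Record:
    record_id: str
    owner_id: int
    team: str
    status: str = "pending"


def has_permission(user: User, perm: str) -> bool:
    """Union over the user's roles; unknown roles or permissions grant nothing."""
    return any(perm in PERMISSIONS.get(role, set()) for role in user.roles)


def can(user: User, perm: str, record: Optional[Record] = None) -> Tuple[bool, str]:
    """Return (allowed, reason): role check first, then scope rules."""
    if not has_permission(user, perm):
        return False, "role lacks permission"
    if perm.endswith("_own"):
        if record is None or record.owner_id != user.user_id:
            return False, "not the record owner"
    if perm == "approval.grant":
        if record is None or record.team != user.team:
            return False, "out of scope"
        if record.owner_id == user.user_id:
            # Separation of duties: creator and approver must be different people.
            return False, "cannot approve own record"
    return True, "ok"


def approve(approver: User, record: Record) -> Record:
    """Approve a record, or raise with the reason the check failed."""
    allowed, reason = can(approver, "approval.grant", record)
    if not allowed:
        raise PermissionError(f"user {approver.user_id} -> {record.record_id}: {reason}")
    record.status = "approved"
    return record
```

Returning the reason alongside the decision is useful for the audit trail: the denied attempt and its cause can be logged without leaking the whole policy to the caller.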
4) Audit trails (who did what, when)
Audit trails are business evidence. They help investigations, compliance, and internal controls. For business systems, audit trails are non-negotiable.
What to log (minimum)
- Authentication events: login, logout, failed login, password change, MFA enable/disable.
- Permission changes: role assignment, privilege updates.
- Sensitive actions: approvals, exports, deletes, refunds, accounting posting.
- Record changes: before/after values for key fields.
Suggested fields per audit entry:

| Field | Example |
|---|---|
| actor_user_id | 123 |
| action | approval.granted |
| entity | invoice:INV-2026-00091 |
| ip / user_agent | 203.x.x.x / Chrome |
| before / after | status: pending → approved |
| request_id | trace-uuid |
5) Tamper-evident logs
Tamper-evident logs do not magically stop a powerful attacker, but they make unauthorized changes detectable. That’s critical for finance and compliance.
Practical approach
- Write logs to append-only storage (no updates/deletes).
- Restrict DB permissions: app can insert logs but not delete.
- Export or stream logs to a separate system (optional).
Stronger approach
- Hash chaining: each log entry includes the hash of the previous entry.
- Daily signed snapshots of audit logs.
- Immutable storage / WORM policies (if available).
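The following is an added example, not code from the original article, that ties sections 4 and 5 together: an append-only audit log whose entries carry the fields listed in the table above (actor, action, entity, before/after, ip, user_agent, request_id) and are hash-chained, a verifier that recomputes every hash and link, and a signed snapshot of the chain head standing in for the "daily signed snapshot". The snapshot uses an HMAC key as a stand-in for a real signing key, and the entry layout, hash construction and sample log lines are assumptions for illustration.

```python
# Added example, not from the original article: hash-chained, append-only
# audit log with chain verification and a signed snapshot of the chain head.
# Entry layout and the HMAC-based snapshot signature are illustrative.
import hashlib
import hmac
import json
import time
import uuid

GENESIS = "0" * 64  # prev_hash of the very first entry


class AuditLog:
    """Append-only: the class deliberately offers no update or delete."""

    def __init__(self):
        self._entries = []

    def append(self, actor_user_id, action, entity, before, after,
               ip, user_agent, request_id=None, ts=None) -> dict:
        prev_hash = self._entries[-1]["entry_hash"] if self._entries else GENESIS
        entry = {
            "seq": len(self._entries),
            "ts": ts if ts is not None else time.time(),
            "actor_user_id": actor_user_id,
            "action": action,
            "entity": entity,
            "ip": ip,
            "user_agent": user_agent,
            "before": before,
            "after": after,
            "request_id": request_id or str(uuid.uuid4()),
            "prev_hash": prev_hash,  # links this entry to its predecessor
        }
        entry["entry_hash"] = self.hash_entry(entry)
        self._entries.append(entry)
        return entry

    @staticmethod
    def hash_entry(entry: dict) -> str:
        """SHA-256 over a canonical JSON form of every field except entry_hash."""
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"), default=str)
        return hashlib.sha256(canonical.encode()).hexdigest()

    def entries(self) -> list:
        return [dict(e) for e in self._entries]


def verify_chain(entries: list):
    """Return (ok, first_bad_seq). Any edited field changes that entry's
    hash, and the next entry's prev_hash then no longer matches."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if (entry["seq"] != i or entry["prev_hash"] != prev
                or AuditLog.hash_entry(entry) != entry["entry_hash"]):
            return False, i
        prev = entry["entry_hash"]
    return True, None


def sign_snapshot(entries: list, key: bytes) -> dict:
    """Commit to (count, head hash); stored separately from the log."""
    head = entries[-1]["entry_hash"] if entries else GENESIS
    payload = {"count": len(entries), "head": head}
    sig = hmac.new(key, json.dumps(payload, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    return {**payload, "sig": sig}


def verify_snapshot(entries: list, snapshot: dict, key: bytes) -> bool:
    """True if the first `count` entries still end at the signed head."""
    expected = sign_snapshot(entries[: snapshot["count"]], key)
    return (expected["head"] == snapshot["head"]
            and hmac.compare_digest(expected["sig"], snapshot["sig"]))
```

Chain verification alone cannot detect truncation: dropping the newest entries leaves a chain that still verifies. That is what the snapshot is for. Because it records the count and head hash under a key the log writer does not hold, a log that has been shortened since the snapshot fails the comparison, which is why the page recommends signed snapshots and a separate system for the exports.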
6) Implementation checklist
- ✓ Enable secure cookies + CSRF protection.
- ✓ Add rate limits on login + password reset.
- ✓ Require MFA for admin & finance roles.
- ✓ Implement RBAC with least privilege.
- ✓ Create audit logs for sensitive actions + changes.
- ✓ Use append-only or tamper-evident logging strategy.