Authentication & Credential Security Controls

eXpress badging® enforces strict authentication, password management, and session control policies across the Veonics® Portal and internal systems. All practices are aligned with OWASP recommendations and NIST CSF 2.0.

🔑 Public vs. Restricted Access

Q: Does the website design distinguish between public and restricted areas of the website?

  • Answer: Yes

  • Public expressbadging.com content (marketing site) and portal.veonics.com restricted content (Veonics® Portal login) are clearly separated.

  • Customer-scoped data is served only behind an authenticated portal login; the marketing site holds no customer data.

📄 Supporting Documentation: Security Roles & Responsibilities in the Veonics Ecosystem


👤 Least-Privilege Service Accounts

Q: Does the application use least-privileged service accounts to connect resources such as databases, directory services, and others?

  • Answer: Yes

  • Service accounts operate under least-privilege IAM roles in AWS.

  • Access is reviewed quarterly during EOS Scorecard reviews.

📄 Supporting Documentation: Need-to-Know & Least-Privilege Access Policy


📨 Authentication Messages

Q: Does the application display generic authentication messages for failures?

  • Answer: Yes

  • Messages such as “Invalid username or password” do not disclose which part of the login failed.


🔐 Password Storage Protection

Q: Is cryptographic protection in place for passwords in storage?

  • Answer: Yes

  • Passwords are never stored in plaintext; only a salted hash produced by an industry-standard password-hashing algorithm is kept, with a unique random salt per account.

📄 Supporting Documentation: Veonics Portal Cybersecurity & Compliance Overview
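The two controls above (generic failure messages and salted password hashing) fit together in one login routine. The following is an added illustration, not the Veonics® Portal's own code: it uses PBKDF2-HMAC-SHA256 from the Python standard library with a per-user random salt, returns the same "Invalid username or password" text whether the username is unknown or the password is wrong, and runs a dummy hash for unknown usernames so response time does not reveal which accounts exist. The iteration count, the in-memory user store and the function names are assumptions for this example.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 parameters. The iteration count is an assumption for this
# example (it matches the figure in OWASP's Password Storage Cheat Sheet); a
# deployment tunes it to its own hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
HASH_BYTES = 32

# One generic message for every failure path, so the response never says
# whether the username or the password was the part that failed.
GENERIC_FAILURE = "Invalid username or password"

# Constructed in-memory user store for the example: username -> (salt, hash).
# A real deployment keeps this in the database behind a least-privilege account.
USER_STORE: dict = {}

# Dummy record computed once at startup. Unknown usernames are verified against
# it so they pay the same PBKDF2 cost as real ones (no timing oracle on usernames).
DUMMY_SALT = os.urandom(SALT_BYTES)
DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", b"dummy", DUMMY_SALT, PBKDF2_ITERATIONS, HASH_BYTES)


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored hash for a password under a given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, HASH_BYTES)


def register(username: str, password: str) -> None:
    """Store a fresh random salt and the derived hash; the plaintext is discarded."""
    salt = os.urandom(SALT_BYTES)  # unique per user, so equal passwords hash differently
    USER_STORE[username] = (salt, hash_password(password, salt))


def stored_record(username: str) -> tuple:
    """Return the (salt, hash) pair kept for a user (used to show salts differ)."""
    return USER_STORE[username]


def login(username: str, password: str) -> tuple:
    """Verify credentials; returns (success, message) with a generic message on failure."""
    record = USER_STORE.get(username)
    if record is None:
        salt, expected = DUMMY_SALT, DUMMY_HASH  # same work as a real lookup
    else:
        salt, expected = record
    candidate = hash_password(password, salt)
    # compare_digest takes time independent of where the two digests first differ.
    matched = hmac.compare_digest(candidate, expected)
    if record is None or not matched:
        return False, GENERIC_FAILURE
    return True, "OK"
```

The "unknown user" branch deliberately still derives a hash and still compares it; only after both steps does the code decide that the account does not exist. Dropping either step would reintroduce a measurable timing difference between unknown usernames and wrong passwords.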


📡 Password Transmission Security

Q: Are passwords encrypted during transmission?

  • Answer: Yes

  • Enforced via TLS 1.2+ across all login endpoints.


🗄️ SQL Authentication & Database Access

Q: Does the application use SQL authentication to authenticate with the database?

  • Answer: Yes

  • Connection strings are encrypted and stored securely.

  • Database access is restricted to approved service accounts only.

📄 Supporting Documentation: The Veonics Portal History & System Architecture


🔑 Strong Password Enforcement

Q: Does your application enforce strong passwords?

  • Answer: Yes

  • Minimum length, complexity, and expiration rules are enforced.

  • Default Group Policy settings require 8+ characters, mixed case, numbers, and symbols.



🚫 Failed Login Attempts

Q: Does your application restrict the number of failed login attempts?

  • Answer: Yes

  • Accounts are locked after repeated failed login attempts to mitigate brute-force attacks.
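Lockout only slows brute force if the counter is keyed on the account rather than the client address, and it should expire rather than lock permanently, otherwise an attacker can lock legitimate users out on purpose. The following is an added illustration of such a policy and is not the portal's own implementation; the thresholds, the injectable clock and the `attempt_login` wrapper are assumptions for this example.

```python
import time
from collections import defaultdict

# Policy values are assumptions for this example, not the portal's configured thresholds.
MAX_FAILED_ATTEMPTS = 5          # failures within the window before the account locks
FAILURE_WINDOW_SECONDS = 15 * 60  # failures older than this no longer count
LOCKOUT_SECONDS = 15 * 60         # temporary lock, so lockout cannot be used as a permanent DoS

GENERIC_FAILURE = "Invalid username or password"


class LockoutPolicy:
    """Per-account failed-attempt counter with a temporary lockout.

    Keyed on the account name, not the client IP, so an attacker rotating source
    addresses still hits the same counter. The clock is injectable for testing.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(list)  # account -> timestamps of recent failures
        self._locked_until = {}             # account -> clock value at which the lock expires

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._clock() >= until:
            # Lock expired: clear it along with the old failure history.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Record one failed login; return True if the account is now locked."""
        now = self._clock()
        recent = [t for t in self._failures[account] if now - t <= FAILURE_WINDOW_SECONDS]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= MAX_FAILED_ATTEMPTS:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, account: str) -> None:
        """A successful login clears the failure history and any active lock."""
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def attempt_login(policy: LockoutPolicy, account: str, password_ok: bool) -> tuple:
    """Gate a credential check behind the lockout policy.

    `password_ok` stands in for the real hash verification. Every failure, locked
    or not, returns the same generic message so the response does not reveal
    that a lockout is in effect.
    """
    if policy.is_locked(account):
        return False, GENERIC_FAILURE
    if password_ok:
        policy.record_success(account)
        return True, "OK"
    policy.record_failure(account)
    return False, GENERIC_FAILURE
```

Because a locked account rejects even the correct password, the lock is what a SOC should alert on: a burst of lockouts across many accounts is the signature of a password-spraying run rather than a forgotten password.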


⏳ Periodic Password Changes

Q: Does the application enforce a periodic change of passwords?

  • Answer: Yes

  • Rotation is not automatic in the portal. For any account subject to a compliance requirement, an administrator sets an expiry date so that a password change is forced once that date passes.

  • Internal eXpress badging® accounts follow quarterly password rotation policies.

  • Customer accounts are managed by Customer Admins, who may set their own rotation frequency.


❌ Compromised Accounts

Q: If an account is compromised, can you easily disable the account?

  • Answer: Yes

  • Accounts can be disabled within minutes by eXpress badging® Admins or Customer Admins.

📄 Supporting Documentation: Cybersecurity Incident & Breach Response Process


🔄 Tokenization for Form Submissions

Q: Does the application use random tokens or user-specific tokens for form submissions?

  • Answer: Yes

  • Veonics® Portal employs anti-CSRF tokens and user-specific session tokens for all form submissions that change system data.

📄 Supporting Documentation: Application Development & Maintenance Policy
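A user-specific anti-CSRF token has to be both unpredictable and bound to the session, so that a token captured from one session cannot be replayed in another and a forged cross-site POST carrying no token is refused. The following is an added illustration of the HMAC-bound token pattern described in OWASP's CSRF Prevention Cheat Sheet; it is not the portal's own code, and the server key handling, session identifiers and the `handle_form_post` handler are assumptions for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Server-side key. Assumption for this example: generated at process start. A
# deployment loads it from a secrets manager so tokens survive restarts.
SERVER_KEY = secrets.token_bytes(32)


def _mac(session_id: str, nonce: str) -> str:
    """HMAC that ties a nonce to one session; only the server can produce it."""
    return hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode("utf-8"), hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    """Random nonce plus an HMAC binding it to the session: "<nonce>.<mac>"."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Accept only a well-formed token whose MAC matches this session."""
    if not token or "." not in token:
        return False
    nonce, presented = token.rsplit(".", 1)
    expected = _mac(session_id, nonce)
    # Constant-time comparison on bytes, so the check is safe for any input text.
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


def handle_form_post(session_id: str, form: dict) -> tuple:
    """State-changing handler: the token is checked before any data is touched."""
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return 200, f"updated badge holder {form.get('holder_id')}"
```

The token is stateless on the server side: nothing is stored per request, which is why the session binding matters. If single-use tokens are required (for example for a payment form), the nonce would additionally be recorded and consumed on first use.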


📊 NIST CSF 2.0 Alignment

Function        Practice
Protect (PR)    TLS, password hashing, RBAC, MFA, account lockout
Detect (DE)     SOC monitoring of login anomalies
Respond (RS)    Compromised accounts disabled immediately
Recover (RC)    Credential resets, user re-provisioning


Last Update: 09/01/2025