Users

Minimum length of 15 characters (recommend users to use a strange phrase with grammar errors and some extra, missing or duplicate characters that is easy to remember)

If the identity provider supports it, choose to block common or compromised passwords

Do NOT force uppercase letters, number, special characters (change in the latest NIST recommendations)

Do NOT force password changes based on time (change in the latest NIST recommendations)

Enable for all users

Require MFA at login

Use device biometrics, authenticator app or hardware key

Do NOT use SMS

Lock out user after 5 failed login attempts

Notify the user on login from new device or new location

Restrict access from unknown countries

Allow access only from trusted networks if applicable

Log login attempts

Suspicious activity (new devices, new countries)

User lock outs

Recommended Requirements

Password Strength

Multi-Factor Authentication (MFA)

Login Protection

Access Control

Monitoring and Alerts

Permissions

Google as Identity Provider

Okta as Identity Provider