Access control best practices
Modern perimeter thinking now prioritizes identity and fine‑grained permissions: short‑lived tokens, just‑in‑time access with automatic revocation, session‑bound credentials, explicit approvals for risky actions, and full logging are being recommended even for constrained IT teams. NIST guidance also flags physical access as a common weak link, so physical measures such as posted authorized‑access lists and signage are being paired with identity controls in settings like clinics. (x.com) (x.com)
NIST published SP 800‑63‑4 (Revision 4) on August 1, 2025; the update formalizes session management requirements, including session secrets and session binding, to reduce reuse of long‑lived credentials. (nist.gov) Microsoft Entra Privileged Identity Management (PIM) provides time‑bound, approval‑based role activation with MFA required at activation and downloadable audit history, but the full feature set requires appropriate Entra licensing (Microsoft Entra ID P2 or Entra ID Governance). (learn.microsoft.com) Major cloud token models favor short‑lived access tokens plus refresh tokens, and AWS STS shows how concrete the tunable windows are: GetSessionToken accepts durations from 900 seconds (15 minutes) up to 129,600 seconds (36 hours) for IAM users, defaulting to 43,200 seconds (12 hours), while AssumeRole defaults to 3,600 seconds (1 hour) and is capped by the role's configured maximum session duration (1 to 12 hours), so the window an administrator can set depends on which API is called. (docs.aws.amazon.com) Device‑based conditional access ties identity to device posture: Microsoft Entra Conditional Access can require an Intune‑compliant device before granting access to Microsoft 365, and Google Workspace uses Endpoint Verification plus Context‑Aware Access to block or approve devices based on OS, location or security status. (learn.microsoft.com)

On the physical side, NIST SP 800‑53 PE‑3 requires verifying individual physical access authorizations at entry/exit points and maintaining physical access audit logs, which makes visitor sign‑in and controlled ingress explicit controls rather than informal habits. (csf.tools) CISA's K‑12 School Security Guide (3rd ed., 2022) promotes layered physical approaches and visitor management for schools, and HHS/OCR guidance permits patient sign‑in sheets in clinics as long as the information collected is limited to what is needed to sign in (no reason for the visit, for example) and reasonable safeguards are applied. Both policies reinforce pairing visible signage and authorized‑access lists with identity checks and logging. (cisa.gov)
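The session‑secret and just‑in‑time patterns described above (short lifetimes, binding to the client that established the session, automatic revocation, and an audit trail) are easier to reason about in code. The following is an added illustration written for this page, not NIST's, Microsoft's or AWS's implementation; the lifetime limits, the `AccessManager` class, the `device-cert:` binding strings and the fake clock are all assumptions chosen for the example.

```python
"""Short-lived, client-bound session secrets with inactivity timeout, explicit
revocation and an audit log, plus time-bound just-in-time (JIT) role grants
that expire on their own. Illustrative code; lifetimes are assumed values."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Policy limits in seconds (assumptions for illustration; tune per environment).
MIN_LIFETIME = 900       # floor, mirroring the 15-minute minimum STS allows
MAX_LIFETIME = 3600      # hard cap on one session (1 hour)
MAX_INACTIVITY = 900     # force re-authentication after 15 idle minutes
MAX_JIT_GRANT = 3600     # a JIT role activation never outlives this


def _digest(value: str) -> str:
    """SHA-256 hex of a string, so raw secrets are never stored server-side."""
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class Session:
    subject: str
    binding: str       # digest of client-bound material, e.g. a device-cert fingerprint
    expires_at: float
    last_seen: float
    revoked: bool = False


class AccessManager:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised in tests
        self._sessions = {}      # digest(secret) -> Session
        self._grants = {}        # (subject, role) -> expiry timestamp
        self.audit = []          # (timestamp, event, details) tuples

    def _log(self, event: str, **details) -> None:
        self.audit.append((self._now(), event, details))

    # --- session secrets, SP 800-63B style ---
    def create_session(self, subject: str, client_binding: str, requested_lifetime: int) -> str:
        """Issue a fresh secret bound to client_binding; the lifetime is clamped to policy."""
        lifetime = max(MIN_LIFETIME, min(requested_lifetime, MAX_LIFETIME))
        secret = secrets.token_urlsafe(32)
        now = self._now()
        self._sessions[_digest(secret)] = Session(subject, _digest(client_binding), now + lifetime, now)
        self._log("session.create", subject=subject, lifetime=lifetime)
        return secret

    def validate_session(self, secret: str, client_binding: str):
        """Return (subject, 'ok') or (None, reason); every rejection is logged."""
        s = self._sessions.get(_digest(secret))
        now = self._now()
        if s is None:
            reason = "unknown"
        elif s.revoked:
            reason = "revoked"
        elif now >= s.expires_at:
            reason = "expired"
        elif now - s.last_seen > MAX_INACTIVITY:
            reason = "inactive"
        elif not hmac.compare_digest(s.binding, _digest(client_binding)):
            s.revoked = True          # valid secret from another client: treat as theft
            reason = "binding_mismatch"
        else:
            s.last_seen = now
            self._log("session.use", subject=s.subject)
            return s.subject, "ok"
        self._log("session.reject", reason=reason)
        return None, reason

    def revoke_session(self, secret: str) -> None:
        s = self._sessions.get(_digest(secret))
        if s is not None and not s.revoked:
            s.revoked = True
            self._log("session.revoke", subject=s.subject)

    # --- just-in-time role grants with auto-revoke ---
    def activate_role(self, subject: str, role: str, approver: str, ttl: int) -> float:
        """Record an approved, time-bound activation; returns the expiry timestamp."""
        ttl = min(ttl, MAX_JIT_GRANT)
        expires_at = self._now() + ttl
        self._grants[(subject, role)] = expires_at
        self._log("role.activate", subject=subject, role=role, approver=approver, ttl=ttl)
        return expires_at

    def has_role(self, subject: str, role: str) -> bool:
        """True only while the grant is unexpired; an expired grant is dropped and logged."""
        expires_at = self._grants.get((subject, role))
        if expires_at is None:
            return False
        if self._now() >= expires_at:
            del self._grants[(subject, role)]
            self._log("role.auto_revoke", subject=subject, role=role)
            return False
        return True


if __name__ == "__main__":
    clock = [1_000_000.0]                      # constructed fake clock for the demo
    am = AccessManager(now=lambda: clock[0])
    tok = am.create_session("alice", "device-cert:ab12", requested_lifetime=86_400)  # clamped to 3600
    print(am.validate_session(tok, "device-cert:ab12"))   # ('alice', 'ok')
    print(am.validate_session(tok, "device-cert:ff99"))   # (None, 'binding_mismatch')
    am.activate_role("alice", "clinic-admin", approver="bob", ttl=600)
    clock[0] += 600
    print(am.has_role("alice", "clinic-admin"))           # False: auto-revoked
```

Two design points worth noting: a secret presented from the wrong client binding is not just rejected but revoked, since a correct secret at the wrong binding is the signature of credential theft; and `has_role` does the auto-revoke lazily at check time, which is the same observable behaviour as a scheduled revocation job but needs no background process.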