I am now onto the stage of developing the back end system, where we are able to view/modify all client information, their customer information, and so forth.
I am looking into requiring the use of two-factor auth via Authentication Apps (NOT SMS) (already implemented), and if this is unavailable, requiring the use of a very, very strong password and limiting it to a certain number of days before it needs changing, plus blocking the most common passwords.
I have a number of "common password lists", obtained from a Github repo, found here: https://github.com/danielmiessler/SecLists/tree/master/Passwords.
I am looking at using the 100,000 password list as I believe it offers the best coverage without going too far, but I need your opinions on whether you'd use the 1k/10k or million list.
Finally, looking ahead, I am looking at only allowing full access to data if the account is logged in via a company VPN, and if not, giving them a dumbed-down version which doesn't let them go quite as in depth.
When it comes to auto-generating a secure password for the user using some kind of JS/backend script, I don't think these are ever the answer. This is because they are not going to remember the password, only save it into their browser. The minute they attempt to log in somewhere where their password isn't saved, you can guarantee their account will receive a password reset request. This can result in a dropped session, or, if it gets too much for them, a lack of use of the entire account for the foreseeable future.
For staff at this level, I have also disabled the option of email-based password reset and require that they do it internally, to ensure that weeks of security implementations and hours of explaining that my Sec SE thread isn't off topic don't go to waste over a password to an email address set up 10 years ago.
The information that our own staff can view includes ALL customer information AND their customer information like full contact details, full home address, bank account sort code/account number, the ability to charge their card (we don't store their CC info, just a PP/Stripe Key) even down to spending habits, plus other bits.
What are your ideas on implementing the strongest possible way that a user's account of this level can be secured, not just through passwords but other means, without annoying the user?
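As an added illustration of the "block the most common passwords" part of the plan above (example code, not from the original post or from SecLists), here is a small policy check that loads a one-password-per-line list such as the SecLists 100k file and rejects both verbatim matches and the usual "common word plus digits/symbol" decorations. The list contents, the file path in the comment and the 14-character minimum are constructed assumptions for the example.

```python
"""Blocklist check for a staff-password policy.

SAMPLE_BLOCKLIST is a constructed stand-in for a SecLists file such as
Passwords/Common-Credentials/10-million-password-list-top-100000.txt
(assumed path); a real file is loaded the same way, one password per line.
"""
import re
import unicodedata

SAMPLE_BLOCKLIST = """\
123456
password
qwerty
letmein
Password1
iloveyou
"""

MIN_LENGTH = 14  # assumed value for the "very, very strong password" tier


def normalise(pw: str) -> str:
    """Fold case and Unicode so 'PassWord' and 'password' compare equal."""
    return unicodedata.normalize("NFKC", pw).strip().casefold()


def load_blocklist(lines) -> frozenset:
    """Build a set of normalised entries from an iterable of list lines."""
    return frozenset(normalise(line) for line in lines if line.strip())


def strip_decoration(pw: str) -> str:
    """Drop leading/trailing digits and symbols ('password1!' -> 'password')."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw)


def check_password(pw: str, blocklist: frozenset) -> list:
    """Return the list of policy violations; an empty list means it passes."""
    reasons = []
    norm = normalise(pw)
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if norm in blocklist:
        reasons.append("appears verbatim in the common-password list")
    elif strip_decoration(norm) in blocklist:
        reasons.append("is a common password with digits/symbols appended")
    return reasons


# Constructed sample list loaded once at import; swap in open(path) for a real file.
BLOCKLIST = load_blocklist(SAMPLE_BLOCKLIST.splitlines())

if __name__ == "__main__":
    for candidate in ("Password1", "letmein2024!", "correct-horse-battery-staple-9"):
        print(candidate, "->", check_password(candidate, BLOCKLIST) or "ok")
```

Returning every failed rule at once lets the UI explain the rejection instead of making the user guess, which matters for the "without annoying the user" goal.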