This Control directly supports the implied Control(s):
Establish, implement, and maintain system hardening procedures., CC ID: 12001
This Control has the following implementation support Control(s):
Configure the system to log all access attempts to all systems., CC ID: 00554
Configure devices and users to re-authenticate, as necessary., CC ID: 10609
Restrict logons by specified source addresses., CC ID: 16394
Configure the "Lockout Enabled" setting to organizational standards., CC ID: 09859
Prohibit the use of cached authenticators and credentials after a defined period of time., CC ID: 10610
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
In addition, it is necessary to specify the procedure for suspending the use of any tokens once issued, cancelling suspended use, re-issuing tokens, deleting any tokens, and to define the procedure for dealing with lost, stolen, or damaged tokens. (P140.1.(6) 1)b., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
Mutual authentication system may be considered. Mutual Authentication, also called two-way authentication, is a security feature in which a client process must prove his identity to a server, and the server must prove its identity to the client, before any application traffic is sent over the client… (Critical components of information security 5) (xii), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
A bank should take appropriate measures to identify and authenticate users or IT assets. The required strength of authentication needs to be commensurate with risk. Common techniques for increasing the strength of identification and authentication include the use of strong password techniques (i.e. … (Critical components of information security 5) (iv), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
To safeguard the confidentiality of authentication credentials, such as biometric templates and passwords, the FI should store these credentials in a form that is resistant to reverse engineering. A process and procedure should also be implemented to revoke and replace authentication credentials and… (§ 14.2.11, Technology Risk Management Guidelines, January 2021)
The organization should use public key-based authentication instead of passphrase-based authentication. (Control: 0485, Australian Government Information Security Manual: Controls)
Importantly, authentication should occur over secure channels. Email, HTTP or telephone are vulnerable to interception and social engineering attacks. (10. ¶ 3, Cloud Security Guidance, 1.0)
Weak authentication to these interfaces may enable unauthorised access to your systems, resulting in the theft or modification of your data, changes to your service, or a denial of service. Importantly, authentication should occur over secure channels, as described in Principle 1: data in transit pr… (10. ¶ 4, Cloud Security Guidance, 2)
The entity uses a combination of controls to restrict access to its information assets including data classification. The entity enforces logical separations of data structures and the segregation of incompatible duties, applies device security hardening and security configuration policies, including… (S7.1 Restricts access to information assets, Privacy Management Framework, Updated March 1, 2020)
Strong authentication methods should be used to ensure only users with valid credentials can gain access to the system. Strong authentication occurs when a combination of the following 3 items are used: something the user knows (a password); something the user has (a smart card), and something the u… (Pg 50, Mac OS X Security Configuration for version 10.4 or later, second edition, Second Edition)
Unique usernames and secure authentication should be used to sign on to any application storing cardholder data. Changing this setting in the application after installation may result in noncompliance with PCI DSS. (§ 3.1, § 3.2, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
The organization should use customer-provided data to aid in verifying their identity. When customers register, they should be asked to answer a question that only they will know the answer to, such as school name or place of birth. When the customer returns to log on, the system should ask this que… (Pg 32, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business)
Information Systems should be designed to enable authorized users to access multiple systems and resources via reduced (or single) sign-on. (CF.07.01.05c, The Standard of Good Practice for Information Security)
Sign-on mechanisms should be configured so that they are re-enabled automatically after interruption (e.g., following a disconnection from the application). (CF.06.07.02e, The Standard of Good Practice for Information Security)
Information Systems should be designed to enable authorized users to access multiple systems and resources via reduced (or single) sign-on. (CF.07.01.05c, The Standard of Good Practice for Information Security, 2013)
Sign-on mechanisms should be configured so that they are re-enabled automatically after interruption (e.g., following a disconnection from the application). (CF.06.07.02e, The Standard of Good Practice for Information Security, 2013)
Ensure the proper management, tracking, and use of connected hardware authentication tokens (if tokens are used). (5.2 Control Objective, SWIFT Customer Security Controls Framework, Customer Security Programme, v2019)
¶ 13.3.3 Authentication Enhancements. The use of user id/password pairs is a simple way to authenticate users, but they can be compromised or guessed. There are other more secure ways to authenticate users, particularly for remote users. Authentication enhancements are needed when there exists a hi… (¶ 13.3.3, ¶ 13.3.5, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
For Cisco IOS, the organization must configure the system to use Authentication, Authorization, and Accounting (AAA) authentication methods. (Table F-10, CMS Business Partners Systems Security Manual, Rev. 10)
Tokens or "smart cards" are acceptable for authentication. In-band tokens involve overall network control of the token database for all parties. (ACCEPTABLE AUTHENTICATION APPROACHES 4., HIPAA HCFA Internet Security Policy, November 1998)
Authentication procedures must include multifactor authentication methods. (CSR 2.9.8, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
Employees are required to use two factor authentication before they can use their workstations. (Pg 47, C-TPAT Supply Chain Security Best Practices Catalog)
Remote access users must be authenticated by one of the following methods: RADIUS, TACACS+, CiscoSecure ACS, or SecurID. If the organization wants to use a different method, it must first be approved and documented by the Information Assurance Manager. RADIUS servers may not use NetWare Bindery to a… (§ 6.2.1, DISA Secure Remote Computing Security Technical Implementation Guide, Version 1 Release 2)
Each individual's identity shall be authenticated at either the local agency, CSA, SIB or Channeler level. The authentication strategy shall be part of the agency's audit for policy compliance. The FBI CJIS Division shall identify and authenticate all individuals who establish direct web-based inter… (§ 5.6.2 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
Each individual's identity shall be authenticated at either the local agency, CSA, SIB or Channeler level. The authentication strategy shall be part of the agency's audit for policy compliance. The FBI CJIS Division shall identify and authenticate all individuals who establish direct web-based inter… (§ 5.6.2 ¶ 2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
The organization should use strong user authentication methods to log on to critical applications. (Pg 21, Exam Tier II Obj 4.2, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
(AC-3.2(C), Federal Information System Controls Audit Manual (FISCAM), February 2009)
Does the Credit Union use multifactor authentication, layered security, or other controls to mitigate the risks associated with Internet-based products and services to their members? (IT - Authentication Q 2, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
Do members need to login to the bill pay software separately from the internet banking software? (IT - Member Online Services Q 31, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
Communication between the claimant and verifier SHALL be via an authenticated protected channel to provide confidentiality of the authenticator output and resistance to MitM attacks. All cryptographic device authenticators used at AAL3 SHALL be verifier impersonation resistant as described in Sectio… (4.3.2 ¶ 1, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
Authenticators that involve the manual entry of an authenticator output, such as out-of-band and OTP authenticators, SHALL NOT be considered verifier impersonation-resistant because the manual entry does not bind the authenticator output to the specific session being authenticated. In a MitM attack,… (5.2.5 ¶ 5, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
Impose a delay of at least 30 seconds before the next attempt, increasing exponentially with each successive attempt (e.g., 1 minute before the following failed attempt, 2 minutes before the second following attempt), or (5.2.3 ¶ 8 Bullet 1, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
Requiring the claimant to wait following a failed attempt for a period of time that increases as the account approaches its maximum allowance for consecutive failed attempts (e.g., 30 seconds up to an hour). (5.2.2 ¶ 2 Bullet 2, Digital Identity Guidelines: Authentication and Lifecycle Management, NIST SP 800-63B)
The organization should decide the procedures to be taken to provide access to authorized users when they fail to successfully authenticate themselves. (Table 8-2 Item 19, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007)
User is required to authenticate as well as restricting access to authenticated data. Logon attempts should be limited after a failed number of attempts. ISF calls for a sign in process before users should be allowed to access the system and sign-on attempts should be limited. (§ 3.11.2, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
Organizations should implement single sign-on to existing directory systems where applicable. Single sign-on simplifies the orchestrator authentication experience, makes it easier for users to use strong authentication credentials, and centralizes auditing of access, making anomaly detection more ef… (4.3.2 ¶ 2, NIST SP 800-190, Application Container Security Guide)
The organization requires that individuals accessing the information system employ {organizationally documented supplemental authentication techniques or mechanisms} under specific {organizationally documented circumstances or situations}. (IA-10 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
The information system provides a single sign-on capability for [Assignment: organization-defined information system accounts and services]. (IA-2(10) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
The organization requires that individuals accessing the information system employ [Assignment: organization-defined supplemental authentication techniques or mechanisms] under specific [Assignment: organization-defined circumstances or situations]. (IA-10 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
Provide a single sign-on capability for [Assignment: organization-defined system accounts and services]. (IA-2(10) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
Require individuals accessing the system to employ [Assignment: organization-defined supplemental authentication techniques or mechanisms] under specific [Assignment: organization-defined circumstances or situations]. (IA-10 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)