CMMC Practice Number: IA.L2-3.5.11
CMMC Level: 2 CMMC Domain: Identification and Authentication (IA)
Practice Summary:
Obscure feedback of authentication information.
Contents:
CMMC Practice Implementation |
Assessment Objectives
Determine if:
[a] authentication information is obscured during the authentication process.
Practice Clarification (DOD, CMU)
Authentication information includes passwords. When users enter a password, the system displays a symbol, such as an asterisk, to obscure feedback preventing others from seeing the actual characters [a]. Feedback is obscured based on a defined policy (e.g., smaller devices may briefly show characters before obscuring).
Example
As a system administrator, you configure your systems to display an asterisk when users enter their passwords into a computer system [a]. For mobile devices, the password characters are briefly displayed to the user before being obscured. This prevents people from figuring out passwords by looking over someone’s shoulder.
Potential Assessment Considerations
• Is the feedback immediately obscured when the authentication is presented on a larger display (e.g., desktop or notebook computers with relatively large monitors) [a]?
Where To Look
- Identification and authentication policy;
- procedures addressing authenticator feedback;
- system security plan;
- system design documentation;
- system configuration settings and associated documentation;
- system audit logs and records;
- other relevant documents or records.
Who To Talk To
- Personnel with information security responsibilities;
- system or network administrators;
- system developers.
Perform Test On
- Mechanisms supporting or implementing the obscuring of feedback of authentication information during authentication.
Additional Information
This requirement seeks to prevent an observer from viewing authentication information, such as a password, while it is being entered. One technique to obscure feedback is to have dots appear in the password window while it is being typed instead of the actual characters being entered.
The most basic feedback control is never informing the user in an error message what part of the of the authentication transaction failed. In the case of shibboleth, for example, the error message is generic regardless of whether the userid was mistyped, the password was wrong, or (in the case of MFA) there was a problem with the MFA credential provided — the failure simply says that the credentials were invalid. Likewise, unsuccessful authentications at the Kerberos KDCs don’t distinguish between the “principal not found” and the “invalid key” case.
LDAP-based authentication interfaces only return a “failure to bind” message from both the main LDAPs and the AD.
CMMC Practice Background and References (DOD, CMU) |
Practice Discussion:
The feedback from systems does not provide any information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems or system components, for example, desktop or notebook computers with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with small displays, this threat may be less significant, and is balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring authenticator feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before fully obscuring it.
CMMC References:
· NIST SP 800-171 Rev 1 3.5.11
· NIST CSF v1.1 PR.AC-1
· NIST SP 800-53 Rev 4 IA-6