NIST Special Publication 800-171 Revision 2
Date Published: January 28th, 2021
Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3
Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)
Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors, who are subject to 252.204-7012, to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer. Click Here
3.5.11 Obscure feedback of authentication information.
Control Family: Identification and Authentication
Control Type: Derived
SPRS Value: 1
SPRS Supplemental Guidance: N/A
CMMC Level(s): IA.L2-3.5.11
Top Ten Failed Requirement: No
Referenced in:
DFARS 252.204-7012
Derived From: NIST SP 800-53r4
IA-6
NIST Supplemental Guidance:
N/A
Discussion:
The feedback from systems does not provide any information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems or system components, for example, desktop or notebook computers with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with small displays, this threat may be less significant, and is balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring authenticator feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before fully obscuring it.
Upon assessment, assessors must determine if-
Determine if authentication information is obscured during the authentication process.
Assessors are instructed to-
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing authenticator feedback; system security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Mechanisms supporting or implementing the obscuring of feedback of authentication information during authentication].
FURTHER DISCUSSION
Authentication information includes passwords. When users enter a password, the system displays a symbol, such as an asterisk, to obscure feedback preventing others from seeing the actual characters. Feedback is obscured based on a defined policy (e.g., smaller devices may briefly show characters before obscuring).
Example
As a system administrator, you configure your systems to display an asterisk when users enter their passwords into a computer system [a]. For mobile devices, the password characters are briefly displayed to the user before being obscured. This prevents people from figuring out passwords by looking over someone’s shoulder.
Potential Assessment Considerations
Is the feedback immediately obscured when the authentication is presented on a larger display (e.g., desktop or notebook computers with relatively large monitors) [a]?
Frameworks & Controls
3.5: Identification and Authentication
3.5.1 Identify system users, processes acting on behalf of users, and devices.
3.5.6 Disable identifiers after a defined period of inactivity.
3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created.
3.5.8 Prohibit password reuse for a specified number of generations.
3.5.10 Store and transmit only cryptographically-protected passwords.