CMMC IA.2.082 - Obscure Authentication Feedback

CMMC IA.2.082 - Obscure Authentication Feedback

Requirement text: IA.2.082: Obscure feedback of authentication information.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
The feedback from systems does not provide any information that would allow unauthorized
individuals to compromise authentication mechanisms. For some types of systems or
system components, for example, desktop or notebook computers with relatively large
monitors, the threat (often referred to as shoulder surfing) may be significant. For other
types of systems or components, for example, mobile devices with small displays, this threat
may be less significant, and is balanced against the increased likelihood of typographic input
errors due to the small keyboards. Therefore, the means for obscuring the authenticator
feedback is selected accordingly. Obscuring authenticator feedback includes displaying
asterisks when users type passwords into input devices or displaying feedback for a very
limited time before fully obscuring it.

CMMC CLARIFICATION
A password is a type of authentication information. When users enter this information, the
system displays a symbol, such as an asterisk. This prevents others from seeing the actual
characters. The organization should obscure feedback based on a defined policy. For
example, smaller devices may briefly show characters before obscuring.

Example
You are in charge of IT for your company. You set up your systems to display a symbol, such
as an asterisk, when users enter their passwords into a computer system. For your mobile
devices, the password characters are briefly displayed to the user before being obscured.
This prevents people from figuring out passwords by looking over someone’s shoulder.

References
• NIST SP 800-171 Rev 1 3.5.11
• NIST CSF v1.1 PR.AC-1
• NIST SP 800-53 Rev 4 IA-6

    • Related Articles

    • Identification and Authentication: SP 800-171 Security Family 3.5

       For most systems, identification and authentication is often the first line of defense. Identification is the means of verifying the identity of a user, process, or device, typically as a prerequisite for granting access to resources in a system. ...

    • CMMC IA.3.084 - Employ Replay-Resistant Authentication

      Requirement text: IA.3.084: Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 Authentication processes resist replay attacks if it is ...

    • CMMC IA.3.083 - Use Multifactor Authentication

      Requirement text: IA.3.083: Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 Multifactor authentication requires the ...

    • CMMC Level 1 Overview - Basic Cyber Hygiene

      CMMC Level 1 l focuses on Federal Contract Information (FCI), which is defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the ...

    • CMMC IA.2.078 - Enforce Password Complexity

      Requirement text: IA.2.078: Enforce a minimum password complexity and change of characters when new passwords are created. DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2 This requirement applies to single-factor authentication of individuals using ...