Homexnetd.com

3.5 IDENTIFICATION AND AUTHENTICATION



3.5.11 Obscure feedback of authentication information

By wnoble2005@gmail.com (William Noble) 📅 2024-03-01
NIST 800-171 control 3.5.11 requires that a system not reveal authentication information in the feedback it gives during login. In practice this covers two things. First, the authenticator is obscured as it is entered, for example by displaying asterisks instead of the typed password, so that someone watching the screen ("shoulder surfing") cannot read it. Second, failure messages stay generic, so that an attacker cannot learn whether a username exists or which part of the credential was wrong. Masking is balanced against usability: on a small keyboard typing errors are more likely, so the display may show each character briefly before obscuring it. System owners and administrators are responsible for configuring this. A common implementation is a single message such as "Login attempt unsuccessful" for every failed attempt, instead of separate "unknown user" and "incorrect password" messages.



The feedback from systems does not provide any information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems or system components, for example, desktop or notebook computers with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with small displays, this threat may be less significant, and is balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring authenticator feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before fully obscuring it.

Benefits:

Denies Attackers Free Information: Masking the authenticator as it is typed means that someone standing behind you ("shoulder surfing") sees only asterisks, not the password. Returning the same message whether the username or the password was wrong means an attacker cannot confirm which usernames exist and then concentrate guessing on those accounts. Neither measure makes an attack impossible, but each removes a piece of information the attacker would otherwise get for nothing.

Balances Security Against Typing Errors: We all mistype sometimes, and a fully masked field gives no hint where the error is. The control therefore lets the degree of obscuring fit the device: a desktop with a large screen can mask everything, while a phone with a small keyboard may show each character briefly before replacing it, or offer a "show password" toggle under the user's control. What should not change is the failure message, which stays generic on every device.

Accountability:

Senior Management: Sets the security tone and allocates resources for implementing and enforcing obscure feedback mechanisms. They ensure IT security policies reflect this control and hold individuals accountable.

IT Security Team: They implement and maintain the technical controls, such as masking characters during password entry and returning a uniform message on every failed login. They also educate users on recognizing phishing attempts that try to harvest credentials directly.

System Owners: They ensure their specific systems adhere to the organization's security policies. For this control, that means configuring login screens to mask passwords and checking that failure messages do not say whether the username or the password was wrong.



Individual Users: They are responsible for practicing good security hygiene. This includes choosing strong passwords, avoiding credential entry where someone could watch the screen, and not using a "show password" option in public. They should also report any suspicious login activity.

Implementation:

Generic Messages: Instead of saying "Wrong username" or "Incorrect password," the system displays one message, such as "Login failed," for every unsuccessful attempt. The actual reason (unknown account, wrong password, locked account) is recorded in the server-side log for the security team, not shown to the client. This keeps the attacker in the dark.

Uniform Response Timing: The message is not the only channel. If the server answers instantly for an unknown username but takes longer to check the password hash for a real one, the delay itself reveals which usernames exist. The fix is to do the same work on every path, for example by verifying the supplied password against a decoy hash when the account does not exist, so that response time does not depend on the outcome. Adding a fixed pause to every response is a weaker substitute, since differences in the underlying work can still show through.

Limited Attempts: The system allows a set number of login tries. After the limit is exceeded, the account is locked for a period or requires additional verification, which stops brute-force guessing. In 800-171 this is its own requirement (3.1.8, limit unsuccessful logon attempts), but it complements 3.5.11: with generic messages and uniform timing, the attacker cannot even tell whether the attempts are hitting a real account. Consider keeping the client message generic when the lockout triggers as well, since an "account locked" message confirms that the account exists; record the lockout in the server-side log instead.
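The three measures above fit together in a single login routine. The following Python is an added illustration written for this page; it is not code from NIST or from the page's publisher, and the policy values, account names, sample password and audit-log format are assumptions. It returns one generic message for an unknown username, a wrong password and a locked account, performs the same hashing work on every path so that response time does not betray the outcome, and locks the account after a fixed number of failures while recording the real reason only in a server-side audit list:

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical policy values chosen for this illustration; a real deployment
# takes them from its own account-management policy.
PBKDF2_ITERATIONS = 100_000   # kept modest so the demo runs quickly; raise for production
MAX_FAILURES = 5              # failed attempts before the account locks
LOCKOUT_SECONDS = 900
GENERIC_FAILURE = "Login attempt unsuccessful"   # the only text a failed client ever sees


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0   # clock timestamp; 0 means not locked


class Authenticator:
    def __init__(self, accounts: Dict[str, Account],
                 clock: Callable[[], float] = time.monotonic):
        self.accounts = accounts
        self.clock = clock            # injectable so lockout expiry can be tested
        self.audit: List[str] = []    # detailed reasons go here, never to the client
        # Decoy salt: the password is hashed against it when the username is
        # unknown, so an attempt on a nonexistent account costs the same as a real one.
        self._decoy_salt = os.urandom(16)

    def login(self, username: str, password: str) -> Tuple[bool, str]:
        now = self.clock()
        account = self.accounts.get(username)

        if account is None:
            hash_password(password, self._decoy_salt)   # same work as a real check
            self.audit.append(f"failure user={username!r} reason=unknown-account")
            return False, GENERIC_FAILURE

        if now < account.locked_until:
            hash_password(password, account.salt)        # keep timing uniform while locked
            self.audit.append(f"failure user={username!r} reason=locked")
            return False, GENERIC_FAILURE

        _, candidate = hash_password(password, account.salt)
        if hmac.compare_digest(candidate, account.digest):   # constant-time comparison
            account.failures = 0
            return True, "OK"

        account.failures += 1
        self.audit.append(f"failure user={username!r} reason=bad-password count={account.failures}")
        if account.failures >= MAX_FAILURES:
            account.locked_until = now + LOCKOUT_SECONDS
            account.failures = 0
            self.audit.append(f"lockout user={username!r} until={account.locked_until:.0f}")
        return False, GENERIC_FAILURE


if __name__ == "__main__":
    # Constructed sample account store; not real credentials.
    salt, digest = hash_password("correct horse battery staple")
    auth = Authenticator({"alice": Account(salt, digest)})
    for user, pw in [("alice", "wrong"), ("nobody", "wrong"),
                     ("alice", "correct horse battery staple")]:
        print(user, "->", auth.login(user, pw))
    print("\n".join(auth.audit))
```

Masking the password as it is typed is a client-side display concern and is not shown here. A production system would also use a dedicated password-hashing library and persistent storage in place of the in-memory dictionary; the point of the example is that the client receives the same message, after the same amount of work, on every failure path.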



About "3.5.11 Obscure feedback of authentication information"
Category: Cybersecurity Maturity Model
Family: Identification and Authentication (IA 3.5)
Type: Derived Security Requirements
#CybersecurityMaturityModel #DerivedSecurityRequirements


Q4Q Technical Solutions

© q4q.com 1999-2024