Identification and Authentication (from NIST)
This list summarizes the identification and authentication controls and ties each control to an activity or behavior. For NIST's own descriptions, see NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems.
- Identification and authentication policy and procedures - Defines types of authentication to be used based on security needs. The policy should cover roles, responsibilities, and compliance. (low)
- User identification and authentication - Users are identified with unique user IDs and authenticated by the system using one or more methods such as passwords, secure ID tokens, biometrics, pass phrases, or other methods. Multifactor authentication may be used. (low)
- Device identification and authentication - Devices that attempt to establish a connection to a system are identified and authenticated before allowing them to connect. A MAC address, IP address, a special account, or other special credentials may be used to identify and authenticate the device. (moderate)
- Identifier management - Several factors are used to control user identification, including:
  - An appropriate official issues user identifiers.
  - The user identifier is given to the correct individual.
  - Each user can be uniquely identified - each user ID is unique and is not shared.
  - The identity of each user can be verified.
  - The user identifier is removed or disabled when the individual leaves, no longer needs it, or is inactive for a period of time.
- Authenticator management - Items used to authenticate users, such as passwords, secure ID tokens, biometrics, key cards, and security certificates, are managed by the organization in a secure manner. Policy should state that authenticators are not to be shared. Lost authenticators should be reported immediately.
  - Procedures are established for initial distribution.
  - Procedures are established for replacement and deactivation of lost authenticators.
  - Procedures are established for replacement of damaged authenticators.
  - Procedures are established for revoking authenticators.
  - The type of authenticators in use can be changed as required.
  - Authenticators that are secrets, such as passwords, should be protected by the system from unauthorized disclosure or modification when they are stored or transmitted. Secret authenticators should not be displayed. Policies should define maximum age, minimum length, and other criteria for secret authenticators.
  - Certificates should be validated by a trusted source.
- Authenticator feedback - The feedback given to the user about whether authentication succeeded does not reveal information about the user account or the authentication mechanism. For example, telling the user that the ID was valid but the password was incorrect gives useful information to an attacker. The authenticator itself is never displayed. (low)
- Cryptographic module authentication - Cryptographic modules are tested and validated before they are relied on to protect data; validation rates the module in several areas. (low)
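The authenticator management and authenticator feedback controls above translate directly into login code. The following is an added example, not part of NIST's text: it stores only salted password hashes, returns one generic failure message for an unknown user, a wrong password and a disabled account alike, and runs the same hash computation on every path so the unknown-user case is not distinguishable by timing. The user store, usernames and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample store for this example; secret authenticators are kept
# only as salted PBKDF2 hashes, never in clear text.
PBKDF2_ITERATIONS = 100_000
GENERIC_FAILURE = "Login failed: invalid username or password."


def hash_password(password, salt=None):
    """Return (salt, digest) for a password using PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def make_store(entries):
    """Build an in-memory store: username -> (salt, digest, enabled)."""
    store = {}
    for username, password, enabled in entries:
        salt, digest = hash_password(password)
        store[username] = (salt, digest, enabled)
    return store


USERS = make_store([
    ("alice", "correct horse battery staple", True),
    ("bob", "hunter2", False),  # disabled: the individual has left
])

# Dummy salt/hash verified when the username is unknown, so that path
# costs the same as a real verification.
_DUMMY_SALT, _DUMMY_HASH = hash_password("placeholder-not-a-real-secret")


def authenticate(username, password):
    """Verify a login and return (success, message).

    The message is identical for an unknown user, a wrong password and a
    disabled account, and the secret is never echoed back to the user.
    """
    salt, stored, enabled = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH, False))
    _, candidate = hash_password(password, salt)
    # Constant-time comparison so the position of a mismatch is not leaked.
    if hmac.compare_digest(candidate, stored) and username in USERS and enabled:
        return True, f"Welcome, {username}."
    return False, GENERIC_FAILURE
```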