NIST 800-171 • LEVEL 2 • IDENTIFICATION AND AUTHENTICATION
3.5.11 — Authentication Feedback
Authentication feedback does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For example, for desktop or notebook systems with relatively large monitors, the threat may be significant (commonly referred to as shoulder surfing). For mobile devices with small displays, this threat may be less significant and is balanced against the increased likelihood of input errors due to small keyboards. Therefore, the means of obscuring authenticator feedback is selected accordingly. Obscuring feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a limited time before fully obscuring it.
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
- feedback of authentication information during the authentication process is obscured.
Practitioner Notes
When someone types their password, the system should not display it on screen in plain text. This prevents "shoulder surfing" — someone nearby reading the password off the user's monitor. The standard approach is to show dots or asterisks instead of the actual characters.
This applies to workstations, mobile devices, web apps, and any login prompt.
Example 1: On Windows workstations, ensure the "reveal password" button on the login screen is controlled. Via Group Policy, navigate to Computer Configuration > Administrative Templates > Windows Components > Credential User Interface and set "Do not display the password reveal button" to Enabled. This removes the eye icon that lets users temporarily unmask their password on the Windows login screen.
Example 2: For custom web applications, ensure all password input fields use <input type="password"> rather than <input type="text">. If your application includes a "show password" toggle, make sure it defaults to masked and automatically re-masks after a short timeout (e.g., 3 seconds). Conduct a quick review of all login and account management pages to verify this is consistently implemented.
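The following is an added example, not code from this page or from any product it references, showing one way to implement the Example 2 behaviour: a "show password" toggle that always starts masked, re-masks itself after a timeout (3000 ms here, matching the example above), and a small audit helper that flags password-like fields not rendered as type="password". The controller takes an object with a `type` property so it works against a real DOM input or a plain object; the injectable `schedule`/`cancel` hooks and the `autocomplete`-based audit heuristic are assumptions of this example, not anything the control text prescribes.

```javascript
// Added example: masked-by-default password reveal with automatic re-mask.
// Assumption: the default re-mask delay follows the "e.g., 3 seconds" in the text.
const REMASK_MS = 3000;

// Wraps a password input so that:
//  - the field is forced to type="password" on setup, whatever the markup said
//  - reveal() unmasks and schedules an automatic re-mask after remaskMs
//  - mask() re-masks immediately and cancels any pending timer
// schedule/cancel default to setTimeout/clearTimeout but can be injected for tests.
function createPasswordRevealController(input, opts = {}) {
  const remaskMs = opts.remaskMs ?? REMASK_MS;
  const schedule = opts.schedule ?? ((fn, ms) => setTimeout(fn, ms));
  const cancel = opts.cancel ?? ((id) => clearTimeout(id));
  let timer = null;

  input.type = 'password'; // default state is always masked

  function mask() {
    if (timer !== null) {
      cancel(timer);
      timer = null;
    }
    input.type = 'password';
    return input.type;
  }

  function reveal() {
    if (timer !== null) cancel(timer);
    input.type = 'text';
    timer = schedule(mask, remaskMs); // auto re-mask after the timeout
    return input.type;
  }

  function toggle() {
    return input.type === 'password' ? reveal() : mask();
  }

  function isMasked() {
    return input.type === 'password';
  }

  return { mask, reveal, toggle, isMasked };
}

// Review helper for "check all login and account pages": returns the names of
// fields that look like password fields but are not masked. The heuristic
// (autocomplete of current-password / new-password, or a name containing
// "pass") is an assumption of this example.
function auditPasswordInputs(inputs) {
  const looksLikePassword = (i) =>
    i.autocomplete === 'current-password' ||
    i.autocomplete === 'new-password' ||
    /pass/i.test(i.name || '');
  return inputs
    .filter((i) => looksLikePassword(i) && i.type !== 'password')
    .map((i) => i.name);
}

// Browser wiring, skipped when run outside a page (e.g. in Node).
// Assumes a hypothetical markup of <input id="pw"> and <button id="pw-toggle">.
if (typeof document !== 'undefined') {
  const input = document.getElementById('pw');
  const button = document.getElementById('pw-toggle');
  if (input && button) {
    const ctl = createPasswordRevealController(input);
    button.addEventListener('click', () => ctl.toggle());
    input.addEventListener('blur', () => ctl.mask()); // never leave it revealed
  }
}
```

The controller re-masks on blur as well as on the timer, so a user who reveals the field and then walks away does not leave the password on screen; the audit helper can be run over `Array.from(document.querySelectorAll('input'))` during the page review the text calls for.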