NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION

IA-6 Authentication Feedback

Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.

CMMC Practice Mapping

NIST 800-171 Mapping

Related Controls

Supplemental Guidance

Authentication feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, such as desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, such as mobile devices with small displays, the threat may be less significant and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authentication feedback is selected accordingly. Obscuring authentication feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before obscuring it.

Practitioner Notes

Obscuring authentication feedback means that when users enter their password, the system does not reveal the typed characters on screen. This prevents shoulder surfing and screen capture attacks.

Example 1: Ensure all login screens display dots or asterisks instead of the actual password characters as users type, including custom web applications and admin portals.

Example 2: Configure your Linux SSH login and sudo prompts to not echo any characters (not even asterisks) when passwords are entered at the command line.
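The two practitioner examples above can be checked mechanically. The following script is an added example, not part of the NIST control text or any particular product: it scans an HTML login page for credential fields that are not rendered with `type="password"` (Example 1), and scans sudoers content for the `pwfeedback` option, which is off by default in sudo and, when enabled, makes sudo print an asterisk for every typed character (Example 2). The HTML and sudoers snippets are constructed samples; the attribute-name hints used to recognise a credential field are this example's own assumption.

```python
"""Audit helpers for IA-6 (obscured authentication feedback).

Added example; not taken from the NIST text. Two checks:
  1. find <input> elements that look like credential fields but echo their
     characters because they are not type="password"
  2. find sudoers Defaults directives that enable pwfeedback (asterisks)
"""
from html.parser import HTMLParser

# Substrings in name/id/autocomplete that suggest a credential field (assumed heuristic).
SECRET_HINTS = ("password", "passwd", "pwd", "passphrase")


class PasswordInputAuditor(HTMLParser):
    """Collects <input> elements that look like password fields but are not masked."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        looks_secret = any(
            hint in a.get(key, "")
            for key in ("name", "id", "autocomplete")
            for hint in SECRET_HINTS
        )
        # A missing type attribute defaults to "text", which echoes every character.
        declared_type = a.get("type", "text")
        if looks_secret and declared_type != "password":
            label = a.get("name") or a.get("id") or "<unnamed>"
            self.findings.append((label, declared_type))


def find_unmasked_password_inputs(html):
    """Return [(field name, declared type)] for credential inputs that echo what is typed."""
    auditor = PasswordInputAuditor()
    auditor.feed(html)
    return auditor.findings


def sudoers_pwfeedback_directives(sudoers_text):
    """Return each Defaults directive (comment stripped) that turns pwfeedback on.

    Handles qualified forms such as 'Defaults:user' and comma-separated option
    lists; '!pwfeedback' explicitly disables the option and is not reported.
    """
    offending = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)  # ["Defaults[:qualifier]", "opt1, opt2, ..."]
        if len(parts) < 2 or not parts[0].startswith("Defaults"):
            continue
        options = [opt.strip() for opt in parts[1].split(",")]
        if "pwfeedback" in options:
            offending.append(line)
    return offending


# Constructed sample login page: the reset form has two unmasked credential fields.
SAMPLE_LOGIN_PAGE = """
<form method="post" action="/login">
  <input type="text" name="username" autocomplete="username">
  <input type="password" name="password" autocomplete="current-password">
</form>
<form method="post" action="/admin/reset">
  <input type="text" name="new_passwd">
  <input name="confirm_passwd">
</form>
"""

# Constructed sample sudoers content, not taken from a real host.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset, pwfeedback   # asterisks per keystroke: violates Example 2
Defaults:deploy !pwfeedback
Defaults timestamp_timeout=5
"""


def audit(html=SAMPLE_LOGIN_PAGE, sudoers=SAMPLE_SUDOERS):
    """Run both checks and return the findings as a dict."""
    return {
        "unmasked_inputs": find_unmasked_password_inputs(html),
        "pwfeedback_directives": sudoers_pwfeedback_directives(sudoers),
    }


if __name__ == "__main__":
    for check, findings in audit().items():
        print(f"{check}: {findings if findings else 'none'}")
```

Run against real templates and `/etc/sudoers` (plus `/etc/sudoers.d/*`), an empty result for both checks is the expected state; any `pwfeedback` directive or unmasked credential field is a deviation from the practitioner examples above. The HTML check is a heuristic: fields named without one of the hint substrings are not examined, so it complements rather than replaces a manual review of custom login and admin pages.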