Description:   

Authentication processes resist replay attacks if it is impractical to successfully authenticate by recording or replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges, such as time-synchronous or challenge-response one-time authenticators. [SP 800-63-3] provides guidance on digital identities.


Priority: High   


Category: Baseline Security Configurations 


Services Associated with AWS:   

  • AWS Identity and Access Management (IAM), AWS Multi-Factor Authentication (MFA), AWS Directory Service, AWS Single Sign-On


Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
  • Technical: screenshot of configuration settings  


Possible Technology Considerations:

  • Identity & Access Management (IAM)
  • Secure Baseline Configurations (SBC) 


What needs to be answered:

Are only anti-replay authentication mechanisms used? Are defined replay-resistant authentication mechanisms used for network access to privileged and non-privileged accounts? 


  • Implement Replay-Resistant Authentication Mechanisms for Network Access
    Description: This check ensures that organizations employ replay-resistant authentication mechanisms for network access to both privileged and non-privileged accounts. In a replay attack, previously captured authentication messages are resent to gain unauthorized access. To mitigate this risk, authentication processes should use techniques that make it impractical to authenticate successfully by recording and replaying earlier messages. Replay-resistant mechanisms include the use of nonces (single-use random values) or challenges, such as time-synchronous or challenge-response one-time authenticators. These mechanisms ensure that each authentication attempt is unique and that a captured response cannot be reused. By implementing replay-resistant authentication mechanisms, organizations strengthen network access controls and reduce the risk of unauthorized account access.
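The following is an added illustration of the nonce-based challenge-response property described above; it is not part of the control text or of any AWS service. It assumes a shared symmetric secret per user and HMAC-SHA256 as the response function (both assumptions), and shows that a captured response is rejected when replayed because the nonce is consumed on first use and expires after a short window.

```python
import hashlib
import hmac
import secrets
import time


class ChallengeResponseServer:
    """Server side of a single-use-nonce challenge-response authenticator."""

    def __init__(self, shared_secrets, nonce_ttl=60):
        self._secrets = shared_secrets   # user -> shared key (bytes); constructed for the demo
        self._pending = {}               # nonce -> (user, issued_at)
        self._ttl = nonce_ttl            # seconds a challenge stays valid

    def issue_challenge(self, user):
        nonce = secrets.token_bytes(16)  # fresh, unpredictable value per attempt
        self._pending[nonce] = (user, time.time())
        return nonce

    def verify(self, user, nonce, response, now=None):
        now = time.time() if now is None else now
        # pop() makes the nonce single-use: a second presentation finds nothing
        entry = self._pending.pop(nonce, None)
        if entry is None or entry[0] != user or now - entry[1] > self._ttl:
            return False
        expected = hmac.new(self._secrets[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time comparison


def client_respond(secret, nonce):
    """Client side: prove knowledge of the secret for this specific nonce."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def demo():
    """Returns (legitimate_ok, replay_ok, stale_ok, expired_ok)."""
    secret = b"constructed-shared-secret"
    server = ChallengeResponseServer({"alice": secret}, nonce_ttl=60)

    nonce1 = server.issue_challenge("alice")
    resp1 = client_respond(secret, nonce1)
    legitimate_ok = server.verify("alice", nonce1, resp1)   # True
    replay_ok = server.verify("alice", nonce1, resp1)       # False: nonce consumed

    nonce2 = server.issue_challenge("alice")
    stale_ok = server.verify("alice", nonce2, resp1)        # False: response bound to nonce1

    nonce3 = server.issue_challenge("alice")
    resp3 = client_respond(secret, nonce3)
    expired_ok = server.verify("alice", nonce3, resp3, now=time.time() + 120)  # False: TTL
    return legitimate_ok, replay_ok, stale_ok, expired_ok
```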


More Details:   

Multi-factor authentication in place uses replay-resistant mechanisms.