Level 2
Description:
The feedback from systems does not provide any information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems or system components, for example, desktop or notebook computers with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with small displays, this threat may be less significant, and is balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring authenticator feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before fully obscuring it.
Priority: High
Domain: IDENTIFICATION AND AUTHENTICATION (IA)
Services Associated with AWS:
- AWS Identity and Access Management (IAM), AWS Single Sign-On (SSO)
Services Associated with Azure:
- Azure Active Directory (Azure AD)
- Azure Multi-Factor Authentication
- Azure Security Center
- Azure Sentinel
- Azure Information Protection
- Azure Key Vault
- Azure Virtual Machines
- Azure SQL Database
- Azure Storage
- Azure App Service
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
- Technical: screenshot of configuration settings
Possible Technology Considerations:
- Identity & Access Management (IAM)
- Secure Baseline Configurations (SBC)
What needs to be answered:
Do the authentication mechanisms obscure feedback of authentication information during the authentication process? Do the authentication mechanisms not return any system specific information such as “wrong password” or “wrong username”?
Checks for AWS
- Obscuring Authenticator Feedback
Description: This check ensures that systems obscure the feedback of authentication information to prevent unauthorized individuals from compromising the authentication mechanisms. Obscuring authenticator feedback involves techniques such as displaying asterisks or masking the input as users type passwords into input devices. The feedback may also be displayed for a limited time before fully obscuring it, reducing the risk of shoulder surfing or unauthorized observation.
Checks for Azure
- Obscure Authenticator Feedback
Description: This check ensures that authentication mechanisms in Azure obscure the feedback of authentication information during the authentication process. Obscuring authenticator feedback helps prevent unauthorized individuals from compromising the authentication mechanisms by limiting the visibility of authentication information, such as passwords or usernames. Techniques may include displaying asterisks or masking the input as users type passwords into input devices, as well as limiting the duration of feedback display. - Prevent System-Specific Authentication Feedback
Description: This check verifies that authentication mechanisms in Azure do not return any system-specific information, such as "wrong password" or "wrong username," during the authentication process. Providing system-specific feedback can give potential attackers valuable information about the validity of authentication credentials, facilitating unauthorized access attempts. It is important to provide generic error messages to avoid leaking sensitive information.
More Details: All feedback information for password entry is obscured by default.