IA-5: Authenticator Management
Control Family: Identification and Authentication
Previous Version: NIST Special Publication 800-53 Revision 4, IA-5: Authenticator Management
Control Statement
Manage system authenticators by:
- Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;
- Establishing initial authenticator content for any authenticators issued by the organization;
- Ensuring that authenticators have sufficient strength of mechanism for their intended use;
- Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;
- Changing default authenticators prior to first use;
- Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur;
- Protecting authenticator content from unauthorized disclosure and modification;
- Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and
- Changing authenticators for group or role accounts when membership to those accounts changes.
Supplemental Guidance
Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.
Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed.
Control Enhancements
IA-5(1): Password-based Authentication
Baseline(s):
- Low
- Moderate
- High
For password-based authentication:
- Maintain a list of commonly-used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised directly or indirectly;
- Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in…
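As an added illustration of IA-5(1) that is not part of the NIST text: a password-change check that rejects candidates found on a blocked-password list and stores the accepted authenticator only as a salted scrypt hash, in line with the supplemental guidance on protecting stored authenticator content. The blocklist contents, the minimum length and the scrypt cost parameters are constructed assumptions standing in for organization-defined values.

```python
import hashlib
import os
import secrets

# Constructed stand-in for the organization's list of commonly-used, expected,
# or compromised passwords; a real deployment loads it from a file and refreshes
# it on the organization-defined schedule and after a suspected compromise.
BLOCKLIST = {"password", "123456", "qwerty", "welcome1", "letmein", "acme2024"}
MIN_LENGTH = 12                            # assumed organization-defined minimum
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)  # assumed cost parameters


def normalize(password):
    # Case-insensitive, whitespace-trimmed comparison so trivial variants of a
    # blocked entry (" Password") are still rejected.
    return password.strip().lower()


def check_password(candidate, blocklist=BLOCKLIST):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if normalize(candidate) in blocklist:
        problems.append("found on the blocked-password list")
    return problems


def hash_password(password):
    # Never store the password itself: keep a random salt and a slow,
    # memory-hard scrypt digest so a copied credential file is not directly usable.
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(password, salt, digest):
    # Constant-time comparison avoids leaking how many digest bytes matched.
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return secrets.compare_digest(candidate, digest)


def set_password(candidate):
    """Apply the IA-5(1) check, then return (salt, digest); raise ValueError if rejected."""
    problems = check_password(candidate)
    if problems:
        raise ValueError("; ".join(problems))
    return hash_password(candidate)
```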
IA-5(2): Public Key-based Authentication
Baseline(s):
- Moderate
- High
For public key-based authentication:
- Enforce authorized access to the corresponding private key; and
- Map the authenticated identity to the account of the individual or group; and
- When public key infrastructure (PKI) is used:
  - Validate certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; and
  - Implement a…
IA-5(5): Change Authenticators Prior to Delivery
Baseline(s):
Require developers and installers of system components to provide unique authenticators or change default authenticators prior to delivery and installation.
IA-5(6): Protection of Authenticators
Baseline(s):
- Moderate
- High
Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access.
IA-5(7): No Embedded Unencrypted Static Authenticators
Baseline(s):
Ensure that unencrypted static authenticators are not embedded in applications or other forms of static storage.
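As an added example (not part of the NIST text) of checking for the condition IA-5(7) prohibits: a small scanner that flags credential literals and user:password URLs in source or configuration text, run here over constructed sample lines whose values are all made up. Lines that read the secret from the environment at runtime, as the second sample line does, are not flagged.

```python
import re

# Constructed sample file contents; every credential value here is made up.
SAMPLE_FILES = {
    "settings.py": [
        'DB_URL = "postgres://app:hunter2@db.internal:5432/app"',
        'API_KEY = os.environ["API_KEY"]',
    ],
    "deploy.sh": [
        'export ADMIN_PASSWORD="Winter2024!"',
        'export VAULT_ADDR="https://vault.internal"',
    ],
}

# Two shapes of an unencrypted static authenticator embedded in static storage:
# a credential-named variable assigned a quoted literal, and a URL carrying
# user:password@ in its authority part.
PATTERNS = [
    ("credential literal",
     re.compile(r'(?i)\b\w*(password|passwd|secret|token|api_key)\w*\s*=\s*["\'][^"\']+["\']')),
    ("password in URL", re.compile(r'\w+://[^/\s:]+:[^@\s]+@')),
]


def scan_lines(name, lines):
    """Return (file, line number, finding) tuples for one file's lines."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for label, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((name, lineno, label))
    return findings


def scan_files(files=SAMPLE_FILES):
    """Scan every file; an empty result means no embedded authenticator was found."""
    findings = []
    for name, lines in files.items():
        findings.extend(scan_lines(name, lines))
    return findings
```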
IA-5(8): Multiple System Accounts
Baseline(s):
Implement [Assignment: organization-defined security controls] to manage the risk of compromise due to individuals having accounts on multiple systems.
IA-5(9): Federated Credential Management
Baseline(s):
Use the following external organizations to federate credentials: [Assignment: organization-defined external organizations].
IA-5(10): Dynamic Credential Binding
Baseline(s):
Bind identities and authenticators dynamically using the following rules: [Assignment: organization-defined binding rules].
IA-5(12): Biometric Authentication Performance
Baseline(s):
For biometric-based authentication, employ mechanisms that satisfy the following biometric quality requirements [Assignment: organization-defined biometric quality requirements].
IA-5(13): Expiration of Cached Authenticators
Baseline(s):
Prohibit the use of cached authenticators after [Assignment: organization-defined time period].
IA-5(14): Managing Content of PKI Trust Stores
Baseline(s):
For PKI-based authentication, employ an organization-wide methodology for managing the content of PKI trust stores installed across all platforms, including networks, operating systems, browsers, and applications.
IA-5(15): GSA-approved Products and Services
Baseline(s):
Use only General Services Administration-approved products and services for identity, credential, and access management.
IA-5(16): In-person or Trusted External Party Authenticator Issuance
Baseline(s):
Require that the issuance of [Assignment: organization-defined types of and/or specific authenticators] be conducted [Assignment: in person, by a trusted external party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles].
IA-5(17): Presentation Attack Detection for Biometric Authenticators
Baseline(s):
Employ presentation attack detection mechanisms for biometric-based authentication.
IA-5(18): Password Managers
Baseline(s):
Employ [Assignment: organization-defined password managers] to generate and manage passwords; and Protect the passwords using [Assignment: organization-defined controls].