This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts.
NIST 800-53 (r4) Supplemental Guidance:
Authentication processes resist replay attacks if it is impractical to achieve successful authentications by recording/replaying previous authentication messages. Replay-resistant techniques include, for example, protocols that use nonces or challenges such as Transport Layer Security (TLS) and time synchronous or challenge-response one-time authenticators.
References: HSPD-12; OMB Memoranda 04-04, 06-16, 11-11; FIPS Publication 201; NIST Special Publications 800-63, 800-73, 800-76, 800-78; FICAM Roadmap and Implementation Guidance; Web: http://idmanagement.gov.
NIST 800-53 (r5) Discussion:
[Withdrawn: Incorporated into IA-2(8).]
38North Guidance:
Meets Minimum Requirement:
Implements replay-resistant authentication mechanisms for network access to non-privileged accounts.
Best Practice:
Require safeguards, such as TLS 1.2 or higher, to protect the authenticator during network (remote) access to non-privileged accounts.
Implement MFA hardware or software tokens that are FIPS 140-2 or FIPS 140-3 validated and that use a one-time password (OTP) mechanism (a PIN that changes every 60 seconds). Examples include RSA tokens, Gemalto tokens, or Google Authenticator.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Evidence that MFA hardware or software tokens are FIPS 140-2 or FIPS 140-3 validated, so that strong encryption is used, and that TLS 1.2 or higher protects network access to non-privileged accounts.
Hardware or software tokens should have unique serial number identifiers so that they are replay-resistant.
Require a memorized secret as well as the unique MFA token.
CSP Implementation Tips: TBD