This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
NIST 800-53 (r4) Supplemental Guidance:
The feedback from information systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of information systems or system components, for example, desktops/notebooks with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with 2-4 inch screens, this threat may be less significant, and may need to be balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring the feedback of authentication information includes, for example, displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before fully obscuring it. Related control: PE-18.
References: None.
NIST 800-53 (r5) Discussion:
Authentication feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, such as desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, such as mobile devices with small displays, the threat may be less significant and is balanced against the increased likelihood of typographic input errors due to small keyboards. Thus, the means for obscuring authentication feedback is selected accordingly. Obscuring authentication feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before obscuring it.
Related Controls: AC-3.
38North Guidance:
Meets Minimum Requirement:
Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
Best Practice:
Implement mechanisms to not permit feedback of authentication to be viewable in clear text aka obscure by using asterisks, dots, etc when typing passwords.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Observe authentication to system components to verify passwords aren’t displayed in clear text while authenticating.
Screenshots of personnel authenticating into the FedRAMP environment as well as system components showing that passwords aren’t displayed as they are being typed.
CSP Implementation Tips: TBD