NIST 800-171 - Authenticator Feedback (3.5.11)

Overview:
Obscure feedback of authentication information.

Action Items:
3.5.11[a]
Determine if: authentication information is obscured during the authentication process.

POTENTIAL ASSESSMENT METHODS AND OBJECTS

1
Examine: Identification and authentication policy; procedures addressing authenticator feedback; system security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].

2
Interview: Personnel with information security responsibilities; system or network administrators; system developers].

3
Test: Mechanisms supporting or implementing the obscuring of feedback of authentication information during authentication].

Related Documents (document name and content will vary by organization):
1) Identification and authentication policy
2) procedures addressing authenticator feedback
3) system security plan
4) system design documentation
5) system configuration settings and associated documentation
6) system audit logs and records
7) other relevant documents or records

Additional Guidance:
The feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems or system components, for example, desktop or notebook computers with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with small displays, this threat may be less significant, and is balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring authenticator feedback includes, for example, displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before fully obscuring it.