03.05.11: Authentication Feedback

Control Family: Identification and Authentication

SPRS: N/A

Top Ten Failed Requirement: N/A

Supporting Publications:

N/A

Referenced in: N/A

Control Type: N/A

CPCSC Level 2: 03.05.11

CMMC Level(s): N/A

Derived From: NIST SP 800-53r5

  • IA-06

Obscure feedback of authentication information during the authentication process.

Discussion:

Authentication feedback does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For example, for desktop or notebook systems with relatively large monitors, the threat may be significant (commonly referred to as shoulder surfing). For mobile devices with small displays, this threat may be less significant and is balanced against the increased likelihood of input errors due to small keyboards. Therefore, the means of obscuring authenticator feedback is selected accordingly. Obscuring feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a limited time before fully obscuring it.
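The two obscuring strategies the discussion names (full masking for large displays, a brief reveal of the last character for small ones) can be captured in a single input-field renderer. The following is an added example, not part of the NIST text; the class and method names are assumptions, and it models only the display behaviour, not a real login prompt.

```python
import time

MASK = "*"


class MaskedAuthField:
    """Render authenticator input as the control describes: every
    character is masked, except that the most recently typed character
    may be shown for a short window before it too is obscured.
    reveal_seconds=0 gives full masking (desktop, shoulder-surfing
    risk); a small positive value gives small-display feedback that
    helps users catch input errors on cramped keyboards."""

    def __init__(self, reveal_seconds=0.0):
        self.reveal_seconds = reveal_seconds
        self._secret = []          # the actual authenticator, never rendered
        self._last_typed_at = None  # monotonic timestamp of the last keystroke

    def type_char(self, ch, now=None):
        now = time.monotonic() if now is None else now
        self._secret.append(ch)
        self._last_typed_at = now

    def backspace(self, now=None):
        if self._secret:
            self._secret.pop()
        # Nothing new was typed, so there is nothing to reveal afterwards.
        self._last_typed_at = None

    def render(self, now=None):
        """Return the string that may safely be shown on screen."""
        now = time.monotonic() if now is None else now
        n = len(self._secret)
        if n == 0:
            return ""
        reveal = (
            self.reveal_seconds > 0
            and self._last_typed_at is not None
            and now - self._last_typed_at < self.reveal_seconds
        )
        if reveal:
            return MASK * (n - 1) + self._secret[-1]
        return MASK * n

    def value(self):
        """The real authenticator, used only for verification, never for display."""
        return "".join(self._secret)
```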

Assessment Methods and Objectives

Examine [SELECT FROM: identification and authentication policy and procedures; procedures for authenticator feedback; system design documentation; system configuration settings; system audit records; system security plan; other relevant documents or records]

Interview [SELECT FROM: personnel with information security responsibilities; system developers; system administrators]

Test [SELECT FROM: mechanisms for supporting or implementing the obscuring of feedback of authentication information during authentication]

NIST SP 800-171A r3 Determining Statements

Determine if:

A.03.05.11: feedback of authentication information during the authentication process is obscured.