last sync: 2024-Oct-11 17:51:27 UTC

Obscure feedback information during authentication process | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Obscure feedback information during authentication process
Id 1ff03f2a-974b-3272-34f2-f6cd51420b30
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_C1344 - Obscure feedback information during authentication process
Additional metadata Name/Id: CMA_C1344 / CMA_C1344
Category: Operational
Title: Obscure feedback information during authentication process
Ownership: Customer
Description: The customer is responsible for obscuring authentication feedback information during the authentication process for any customer-deployed resources.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 11 compliance controls are associated with this Policy definition 'Obscure feedback information during authentication process' (1ff03f2a-974b-3272-34f2-f6cd51420b30)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 IA-6 FedRAMP_High_R4_IA-6 FedRAMP High IA-6 Identification And Authentication Authenticator Feedback Shared n/a The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. Supplemental Guidance: The feedback from information systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of information systems or system components, for example, desktops/notebooks with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with 2-4 inch screens, this threat may be less significant, and may need to be balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring the feedback of authentication information includes, for example, displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before fully obscuring it. Related control: PE-18. Control Enhancements: None. References: None. link 1
FedRAMP_Moderate_R4 IA-6 FedRAMP_Moderate_R4_IA-6 FedRAMP Moderate IA-6 Identification And Authentication Authenticator Feedback Shared n/a The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. Supplemental Guidance: The feedback from information systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of information systems or system components, for example, desktops/notebooks with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with 2-4 inch screens, this threat may be less significant, and may need to be balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring the feedback of authentication information includes, for example, displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before fully obscuring it. Related control: PE-18. Control Enhancements: None. References: None. link 1
hipaa 1002.01d1System.1-01.d hipaa-1002.01d1System.1-01.d 1002.01d1System.1-01.d 10 Password Management 1002.01d1System.1-01.d 01.02 Authorized Access to Information Systems Shared n/a Passwords are not displayed when entered. 2
hipaa 1006.01d2System.1-01.d hipaa-1006.01d2System.1-01.d 1006.01d2System.1-01.d 10 Password Management 1006.01d2System.1-01.d 01.02 Authorized Access to Information Systems Shared n/a Passwords are not included in automated log-on processes. 5
ISO27001-2013 A.9.4.2 ISO27001-2013_A.9.4.2 ISO 27001:2013 A.9.4.2 Access Control Secure log-on procedures Shared n/a Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure. link 17
NIST_SP_800-171_R2_3 .5.11 NIST_SP_800-171_R2_3.5.11 NIST SP 800-171 R2 3.5.11 Identification and Authentication Obscure feedback of authentication information Shared Microsoft and the customer share responsibilities for implementing this requirement. The feedback from systems does not provide any information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems or system components, for example, desktop or notebook computers with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with small displays, this threat may be less significant, and is balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring authenticator feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before fully obscuring it. link 1
NIST_SP_800-53_R4 IA-6 NIST_SP_800-53_R4_IA-6 NIST SP 800-53 Rev. 4 IA-6 Identification And Authentication Authenticator Feedback Shared n/a The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. Supplemental Guidance: The feedback from information systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of information systems or system components, for example, desktops/notebooks with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with 2-4 inch screens, this threat may be less significant, and may need to be balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring the feedback of authentication information includes, for example, displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before fully obscuring it. Related control: PE-18. Control Enhancements: None. References: None. link 1
NIST_SP_800-53_R5 IA-6 NIST_SP_800-53_R5_IA-6 NIST SP 800-53 Rev. 5 IA-6 Identification and Authentication Authentication Feedback Shared n/a Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals. link 1
op.acc.2 Access requirements op.acc.2 Access requirements 404 not found n/a n/a 64
op.acc.5 Authentication mechanism (external users) op.acc.5 Authentication mechanism (external users) 404 not found n/a n/a 72
op.acc.6 Authentication mechanism (organization users) op.acc.6 Authentication mechanism (organization users) 404 not found n/a n/a 78
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 1ff03f2a-974b-3272-34f2-f6cd51420b30
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC