// Level 3 · Controls

Identification and Authentication

Identify users and authenticate identities.

Identify system users, processes acting on behalf of users, and devices.

Authenticate the identities of users, processes, or devices as a prerequisite to allowing access.

Use multifactor authentication for access to privileged accounts and for network access to non-privileged accounts.

Employ replay-resistant authentication mechanisms.

Prevent reuse of identifiers for a defined period.

Disable identifiers after a defined period of inactivity.

Enforce a minimum password complexity and change of characters when new passwords are created.

Prohibit password reuse for a specified number of generations.

Allow temporary password use for system logons with an immediate change to a permanent password.

Store and transmit only cryptographically protected passwords.

Obscure feedback of authentication information.