IA-05-727 Authenticator Management

IA-05-727
Authenticator Management
Identification and Authentication
LOW, MOD, HIGH
P1
Yes
August 17, 2016

Passphrases are the primary authenticator mechanism in use within the Agency. When new user identifiers are provisioned in an Agency information resource, the authorized official shall generate a random one-time passphrase that satisfies the Agency's minimum passphrase complexity requirements, and provide the new user's identifier and temporary passphrase to the sponsoring employee. Mechanisms within the information resource that force a passphrase change on first login shall be used whenever available. New user instructions shall include guidance to configure the two-factor authentication service for password self-service reset as soon as the user successfully logs in. Passphrases with indications of being lost or compromised (e.g., appearing in a publicly available user database dump), and passphrases that are discovered through routine auditing, shall be expired immediately and the user forced to change their passphrase on next login.

Users shall be directed to self-service passphrase reset portals whenever possible. In the event a user cannot perform a self-service reset, the user must contact the information resource administrator from their office phone (verified by the administrator using internal 5-digit caller ID) and provide identity verification such as UIN or other personal information. The administrator may issue a random one-time passphrase that satisfies the Agency's minimum passphrase complexity requirements over the phone, send the one-time passphrase to a trusted third party, or require the user to appear in person to receive the one-time passphrase.

Passphrase complexity and lifecycle standards for standard users shall adhere to the Center for Internet Security (CIS) benchmark, or the following, whichever is more stringent: minimum 8 characters, including a mix of upper-case, lower-case, and numbers or special characters; minimum 1 day between password changes; maximum 180 days between password changes; may not reuse previous 24 passwords. Privileged users and service accounts adhere to the same standards, with the exception of a minimum 14 characters. These standards shall be published at https://u.tti.tamu.edu/password-policy.
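The complexity and lifecycle standards above, together with the random one-time passphrase required for new-account provisioning, can be enforced mechanically. The following is an added example written for this page, not code from the Agency or from the CIS benchmark; the names PassphrasePolicy, PassphraseHistory and the function names are assumptions chosen for illustration. It encodes the stated numbers (8 or 14 character minimum, upper-case plus lower-case plus a digit or special character, 1-day minimum age, 180-day maximum age, 24-generation reuse prohibition), generates a compliant temporary passphrase with the secrets module, and keeps the reuse history as salted PBKDF2 digests so previous passphrases are never stored in clear text. A forced change (first login after a temporary passphrase, or a compromised passphrase) bypasses the minimum-age rule, which is the edge case a naive implementation gets wrong.

```python
# Added example (not part of the Agency policy text): checks that enforce the
# passphrase standards stated above. PassphrasePolicy, PassphraseHistory and
# the function names are assumptions for illustration, not policy or CIS terms.
import hashlib
import hmac
import re
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class PassphrasePolicy:
    min_length: int = 8        # characters
    min_age_days: int = 1      # minimum time between changes
    max_age_days: int = 180    # maximum time between changes
    history_size: int = 24     # previous passphrases that may not be reused


STANDARD_USER = PassphrasePolicy()
PRIVILEGED_USER = PassphrasePolicy(min_length=14)   # same rules, longer minimum


def complexity_violations(passphrase: str, policy: PassphrasePolicy) -> list:
    """Return the complexity rules the passphrase fails (empty list = compliant)."""
    problems = []
    if len(passphrase) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if not re.search(r"[A-Z]", passphrase):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", passphrase):
        problems.append("no lower-case letter")
    # The standard asks for numbers OR special characters, not both.
    if not re.search(r"[0-9]", passphrase) and not re.search(r"[^A-Za-z0-9]", passphrase):
        problems.append("no digit or special character")
    return problems


def generate_one_time_passphrase(policy: PassphrasePolicy, length: Optional[int] = None) -> str:
    """Random temporary passphrase for provisioning, drawn with the secrets
    module and re-drawn until it satisfies the complexity rules."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    length = length or policy.min_length + 8
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not complexity_violations(candidate, policy):
            return candidate


class PassphraseHistory:
    """Bounded history of salted PBKDF2 digests, used to refuse reuse of the
    previous history_size passphrases without keeping them in clear text."""

    def __init__(self, policy: PassphrasePolicy, iterations: int = 200_000):
        self.policy = policy
        self.iterations = iterations
        self._entries = []   # (salt, digest) pairs, oldest first

    def _digest(self, passphrase: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, self.iterations)

    def was_used(self, passphrase: str) -> bool:
        return any(hmac.compare_digest(self._digest(passphrase, salt), digest)
                   for salt, digest in self._entries)

    def record(self, passphrase: str) -> None:
        salt = secrets.token_bytes(16)
        self._entries.append((salt, self._digest(passphrase, salt)))
        del self._entries[:-self.policy.history_size]   # keep the newest generations only


def change_allowed(last_changed: datetime, now: datetime, policy: PassphrasePolicy) -> bool:
    """Minimum-lifetime rule: a voluntary change inside the minimum age is refused."""
    return now - last_changed >= timedelta(days=policy.min_age_days)


def change_required(last_changed: datetime, now: datetime, policy: PassphrasePolicy) -> bool:
    """Maximum-lifetime rule: the passphrase has expired once it reaches the maximum age."""
    return now - last_changed >= timedelta(days=policy.max_age_days)


def accept_new_passphrase(candidate: str, history: PassphraseHistory, last_changed: datetime,
                          now: datetime, policy: PassphrasePolicy, forced: bool = False) -> list:
    """Combined check at change time; returns the reasons for rejection (empty = accepted).
    A forced change (first login, lost/compromised passphrase) skips the minimum-age rule."""
    reasons = complexity_violations(candidate, policy)
    if not forced and not change_allowed(last_changed, now, policy):
        reasons.append(f"changed less than {policy.min_age_days} day(s) ago")
    if history.was_used(candidate):
        reasons.append(f"matches one of the previous {policy.history_size} passphrases")
    return reasons
```

The PBKDF2 iteration count is a parameter so that a bulk audit over many accounts can use a lower cost; the per-entry salt means the same passphrase never produces the same digest twice, and hmac.compare_digest keeps the comparison constant-time.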

Public key infrastructure authenticators (digital certificate private keys) are valid for no more than three (3) years from date of issue.

Users are prohibited from sharing their authenticator with any other person.

An information resource owner with responsibility for a group/role account shall ensure the authenticator is changed immediately upon revocation of a user's access to the group/role account.

Unauthorized users gain access through user accounts based on a password that was disclosed while it was being communicated to the authorized user.
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes.
Passwords, tokens, biometrics, etc. are utilized for access to information systems.
The state organization manages information system authenticators by:
• defining initial authenticator content;
• establishing administrative procedures for initial authenticator distribution, for lost/compromised, or damaged authenticators, and for revoking authenticators; and
• changing default authenticators upon information system installation.
Obtain identification and authentication policy; password policy; list of authenticators that require in-person registration; authenticator registration documentation; security plan; procedures addressing authenticator management; information system design documentation; information system configuration settings and associated documentation; list of information system accounts; other relevant documents or records and ascertain if:
(i) the organization manages information system authenticators by defining initial authenticator content;
(ii) the organization manages information system authenticators by establishing administrative procedures for initial authenticator distribution, for lost/compromised, or damaged authenticators, and for revoking authenticators;
(iii) the organization manages information system authenticators by changing default authenticators upon information system installation;
(iv) the organization manages information system authenticators by changing/refreshing authenticators periodically;
(v) the organization defines the minimum password complexity requirements to be enforced for case sensitivity, the number of characters, and the mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type;
(vi) the organization defines the minimum number of characters that must be changed when new passwords are created;
(vii) the organization defines the restrictions to be enforced for password minimum lifetime and password maximum lifetime parameters;
(viii) the organization defines the number of generations for which password reuse is prohibited; and
(ix) the information system, for password-based authentication:
- enforces the minimum password complexity standards that meet the organization-defined requirements;
- enforces the organization-defined minimum number of characters that must be changed when new passwords are created;
- encrypts passwords in storage and in transmission;
- enforces the organization-defined restrictions for password minimum lifetime and password maximum lifetime parameters;
- prohibits password reuse for the organization-defined number of generations.