myctrl.tools
Compare

IA-6Authentication Feedback

LOW
MODERATE
HIGH

>Control Description

Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.

>Cross-Framework Mappings

SCF

IAC-11
Compare

>Programmatic Queries

Beta

Related Services

Cognito
IAM
WorkSpaces

CLI Commands

Check Cognito password policy
aws cognito-idp describe-user-pool --user-pool-id POOL_ID --query 'UserPool.Policies.PasswordPolicy'
Get IAM password policy
aws iam get-account-password-policy
Check Cognito advanced security
aws cognito-idp describe-user-pool --user-pool-id POOL_ID --query 'UserPool.UserPoolAddOns'
List failed login attempts
aws cognito-idp admin-list-user-auth-events --user-pool-id POOL_ID --username USERNAME
Open AWS ConsoleDocumentation

>Supplemental Guidance

Authentication feedback from systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of systems, such as desktops or notebooks with relatively large monitors, the threat (referred to as shoulder surfing) may be significant. For other types of systems, such as mobile devices with small displays, the threat may be less significant and is balanced against the increased likelihood of typographic input errors due to small keyboards.

Thus, the means for obscuring authentication feedback is selected accordingly. Obscuring authentication feedback includes displaying asterisks when users type passwords into input devices or displaying feedback for a very limited time before obscuring it.

>Related Controls

AC-3

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of IA-6 (Authentication Feedback)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring IA-6?
  • How frequently is the IA-6 policy reviewed and updated, and what triggers policy changes?
  • What governance structure ensures IA-6 requirements are consistently applied across all systems?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce IA-6 requirements.
  • What automated tools, systems, or technologies are deployed to implement IA-6?
  • How is IA-6 integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce IA-6 requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of IA-6?
  • What audit logs, records, reports, or monitoring data validate IA-6 compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of IA-6 effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate IA-6 compliance?

Ask AI

Configure your API key to use AI features.