This section covers guidelines for authentication and log-on procedures that minimize the risk of unauthorized access to systems or applications. Strong authentication alternatives to passwords include digital certificates, smart cards, tokens, and biometric means; they should be used for the organization's more critical information systems. Multi-factor authentication should combine several independent factors to eliminate unauthorized access. Log-on procedures should lessen the risk of unauthorized access by, among other things, hiding sensitive information until the log-on process has completed, showing a generic warning notice, and logging both unsuccessful and successful attempts. Finally, inactive sessions should be terminated after a defined period of inactivity, and connection durations should be restricted for high-risk applications. See also 5.17.
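The following is an added illustration, not part of the original text and not any standard's reference implementation, of how the log-on requirements above translate into code: a generic pre-login banner that reveals nothing about the system, one identical failure message whether the username is unknown or the password is wrong (with the password hash always computed so the two cases also take the same time), an audit record for every successful and unsuccessful attempt, and sessions that are terminated after a period of inactivity and, for high-risk applications, after an absolute maximum duration. The in-memory user store, the PBKDF2 parameters, the timeout values and the injectable clock are assumptions chosen so the example runs offline.

```python
"""Log-on handler illustrating the secure authentication controls above.

Added example. Assumptions (not from the text): an in-memory user store,
PBKDF2-SHA256 password hashing, and an injectable clock so that the idle and
absolute session timeouts can be exercised without waiting.
"""
import hashlib
import hmac
import secrets
import time

# One generic message for every failure: it must not reveal whether the user
# exists, whether the password was wrong, or whether the account is disabled.
GENERIC_FAILURE = "Authentication failed."
# Generic warning shown before log-on; no product names, versions or hostnames.
LOGIN_BANNER = "Authorised users only. Activity on this system is monitored."


class AuthService:
    def __init__(self, clock=time.time, idle_timeout=900, max_duration=3600):
        self._clock = clock
        self._idle_timeout = idle_timeout   # seconds of inactivity before termination
        self._max_duration = max_duration   # absolute cap, for high-risk applications
        self._users = {}                    # username -> (salt, pbkdf2 hash)
        self._sessions = {}                 # session id -> {user, started, last_seen}
        self.audit = []                     # structured log of attempts and expiries
        # Hash of a throwaway password, verified for unknown usernames so that an
        # unknown user and a wrong password cost the same time (no enumeration).
        self._dummy_salt = secrets.token_bytes(16)
        self._dummy_hash = self._derive("constructed-dummy-password", self._dummy_salt)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _log(self, event, **fields):
        self.audit.append({"ts": self._clock(), "event": event, **fields})

    def pre_login_screen(self):
        """Everything a user sees before authenticating: the warning banner only."""
        return LOGIN_BANNER

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._derive(password, salt))

    def login(self, username, password, source):
        """Return (ok, message, session_id); the message is generic on failure."""
        salt, stored = self._users.get(username, (self._dummy_salt, self._dummy_hash))
        candidate = self._derive(password, salt)          # always computed
        ok = hmac.compare_digest(candidate, stored) and username in self._users
        if not ok:
            self._log("login_failure", user=username, source=source)
            return False, GENERIC_FAILURE, None
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": username, "started": now, "last_seen": now}
        self._log("login_success", user=username, source=source)
        # Sensitive detail (the greeting, the user's name) only after log-on completes.
        return True, f"Welcome, {username}.", sid

    def touch(self, session_id):
        """Validate a session on each request; terminate it on idle or absolute timeout."""
        s = self._sessions.get(session_id)
        if s is None:
            return False
        now = self._clock()
        if now - s["last_seen"] > self._idle_timeout:
            self._terminate(session_id, "idle_timeout")
            return False
        if now - s["started"] > self._max_duration:
            self._terminate(session_id, "max_duration")
            return False
        s["last_seen"] = now
        return True

    def _terminate(self, session_id, reason):
        s = self._sessions.pop(session_id)
        self._log("session_terminated", user=s["user"], reason=reason)


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "correct horse battery staple")   # constructed test user
    print(svc.pre_login_screen())
    print(svc.login("alice", "wrong password", "203.0.113.5")[1])
    print(svc.login("nobody", "anything", "203.0.113.5")[1])   # same message
    ok, msg, sid = svc.login("alice", "correct horse battery staple", "203.0.113.5")
    print(msg, svc.touch(sid))
    for rec in svc.audit:
        print(rec)
```

The `audit` list stands in for whatever log sink the application uses; what matters is that both outcomes are recorded with the source and the claimed username. `touch` is called on every request so that an idle session is reaped the first time it is used after the timeout rather than left open, and the absolute `max_duration` check is what enforces a restricted connection time for a high-risk application.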