Deny access with inactive credentials
Summary
The system must not allow users to authenticate with expired, revoked or blocked credentials.
Description
Inactive credentials pose a security risk to organizations. Each such credential or account offers a malicious actor an opportunity to gain access to resources.
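As an added example (not code from this page), the routine below denies authentication when a credential is revoked, blocked or expired, and does so before the secret is compared, so a correct password never overrides an inactive status; the `Credential` record, the `authenticate` function and the sample user are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib, hmac, os

@dataclass
class Credential:  # hypothetical record; status fields model the inactive states
    user: str
    salt: bytes
    pw_hash: bytes
    expires_at: datetime
    revoked: bool = False
    blocked: bool = False

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a modest iteration count for the demo
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def make_credential(user: str, password: str, lifetime_days: int, now: datetime) -> Credential:
    salt = os.urandom(16)
    return Credential(user, salt, hash_password(password, salt), now + timedelta(days=lifetime_days))

def authenticate(store: dict, user: str, password: str, now: datetime) -> tuple[bool, str]:
    """Return (allowed, reason); the reason is for the audit log only, not the user."""
    cred = store.get(user)
    if cred is None:
        return False, "unknown-user"
    # Status is checked before the secret: an inactive credential is refused
    # even when the presented password is correct (fail closed).
    if cred.revoked:
        return False, "revoked"
    if cred.blocked:
        return False, "blocked"
    if now >= cred.expires_at:
        return False, "expired"
    if not hmac.compare_digest(hash_password(password, cred.salt), cred.pw_hash):
        return False, "bad-secret"
    return True, "ok"

def demo() -> dict:
    """Constructed scenario: the correct secret against each credential state."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = {"alice": make_credential("alice", "correct horse", 90, t0)}
    out = {"active": authenticate(store, "alice", "correct horse", t0)[1],
           "wrong-secret": authenticate(store, "alice", "battery staple", t0)[1],
           "expired": authenticate(store, "alice", "correct horse", t0 + timedelta(days=90))[1]}
    store["alice"].blocked = True
    out["blocked"] = authenticate(store, "alice", "correct horse", t0)[1]
    store["alice"].revoked = True  # revocation takes precedence over a block
    out["revoked"] = authenticate(store, "alice", "correct horse", t0)[1]
    return out
```

Only the active credential yields `ok`; every inactive state is refused with a reason suitable for audit logging while the user-facing response stays generic.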
Supported In
This requirement is verified in the following services:
| Plan | Supported |
|---|---|
| Essential | 🔴 |
| Advanced | 🟢 |
References
- HIPAA-164_310_a_2_iii. Access control and validation procedures (addressable)
- NERC CIP-004-6_R5. Access revocation
- OWASP TOP 10-A7. Identification and authentication failures
- SOC2®-CC6_2. Logical and physical access controls
- MITRE ATT&CK®-M1043. Credential access protection
- CMMC-AC_L2-3_1_10. Session lock
- CMMC-IA_L2-3_5_6. Identifier handling
- FedRAMP-AC-11. Session lock
- FedRAMP-PE-3. Physical access control
- ISO/IEC 27002-7_2. Physical entry controls
- LGPD-46. Security and Secrecy of Data
- ISA/IEC 62443-UC-2_1. Authorization enforcement
- WASSEC-2_1. Authentication schemes
- WASC-W_02. Insufficient authorization
- NIST SSDF-PW_1_1. Design software to meet security requirements and mitigate security risks
- OWASP Top 10 Privacy Risks-P8. Missing or insufficient session expiration
- BSAFSS-IA_1-2. Software development environment authenticates users and operators
- BSAFSS-AA_1-3. Authorization and access controls
- NIST 800-171-5_6. Disable identifiers after a defined period of inactivity
- CWE TOP 25-287. Improper authentication
- SIG Lite-SL_45. Termination or change of status process?
- ISO/IEC 27001-7_2. Physical entry controls
- SANS 25-13. Improper authentication