The system must not allow users to authenticate with expired, revoked or blocked credentials.
. Inactive credentials pose a security risk to organizations. Each one of these accounts offers a malicious actor an opportunity to gain access to resources.
This requirement is verified in following services:
- HIPAA-164_310_a_2_iii. Access control and validation procedures (addressable)
- NERC CIP-004-6_R5. Access revocation
- OWASP TOP 10-A7. Identification and authentication failures
- SOC2®-CC6_2. Logical and physical access controls
- MITRE ATT&CK®-M1043. Credential access protection
- CMMC-AC_L2-3_1_10. Session lock
- CMMC-IA_L2-3_5_6. Identifier handling
- FedRAMP-AC-11. Session lock
- FedRAMP-PE-3. Physical access control
- ISO/IEC 27002-7_2. Physical entry controls
- LGPD-46. Technical and organizational measures
- ISA/IEC 62443-UC-2_1. Authorization enforcement
- WASSEC-2_1. Authentication schemes
- WASC-W_02. Insufficient authorization
- NIST SSDF-PW_1_1. Design software to meet security requirements and mitigate security risks
- OWASP Privacy Risks-P8. Missing or insufficient session expiration
- BSAFSS-IA_1-2. Software development environment authenticates users and operators
- BSAFSS-AA_1-3. Authorization and access controls
- NIST 800-171-5_6. Disable identifiers after a defined period of inactivity
- CWE TOP 25-287. Improper authentication
- SIG Lite-SL_45. Termination or change of status process?