The system must not allow users to authenticate with expired, revoked or blocked credentials.
HIPAA Security Rules 164.310(a)(2)(iii): Access Control and Validation Procedures: Implement procedures to control and validate a person's access based on their role or function, including control of access to software programs for testing and revision.
NERC CIP-004-6. B. Requirements and measures. R5: Each Responsible Entity shall implement one or more documented access revocation program(s).
OWASP Top 10 A2:2017-Broken Authentication: Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
PCI DSS v3.2.1 - Requirement 6.5.10: Address common coding vulnerabilities in software-development processes such as broken authentication and session management.
PCI DSS v3.2.1 - Requirement 8.1.3: Immediately revoke access for any terminated users.