114 – Deny access with inactive credentials

Summary

The system must not allow users to authenticate with expired, revoked or blocked credentials.

Description

. Inactive credentials pose a security risk to organizations. Each one of these accounts offers a malicious actor an opportunity to gain access to resources.

Supported In

Advanced: True

References

• HIPAA-164_310_a_2_iii. Access control and validation procedures (addressable)
• NERCCIP-004-6_R5. Access revocation
• OWASP10-A7. Identification and authentication failures
• SOC2-CC6_2. Logical and physical access controls
• MITRE-M1043. Credential access protection
• CMMC-AC_L2-3_1_10. Session lock
• CMMC-IA_L2-3_5_6. Identifier handling
• FEDRAMP-AC-11. Session lock
• FEDRAMP-PE-3. Physical access control
• ISO27002-7_2. Physical entry controls
• LGPD-46. Security and Secrecy of Data
• IEC62443-UC-2_1. Authorization enforcement
• WASSEC-2_1. Authentication schemes
• WASC-W_02. Insufficient authorization
• NISTSSDF-PW_1_1. Design software to meet security requirements and mitigate security risks
• OWASPRISKS-P8. Missing or insufficient session expiration
• BSAFSS-IA_1-2. Software development environment authenticates users and operators
• BSAFSS-AA_1-3. Authorization and access controls
• NIST800171-5_6. Disable identifiers after a defined period of inactivity
• CWE25-287. Improper authentication
• SIGLITE-SL_45. Termination or change of status process?
• ISO27001-7_2. Physical entry controls
• SANS25-13. Improper authentication

Last updated

2024/02/05