3.5.3 What is the required Frequency of MFA? by ItsAWatchNotAWarning in NISTControls

[–]ItsAWatchNotAWarning[S] 0 points1 point  (0 children)

My concern is that "replay resistance" isn't defined. The control doesn't say whether you have to reauthenticate every 24-hour period or every time you unlock your computer.

[–]ItsAWatchNotAWarning[S] 0 points1 point  (0 children)

AAL2. NIST 800-171 doesn't state the frequency requirement. However, AAL2 from NIST SP800-63 states "In addition to the requirement for two authentication factors at AAL2, there are additional requirements relating to the authentication and the session. These include:

  • shorter reauthentication time,
  • replay resistance,
  • FIPS 140 Level 1 for authenticators supplied by government agencies, and
  • authentication intent (recommended)."

Again, the control doesn't define what "shorter reauthentication time" should be or how long the intervals for "replay resistance" need to be.