Reference: CMMC 2.0
Level Introduced: 2
Title: Replay-Resistant Authentication
Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
When insecure protocols are used for access to computing resources, there is the potential for an adversary to perform a man-in-the-middle attack and capture the information that permitted a staff member to log in. As part of a defense-in-depth strategy, it is important to use mechanisms that are resilient to the adversary reusing the captured information to gain access to the computing resources.
To protect your IT organization, you understand that the methods for authentication must not be easily copied and re-sent to your systems by an adversary. You conduct research and determine that certain protocols have replay resistance inherently designed into them. Your first step is to ensure Transport Layer Security (TLS) is enabled for access to relevant IT services. Coupled with the use of a secure protocol, you evaluate the use of multifactor authentication using public key infrastructure (PKI) or one-time password (OTP) tokens to protect staff logins. Based on your requirements, you select OTP tokens as the way to provide a time-bound challenge for user authentication to your IT services.