Trustmark Definition: Authentication - Use of Memorized Secret, version 1.0
Source: https://artifacts.trustmarkinitiative.org/lib/tds/authentication---use-of-memorized-secret/1.0/

Description: Memorized secrets (passwords and PINs) must be sufficiently hard to guess and adhere to the rules found within <a href="https://pages.nist.gov/800-63-3/sp800-63b.html#reqauthtype">NIST 800-63-3B: 5.1.1</a>.

Publication date: 2019-04-05
Publisher: Trustmark Initiative, https://trustmarkinitiative.org/
Primary contact: Trustmark Support, help@trustmarkinitiative.org, 555-555-5555, https://trustmarkinitiative.org/

Legal notice: This artifact is published by the Georgia Tech Research Institute (GTRI) as part of the Trustmark Initiative. This artifact and the information contained herein is provided on an "AS IS" basis, and GTRI disclaims all warranties, express or implied, including but not limited to any warranty that the use of the information herein will not infringe any rights or any implied warranties of merchantability or fitness for a particular purpose. In addition, GTRI disclaims legal liability for any loss incurred as a result of the use or reliance on the document or the information contained herein.

Terms (definitions are only partially recoverable from the record; surviving fragments are given after the term):

Access; Active Attack; Address of Record; Applicant; Approved Cryptography; Assertion; Assertion Reference; Asymmetric Keys; Attack; Attacker; Attribute; Attribute Bundle; Attribute Reference; Attribute Value; Authenticate (... authentication.); Authenticated Protected Channel; Authentication.

Authentication Factor: ... something you know, something you have, and something you are. Every authenticator has one or more authentication factors.

Authentication Intent; Authentication Protocol; Authentication Protocol Run.

Authentication Secret: ... short-term authentication secrets, which are only useful to an attacker for a limited period of time, and long-term authentication secrets, which allow an attacker to impersonate the subscriber until they are manually reset. The authenticator secret is the canonical example of a long-term authentication secret, while the authenticator output, if it is different from the authenticator secret, is usually a short-term authentication secret.

Authenticator (... token.); Authenticator Assurance Level (AAL); Authenticator Output; Authenticator Secret; Authenticator Type; Authenticity; Authoritative Source; Authorize; Back-Channel Communication; Bearer Assertion; Binding; Biometrics; Challenge-Response Protocol; Claimant; Claimed Address; Claimed Identity; Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA); Credential; Credential Service Provider (CSP); Cross-site Request Forgery (CSRF); Cross-site Scripting (XSS); Cryptographic Authenticator; Cryptographic Key (... asymmetric keys, symmetric key.); Cryptographic Module; Data Integrity; Derived Credential; Digital Authentication (... Electronic Authentication.); Digital Signature; Diversionary; Eavesdropping Attack; Electronic Authentication, E-Authentication (... digital authentication.); Enrollment.

Entropy: ... n bits of entropy has the same degree of uncertainty as a uniformly distributed n-bit random value.

Federal Information Processing Standard (FIPS); Federation; Federation Assurance Level (FAL); Federation Proxy; Front-Channel Communication; Hash Function; Identity; Identity Assurance Level (IAL); Identity Evidence; Identity Proofing; Identity Provider (IdP); Issuing Source; Kerberos; Knowledge-Based Verification (KBV); Man-in-the-Middle Attack (MitM, MitMA).

Memorized Secret: ... something they know as part of an authentication process.

Message Authentication Code (MAC); Mobile Code.

Multi-Factor: ... authentication factor for successful authentication. MFA can be performed using a single authenticator that provides more than one factor or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are.

Multi-Factor Authentication (MFA): ... authentication factor for successful authentication. Multi-factor authentication can be performed using a multi-factor authenticator or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are.

Multi-Factor Authenticator; Network; Nonce; Offline Attack; Online Attack; Online Guessing Attack; Pairwise Pseudonymous Identifier; Passive Attack; Passphrase; Password (... memorized secret.); Personal Data (... personally identifiable information.); Personal Identification Number (PIN); Personal Information (... personally identifiable information.); Personally Identifiable Information (PII); Pharming; Phishing; Possession and Control of an Authenticator; Practice Statement; Presentation Attack.

Presentation Attack Detection (PAD): ... liveness detection, involve measurement and analysis of anatomical characteristics or involuntary or voluntary reactions, in order to determine if a biometric sample is being captured from a living subject present at the point of capture.

Private Credentials; Private Key.

Protected Session: ... authenticated if, during the session, they prove possession of one or more authenticators in addition to the session keys, and if the other party can verify the identity associated with the authenticator(s). If both participants are authenticated, the protected session is said to be mutually authenticated.

Pseudonym; Pseudonymity; Pseudonymous Identifier; Public Credentials; Public Key; Public Key Certificate; Public Key Infrastructure (PKI); Reauthentication; Registration (... enrollment.); Relying Party (RP).

Remote: (In the context of remote authentication or remote transaction) An information exchange between network-connected devices where the information cannot be reliably protected end-to-end by a single organization's security controls.

Replay Attack; Replay Resistance; Restricted; Risk Assessment; Risk Management; Salt; Secure Sockets Layer (SSL) (... Transport Layer Security (TLS).); Session; Session Hijack Attack; Shared Secret; Side-Channel Attack; Single-Factor; Social Engineering; Special Publication (SP); Subject; Subscriber; Symmetric Key; Token (... authenticator.); Token Authenticator (... authenticator output.); Token Secret (... authenticator secret.); Transaction; Transport Layer Security (TLS); Trust Anchor; Usability; Verifier; Verifier Impersonation; Virtual In-Person Proofing; Weakly Bound Credentials; Zero-Knowledge Password Protocol; Zeroize.

Reference: NIST SP 800-63B. NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management. June 2017. https://doi.org/10.6028/NIST.SP.800-63b

Conformance criteria:

C1: Memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber. Memorized secrets chosen randomly by the CSP or verifier SHALL be at least 6 characters in length and MAY be entirely numeric. If the CSP or verifier disallows a chosen memorized secret based on its appearance on a blacklist of compromised values, the subscriber SHALL be required to choose a different memorized secret.

C2: Memorized secret verifiers MUST adhere to the mandatory requirements specified within <a href="https://pages.nist.gov/800-63-3/sp800-63b.html#memsecretver">NIST 800-63-3B: 5.1.1.2</a>.

Assessment steps:

1. Memorized Secrets: Does all use of memorized secrets meet the criteria specified in NIST 800-63-3 (minimum lengths, complexity, character sets, not blacklisted, etc.)?

2. Memorized Secret Verifiers: Do all memorized secret verifiers meet the criteria specified in <a href="https://pages.nist.gov/800-63-3/sp800-63b.html#memsecretver">NIST 800-63-3B: 5.1.1.2</a>, including meeting entropy minimums, avoiding common passwords, rate limiting, exclusively using encrypted channels, and storing secrets suitably (for example, as properly salted hashes)?