Secure Req 8
|This article is under construction and should not be considered complete.
Last modified by Paul Knight
SECURE-8. MULTIFACTOR AUTHENTICATION
Entities that authenticate a USER MUST offer authentication mechanisms which augment or are alternatives to a password.
Entities MUST offer users an authentication mechanism other than single-factor authentication based on a password as a shared secret. Examples include (but are not limited to): “something-you-have” (e.g., computing device, USB token, mobile phone, key fob, etc.) or “something-you-are” (e.g., biometric), or a combination of these. The additional or alternative mechanism(s) MUST ensure the binding and integration necessary for use as an authentication mechanism. See Requirement #9 and its Supplemental Guidance for more information about choosing risk appropriate authentication mechanisms.
NIST SP 800-63
APPLIES TO CORE OPERATIONS