Secure Req 8
SECURE-8. MULTIFACTOR AUTHENTICATION
Entities that authenticate a USER MUST offer authentication mechanisms which augment or are alternatives to a password.
Entities must offer users an authentication mechanism other than single-factor authentication based on a password as a shared secret. Examples include (but are not limited to): “something-you-have” (e.g., computing device, USB token, mobile phone, key fob) or “something-you-are” (e.g., biometric), or a combination of these. The additional or alternative mechanism(s) must ensure the binding and integration necessary for use as an authentication mechanism. See SECURE-9 (AUTHENTICATION RISK ASSESSMENT) and its Supplemental Guidance for more information about choosing risk-appropriate authentication mechanisms.
NIST SP 800-63-2