Identification and authentication policy

The identification and authentication policy defines the organization's rules for provisioning and managing information system identifiers, as well as the mechanisms allowed for positive authentication of those identifiers.

What the identification and authentication policy should address:

  • Identifying information system users, processes acting on behalf of users, or devices
  • Authenticating (or verifying) the identities of those users, processes, or devices as a prerequisite to allowing access to organizational information systems
  • Using multifactor authentication for local and network access to information systems
  • Employing replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts
  • Preventing reuse of identifiers for a defined period
  • Disabling identifiers after a defined period of inactivity
  • Enforcing a minimum password complexity and change of characters when new passwords are created
  • Prohibiting password reuse for a specified number of generations
  • Allowing temporary password use for system logons with an immediate change to a permanent password
  • Storing and transmitting only encrypted representations of passwords
  • Obscuring feedback of authentication information