NIST 800-171 • LEVEL 2 • IDENTIFICATION AND AUTHENTICATION

3.5.4 Replay-Resistant Authentication

Authentication processes resist replay attacks if it is impractical to successfully authenticate by recording or replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges, such as time synchronous or challenge-response one-time authenticators.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

  • replay-resistant authentication mechanisms for access to privileged accounts are implemented.
  • replay-resistant authentication mechanisms for access to non-privileged accounts are implemented.

Practitioner Notes

Replay-resistant authentication means an attacker cannot capture your login credentials in transit and reuse them later to break in. Old protocols like NTLM are vulnerable to this. Modern protocols like Kerberos and time-based one-time passwords (TOTP) generate unique tokens for each session, so a captured token is useless.

Example 1: Enforce Kerberos authentication over NTLM in your domain. In Group Policy, navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. Set "Network security: LAN Manager authentication level" to the option named "Send NTLMv2 response only. Refuse LM & NTLM" (the period is part of the option name; it is the highest of the six levels). This forces clients and servers to use Kerberos or at minimum NTLMv2, which includes challenge-response to resist replay.
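The Group Policy setting above is stored on each machine as the LmCompatibilityLevel registry value under the LSA key, so an assessor can verify it on a sample of hosts without opening the GPO editor. The script below is an added example for that check, not part of the NIST or CMMC text; the level-to-name table follows the Security Options labels, and the assumption that only level 5 satisfies the setting described in Example 1 is the author's reading of that option list.

```powershell
# Added example: report the effective "Network security: LAN Manager authentication
# level" on the local machine. The GPO writes the value
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel; level 5 is
# "Send NTLMv2 response only. Refuse LM & NTLM".
function Get-LmCompatibilityStatus {
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $name = 'LmCompatibilityLevel'

    # Level numbers and the labels shown in the Security Options UI.
    $labels = @{
        0 = 'Send LM & NTLM responses'
        1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 response only. Refuse LM'
        5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
    }

    # If the value is absent the policy has never been applied here and the OS
    # default is in effect, which does not refuse LM or NTLM responses.
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    $level = if ($null -eq $item) { $null } else { [int]$item.$name }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Level        = $level
        Setting      = if ($null -eq $level) { 'Not configured (OS default applies)' } else { $labels[$level] }
        Compliant    = ($level -eq 5)
    }
}

# Usage: run on each sampled host, or wrap in Invoke-Command for a remote sweep.
Get-LmCompatibilityStatus | Format-List
```

The function returns an object rather than printing, so the same call can feed Invoke-Command across a list of servers and the results can be exported as evidence for the assessment objective. A missing value is reported as non-compliant on purpose: "not configured" means the default applies, not that the policy was enforced.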

Example 2: When configuring MFA, choose time-based one-time passwords (TOTP) via authenticator apps like Microsoft Authenticator or hardware tokens like YubiKeys. In the Entra Admin Center under Protection > Authentication Methods > FIDO2 Security Key, enable FIDO2 key registration. FIDO2 uses challenge-response cryptography, making replay attacks effectively impossible.
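The Practitioner Notes and Example 2 both rest on one idea: the server issues a fresh challenge for every login, so a recorded answer is worthless a second time. The script below is an added example that demonstrates that property with a toy HMAC challenge-response exchange; it is not code from the NIST or CMMC text and is not how Kerberos, TOTP or FIDO2 are implemented. The shared secret, the single-user setup and the in-memory nonce table are constructed for illustration.

```powershell
# Added example: minimal challenge-response login with single-use nonces, to show
# why a captured response cannot be replayed. Secret and nonce store are
# constructed for the demo; a real system would scope nonces per user and expire them.
$script:SharedSecret = [Text.Encoding]::UTF8.GetBytes('constructed-demo-secret')

# Server-side state: nonces that have been issued but not yet consumed.
$script:OutstandingNonces = @{}

function New-Challenge {
    # Server side: issue a random 128-bit nonce and remember it until it is used.
    $bytes = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $nonce = [Convert]::ToBase64String($bytes)
    $script:OutstandingNonces[$nonce] = Get-Date
    return $nonce
}

function Get-Response {
    param([string]$Nonce, [byte[]]$Secret)
    # Client side: prove knowledge of the secret by keying an HMAC over the nonce.
    # The secret itself never crosses the wire, only the MAC of this one challenge.
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($Secret)
    $mac = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($Nonce))
    return [Convert]::ToBase64String($mac)
}

function Test-Response {
    param([string]$Nonce, [string]$Response)
    # Server side: a nonce that is unknown or already consumed is rejected outright.
    # This is the replay check; it runs before the MAC is even looked at.
    if (-not $script:OutstandingNonces.ContainsKey($Nonce)) { return $false }
    $script:OutstandingNonces.Remove($Nonce)   # consume it regardless of outcome

    $expected = Get-Response -Nonce $Nonce -Secret $script:SharedSecret

    # Constant-time comparison so a wrong guess does not leak how many bytes matched.
    $a = [Text.Encoding]::UTF8.GetBytes($expected)
    $b = [Text.Encoding]::UTF8.GetBytes($Response)
    if ($a.Length -ne $b.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $a.Length; $i++) { $diff = $diff -bor ($a[$i] -bxor $b[$i]) }
    return ($diff -eq 0)
}

# 1. Legitimate login: fresh challenge, correct response.
$nonce = New-Challenge
$response = Get-Response -Nonce $nonce -Secret $script:SharedSecret
"First use of response:      $(Test-Response -Nonce $nonce -Response $response)"

# 2. Replay: the same nonce/response pair, as an eavesdropper would resend it.
"Replayed response:          $(Test-Response -Nonce $nonce -Response $response)"

# 3. Old response against a new challenge: the MAC was computed over a different nonce.
$nonce2 = New-Challenge
"Old response, new challenge: $(Test-Response -Nonce $nonce2 -Response $response)"
```

The first call succeeds and the two replays are rejected, one because the nonce has been consumed and one because the MAC does not match the new nonce. Password-only logins fail this test because the proof (the password) is the same on every attempt; NTLMv2, Kerberos and FIDO2 pass it because, as in the script, the proof is bound to a value the server chose for that one session.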