NIST 800-53 REV 5 • ACCESS CONTROL
AC-7(4) — Use of Alternate Authentication Factor
(a) Allow the use of {{ insert: param, ac-07.04_odp.01 }} that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and
(b) Enforce a limit of {{ insert: param, ac-07.04_odp.02 }} consecutive invalid logon attempts through use of the alternative factors by a user during a {{ insert: param, ac-07.04_odp.03 }}.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
Supplemental Guidance
The use of alternate authentication factors supports the objective of availability and allows a user who has inadvertently been locked out to use additional authentication factors to bypass the lockout.
Practitioner Notes
When a biometric fails too many times, the system should require an alternate authentication factor (such as a PIN or password) rather than simply allowing further biometric attempts. This caps how many times a spoofed biometric can be presented to the sensor, while sparing a legitimate user having a bad sensor day from a hard lockout.
Example 1: Configure Windows Hello to require the PIN after 5 failed fingerprint scans. This is the default Windows behavior. Verify it is not overridden by checking that Computer Configuration → Administrative Templates → System → Logon → "Turn off Windows Hello" is set to Not Configured.
Example 2: For physical access control systems using biometric readers, configure the access panel to require a badge tap plus PIN after 3 failed biometric reads. The panel should log the failed attempts and alert the physical security team.
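As an added illustration (not NIST text and not part of this page's notes), the two limits in the control statement expressed as a lockout policy: the base AC-7 primary-factor lockout, the alternate factors it hands off to, the cap on invalid alternate-factor attempts within the time period, and an audit trail of every decision. The class name, factor names and parameter values are hypothetical.

```python
from collections import deque
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"                  # credential valid, logon proceeds
    DENY = "deny"                    # invalid, user may retry
    USE_ALTERNATE = "use_alternate"  # primary factor locked out; prompt for an alternate factor
    LOCKED = "locked"                # alternate-factor limit reached; no attempts for the period


class AlternateFactorLockout:
    """Base AC-7 lockout plus the AC-7(4) alternate-factor limit (hypothetical class)."""

    def __init__(self, primary_limit=5, alternate_factors=frozenset({"pin", "password"}),
                 alternate_limit=3, window_seconds=900):
        self.primary_limit = primary_limit          # AC-7: consecutive invalid primary attempts
        self.alternate_factors = alternate_factors  # ac-07.04_odp.01 (constructed values)
        self.alternate_limit = alternate_limit      # ac-07.04_odp.02
        self.window = window_seconds                # ac-07.04_odp.03
        self.primary_failures = {}                  # user -> consecutive invalid primary attempts
        self.alt_failures = {}                      # user -> timestamps of invalid alternate attempts
        self.audit = []                             # (time, user, factor, decision) for review

    def attempt(self, user: str, factor: str, valid: bool, now: float) -> Decision:
        pf = self.primary_failures.setdefault(user, 0)
        af = self.alt_failures.setdefault(user, deque())
        while af and now - af[0] > self.window:
            af.popleft()                            # only failures inside the period count
        if len(af) >= self.alternate_limit:
            decision = Decision.LOCKED              # AC-7(4)(b): alternate limit already reached
        elif factor in self.alternate_factors:
            if valid:
                decision = Decision.ALLOW
            else:
                af.append(now)
                decision = Decision.LOCKED if len(af) >= self.alternate_limit else Decision.DENY
        elif pf >= self.primary_limit:
            decision = Decision.USE_ALTERNATE       # AC-7(4)(a): primary locked, alternates allowed
        elif valid:
            decision = Decision.ALLOW
        else:
            self.primary_failures[user] = pf + 1
            decision = Decision.USE_ALTERNATE if pf + 1 >= self.primary_limit else Decision.DENY
        if decision is Decision.ALLOW:
            self.primary_failures[user] = 0         # a successful logon resets both counters
            af.clear()
        self.audit.append((now, user, factor, decision.value))
        return decision
```

Note that a valid primary credential presented while the primary factor is locked is still refused with USE_ALTERNATE, and that the full lockout clears only once the alternate-factor failures age out of the window.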