NIST 800-53 REV 5 • IDENTIFICATION AND AUTHENTICATION

IA-2(8) Access to Accounts — Replay Resistant

Implement replay-resistant authentication mechanisms for access to {{ insert: param, ia-02.08_odp }}.

CMMC Practice Mapping

NIST 800-171 Mapping

Related Controls

No related controls listed

Supplemental Guidance

Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or cryptographic authenticators.

Practitioner Notes

This enhancement requires replay-resistant authentication mechanisms — an attacker who captures your authentication traffic should not be able to replay it to gain access.

Example 1: Use FIDO2 security keys (like YubiKeys) which provide cryptographic challenge-response authentication that is inherently replay-resistant.

Example 2: Implement Kerberos authentication (used by Active Directory) which includes timestamps in tickets, making captured authentication data useless after a short time window.
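As an added example (not part of the NIST text or this page's notes), the following Python sketch shows the property the supplemental guidance describes: a server issues an unpredictable, single-use challenge, the client proves possession of a shared secret by keying an HMAC over it, and a captured (challenge, response) pair is rejected the second time because the challenge has already been consumed or has expired. All names, the shared secret and the 30-second window are constructed for the demo.

```python
"""Nonce-based challenge-response login that resists replay (added example)."""
import hashlib
import hmac
import os
import time


def compute_response(secret: bytes, nonce: str) -> str:
    """Client side: prove possession of the secret by keying an HMAC over the challenge."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


class ReplayResistantAuth:
    """Server side: issues one-time challenges and accepts each exactly once."""

    def __init__(self, shared_secrets: dict, ttl_seconds: float = 30, clock=time.time):
        self._secrets = shared_secrets      # user -> shared key (constructed demo data)
        self._pending = {}                  # challenge -> (user, issued_at)
        self._ttl = ttl_seconds             # how long an unanswered challenge stays valid
        self._clock = clock                 # injectable so expiry can be tested

    def issue_challenge(self, user: str) -> str:
        nonce = os.urandom(16).hex()        # unpredictable, never reused
        self._pending[nonce] = (user, self._clock())
        return nonce

    def verify(self, user: str, nonce: str, response: str) -> bool:
        entry = self._pending.pop(nonce, None)   # pop: a replayed nonce finds nothing
        if entry is None:
            return False                         # unknown or already-consumed challenge
        owner, issued = entry
        if owner != user or self._clock() - issued > self._ttl:
            return False                         # wrong account or expired challenge
        secret = self._secrets.get(user)
        if secret is None:
            return False
        expected = compute_response(secret, nonce)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def demo() -> tuple:
    """Legitimate login succeeds once; replaying the captured pair fails."""
    secrets = {"alice": b"constructed-demo-secret"}
    server = ReplayResistantAuth(secrets)
    nonce = server.issue_challenge("alice")
    response = compute_response(secrets["alice"], nonce)
    first = server.verify("alice", nonce, response)    # genuine client answers
    replay = server.verify("alice", nonce, response)   # same bytes captured and resent
    return first, replay
```

A production implementation would also purge stale entries from `_pending` and bind the challenge to the session or origin, which this sketch omits.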