Applications using multifactor authentication when accessing privileged accounts via the network must provide one of the factors by a device that is separate from the information system gaining access.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-35598	SRG-APP-000154-AS-NA	SV-46885r1_rule		Medium

Description
Out Of Band 2 Factor Authentication (OOB2FA) is defined as when one of the authentication factors is provided by a device that is separate from the system that is used to gain access. For example, a mobile device such as a smart phone is registered within the application to an application user. Upon a successful authentication, the system sends instructions to the registered mobile device in the form of on-screen prompts instructing the user on how to complete the login process. OOB2FA employs separate communication channels where at least one is independently maintained and trusted to authenticate an end user. The AS does not provide or utilize OOB2FA. This requirement is NA.

Description

Out Of Band 2 Factor Authentication (OOB2FA) is defined as when one of the authentication factors is provided by a device that is separate from the system that is used to gain access. For example, a mobile device such as a smart phone is registered within the application to an application user. Upon a successful authentication, the system sends instructions to the registered mobile device in the form of on-screen prompts instructing the user on how to complete the login process. OOB2FA employs separate communication channels where at least one is independently maintained and trusted to authenticate an end user. The AS does not provide or utilize OOB2FA. This requirement is NA.

STIG	Date
Application Server Security Requirements Guide	2013-01-08

Details

Check Text ( C-43941r1_chk )
This requirement is NA for the AS SRG.

Fix Text (F-40139r1_fix)
The requirement is NA. No fix is required.