APP001: Authentication for End-users
Is the authentication mechanism for end users (e.g., PIN, static password, dynamic password, digital certificate) implemented in accordance with the **Authentication Domain Standards (ADS)**?
Guidance: If users are entitled only to read Internal non-PII data or Public data with no transaction capabilities, authentication is not required. Otherwise, authentication must be implemented in accordance with the Authentication Domain Standards (ADS). The ADS describes specific solutions for static passwords, KBA, OTPs, etc.

Supplemental Guidance: If Internal data are made available without authentication, the application must ensure that the data are accessible only to internal employees and are not publicly available (e.g., on the Internet).

PINs should not be used for authentication unless the PINs are:

- Required by local laws or regulations, or by rules adopted by self-regulatory bodies (e.g., central banks or payment associations), or
- Necessary to meet physical device constraints (e.g., smart card).

The strength of the authentication mechanism must be commensurate with the risk of the application and should comply with authentication guidelines when available. For example, some high-risk applications may require strong authentication such as multi-factor authentication or digital certificates. An architecture that allows pluggable authentication modules provides the flexibility to support multiple authentication mechanisms when different classes of users require different ones.
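The following is an added illustration, not code from the standard, of how an application could encode the APP001 decision rule and the pluggable-module architecture described above: the access exemption for read-only Public or non-Internet-facing Internal non-PII data, the PIN exception gate, and a per-user-class module selection that is rejected when the module's assurance level falls below what the resource's risk demands. The numeric assurance levels and the baseline "static password unless high risk, then MFA" mapping are assumptions for this example; the ADS defines the actual requirements.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed assurance ranking for this example only; the ADS defines the real one.
LEVELS = {"none": 0, "pin": 1, "static_password": 2, "otp": 3, "mfa": 4, "certificate": 4}


@dataclass(frozen=True)
class Resource:
    classification: str      # "Public", "Internal", "Confidential", ...
    contains_pii: bool
    transactional: bool
    internet_facing: bool


def required_level(r: Resource, high_risk: bool) -> int:
    """Minimum assurance level a resource needs under the APP001 rule."""
    read_only_public = r.classification == "Public" and not r.transactional
    read_only_internal = (r.classification == "Internal" and not r.contains_pii
                          and not r.transactional and not r.internet_facing)
    if read_only_public or read_only_internal:
        return LEVELS["none"]                # no authentication required
    # Assumed baseline: high-risk applications need MFA, others a static password.
    return LEVELS["mfa"] if high_risk else LEVELS["static_password"]


@dataclass(frozen=True)
class AuthModule:
    name: str
    level: int
    verify: Callable[[str, str], bool]       # (user_id, credential) -> accepted?


class PluggableAuthenticator:
    """Registry of authentication modules, with one module chosen per user class."""

    def __init__(self, class_policy: Dict[str, str]):
        self._modules: Dict[str, AuthModule] = {}
        self._class_policy = class_policy    # user class -> module name

    def register(self, m: AuthModule, *, pin_exception: bool = False) -> None:
        # PINs are only admissible under a regulatory or device-constraint exception.
        if m.name == "pin" and not pin_exception:
            raise ValueError("PIN module requires a regulatory or device-constraint exception")
        self._modules[m.name] = m

    def select(self, user_class: str, r: Resource, high_risk: bool) -> Optional[AuthModule]:
        need = required_level(r, high_risk)
        if need == LEVELS["none"]:
            return None
        module = self._modules[self._class_policy[user_class]]
        if module.level < need:              # configured mechanism too weak for this risk
            raise PermissionError(f"{module.name} is below the required level for {user_class}")
        return module
```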