APP002: Authentication for Administrators
Is the authentication mechanism for administrators (e.g., PIN, static password, dynamic password, digital certificate) implemented in accordance with the CISS and the Authentication Domain Standards (ADS)?
Guidance: Administrators are rarely limited to read-only access to Internal non-PII or Public data with no transaction capability, so authentication will almost always be required. Authentication must be implemented in accordance with CISS Appendix A.0 using solutions defined in the ADS; the ADS describes specific solutions (static passwords, KBA, OTPs, etc.) that meet the authentication requirements of CISS Appendix A.0.
Supplemental Guidance: PINs should not be used for authentication unless the PINs are:
- Required by local laws or regulations or by rules adopted by self-regulatory bodies (e.g., central banks or payment associations), or
- Necessary to meet physical device constraints (e.g., smart card)
The strength of the authentication mechanism must be commensurate with the risk of the application and should comply with the authentication guidelines where they exist. For example, high-risk applications may require strong authentication such as multi-factor authentication or digital certificates. An architecture that allows pluggable authentication modules makes it practical to support several authentication mechanisms when different classes of users require different ones, and to enforce centrally which mechanisms, and how many factors, each class must present.
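The following is an added illustration of the pluggable-module architecture described above; it is example code written for this page, not code from the CISS, the ADS, or any product. Each mechanism (static password, OTP, PIN) is a separately registered module behind one interface, and a per-class policy, assumed here to be "users: password; administrators: password plus OTP", decides which modules a user class may present and how many independent factors must all verify. The PIN module is registered but permitted for no class, which shows the policy rejecting it for an administrator. The user "alice", her password, the salt, the fixed clock and the OTP key (the RFC 4226 test key) are all constructed for the example.

```python
# Added example (not CISS/ADS code): pluggable authentication modules behind a
# per-user-class policy that enforces mechanism and factor-count requirements.
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Protocol, Tuple


class AuthModule(Protocol):
    """Interface every pluggable mechanism implements."""
    name: str

    def verify(self, user: str, credential: str) -> bool: ...


class StaticPasswordModule:
    name = "static_password"

    def __init__(self, records: Dict[str, Tuple[bytes, bytes]]):
        self._records = records  # user -> (salt, PBKDF2-SHA256 digest)

    @staticmethod
    def digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def verify(self, user: str, credential: str) -> bool:
        rec = self._records.get(user)
        if rec is None:
            self.digest(credential, b"\x00" * 16)  # same cost for unknown users
            return False
        salt, expected = rec
        return hmac.compare_digest(self.digest(credential, salt), expected)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP; TOTP (RFC 6238) is HOTP over a time-step counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class TotpModule:
    name = "otp"

    def __init__(self, keys: Dict[str, bytes], step: int = 30,
                 now: Callable[[], float] = time.time):
        self._keys, self._step, self._now = keys, step, now

    def verify(self, user: str, credential: str) -> bool:
        key = self._keys.get(user)
        if key is None:
            return False
        counter = int(self._now() // self._step)
        # Accept one step either side for clock skew; compare in constant time.
        return any(hmac.compare_digest(hotp(key, c), credential)
                   for c in (counter - 1, counter, counter + 1) if c >= 0)


class PinModule:
    """Registered only so the policy can be seen rejecting it for administrators."""
    name = "pin"

    def __init__(self, pins: Dict[str, str]):
        self._pins = pins

    def verify(self, user: str, credential: str) -> bool:
        return hmac.compare_digest(self._pins.get(user, ""), credential)


@dataclass
class ClassPolicy:
    allowed: frozenset   # mechanism names this user class may present
    min_factors: int     # distinct mechanisms that must all verify


@dataclass
class Authenticator:
    policies: Dict[str, ClassPolicy]
    modules: Dict[str, AuthModule] = field(default_factory=dict)

    def register(self, module: AuthModule) -> None:
        self.modules[module.name] = module

    def authenticate(self, user_class: str, user: str,
                     factors: List[Tuple[str, str]]) -> Tuple[bool, str]:
        policy = self.policies.get(user_class)
        if policy is None:
            return False, "no policy for user class"
        presented = {name for name, _ in factors}
        if not presented <= policy.allowed:
            bad = sorted(presented - policy.allowed)
            return False, f"mechanism not permitted for {user_class}: {bad}"
        if len(presented) < policy.min_factors:
            return False, f"{user_class} requires {policy.min_factors} factor(s)"
        for name, credential in factors:  # fail closed: every factor must verify
            module = self.modules.get(name)
            if module is None or not module.verify(user, credential):
                return False, f"{name} verification failed"
        return True, "ok"


def build_demo() -> Authenticator:
    """Constructed data: one user, fixed salt and clock, RFC 4226 test key."""
    salt = b"\x01" * 16  # use os.urandom(16) per user in real code
    auth = Authenticator(policies={
        "user": ClassPolicy(frozenset({"static_password"}), 1),
        "administrator": ClassPolicy(frozenset({"static_password", "otp"}), 2),
    })
    pw = StaticPasswordModule.digest("correct horse", salt)
    auth.register(StaticPasswordModule({"alice": (salt, pw)}))
    auth.register(TotpModule({"alice": b"12345678901234567890"}, now=lambda: 150.0))
    auth.register(PinModule({"alice": "1234"}))
    return auth
```

Adding a digital-certificate or KBA mechanism means registering one more module and listing it in the policies that may use it; the policy check runs before any credential is verified, so a weaker mechanism presented by an administrator is refused without ever being evaluated.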