APP022: Secure Authentication Protocol
Does the application use an EATDS-approved authentication protocol?
Guidance: A secure mutual authentication protocol with a proper key management scheme to encrypt credentials (e.g., passwords) should be used. Examples include Kerberos, SSL/TLS, and SSHv2. One-time or dynamic passwords can be sent in the clear over the network without encryption. Proprietary authentication protocols should be reviewed by SMEs to ensure they are sound. When no other secure authentication protocol can be implemented, IPSec can be considered as a last resort to protect credentials in transit. However, its applicability should be assessed to ensure it is implementable on the target platforms.
When static passwords are used for authentication, an authentication protocol that does not encrypt the static passwords is not acceptable.
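The following is an added example, not part of the APP022 control text, showing how a client can enforce the rule above in code: a static password is only handed to a transport that encrypts it, and the TLS side is configured to verify the server (certificate and hostname) before the password is revealed. The URL schemes, host names, and the `credential_transport_allowed` and `prepare_login` function names are assumptions made for this illustration; modelling IPSec as an `ipsec` scheme is likewise only a placeholder for the "last resort" case.

```python
"""
Added example (not part of the APP022 control text): a client-side guard that
refuses to transmit a static password unless the transport encrypts it, plus a
TLS client context configured the way the guidance expects (server certificate
verification, hostname check, TLS 1.2 or newer).
"""
import ssl
from urllib.parse import urlparse

# Transports the guidance names as acceptable for carrying static credentials
# (SSL/TLS, SSHv2, Kerberos). 'ipsec' stands in for the IPSec last-resort case;
# treating it as a URL scheme is an assumption for this illustration only.
ENCRYPTING_SCHEMES = {"https", "ssh", "kerberos", "ipsec"}


def credential_transport_allowed(url: str, credential_type: str) -> bool:
    """Return True if sending this credential over this URL meets APP022.

    credential_type is 'static' (a reusable password) or 'otp' (a one-time or
    dynamic password). Static passwords require an encrypting transport;
    one-time passwords may travel without transport encryption.
    """
    scheme = urlparse(url).scheme.lower()
    if credential_type == "otp":
        return True
    if credential_type == "static":
        return scheme in ENCRYPTING_SCHEMES
    raise ValueError(f"unknown credential type: {credential_type}")


def build_client_context() -> ssl.SSLContext:
    """TLS context for the client side of a password-based login.

    create_default_context() turns on CERT_REQUIRED and check_hostname, which
    is what lets the client authenticate the server before revealing a
    password. TLS 1.0/1.1 are excluded by raising the minimum version.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def prepare_login(url: str, username: str, password: str) -> tuple:
    """Guard a login attempt: refuse a plaintext transport for a static password.

    Returns the verified-TLS context and target host name on success so the
    caller can open the connection; raises PermissionError otherwise.
    """
    if not credential_transport_allowed(url, "static"):
        raise PermissionError(
            f"refusing to send a static password over {urlparse(url).scheme}"
        )
    return build_client_context(), urlparse(url).hostname


if __name__ == "__main__":
    # Constructed sample targets; 'example.test' is a reserved test domain.
    for target in ("https://login.example.test/", "http://login.example.test/"):
        try:
            ctx, host = prepare_login(target, "alice", "correct horse")
            print(f"{target}: OK, {ctx.minimum_version.name}+ to {host}")
        except PermissionError as exc:
            print(f"{target}: blocked ({exc})")
```

The policy check and the TLS configuration are deliberately kept together: the first ensures the credential type matches the transport the control allows, and the second ensures that "encrypted" actually means a verified peer rather than an anonymous or unverified TLS session, which would still expose the password to an active attacker.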