2.4.8 Authentication & Authorisation
This section’s intended audience is for those personnel who are responsible for the security of the IoT systems interfaces and authentication processes. Guidance is available from the IoTSF Best Practice Guides (IOTSF.SD-BPG) regarding Credential Management (part F).
| Req No | Requirement | Primary Keyword | Secondary Keyword | Compliance Class And Applicability |
|---|---|---|---|---|
| 2.4.8.1 | The product contains a unique and tamper-resistant device identifier. E.g.: the chip serial number or other unique silicon identifier, for example to bind code and data to a specific device hardware. This is to mitigate threats from cloning and also to ensure authentication may be done assuredly using the device identifier e.g. using a device certificate containing the device identifier. | System | Hardware | Mandatory for all classes |
| 2.4.8.2 | Where the product has a secure source of time there is a method of validating its integrity. | System | Software | Mandatory for Class 1 and above |
| 2.4.8.3 | Where a user interface password is used for login authentication, the factory issued or reset password is randomly unique for every device in the product family. If a password-less authentication is used the same principles of uniqueness apply. | System | Software | Mandatory for all classes |
| 2.4.8.4 | The product does not accept the use of null or blank passwords. | System | Software | Mandatory for all classes |
| 2.4.8.5 | The product will not allow new passwords containing the user account name with which the user account is associated. | System | Software | Mandatory for all classes |
| 2.4.8.6 | Password entry follows industry standard practice on password length, characters from the groupings and special characters. | System | Software | Mandatory for all classes |
| 2.4.8.7 | The product has defence against brute force repeated login attempts, such as exponentially increasing retry attempt delays. | System | Software | Mandatory for Class 1 and above |
| 2.4.8.8 | The product securely stores any passwords using an industry standard cryptographic algorithm, compliant with an industry standard. | System | Software | Mandatory for Class 1 and above |
| 2.4.8.9 | The product supports access control measures to the root/highest privilege account to restrict access to sensitive information or system processes. | System | Software | Mandatory for Class 1 and above |
| 2.4.8.10 | The access control privileges are defined, justified and documented. | Business | Process | Mandatory for Class 1 and above |
| 2.4.8.11 | The product only allows controlled user account access; access using anonymous or guest user accounts is not supported without justification. | System | Software | Mandatory for Class 1 and above |
| 2.4.8.12 | The product allows the factory issued or OEM login accounts to be disabled or erased or renamed when installed or commissioned. | System | Software | Advisory for all classes |
| 2.4.8.13 | The product supports having any or all of the factory default user login passwords altered when installed or commissioned. | Business | Process | Mandatory for all classes |
| 2.4.8.14 | If the product has a password recovery or reset mechanism, an assessment has been made to confirm that this mechanism cannot readily be abused by an unauthorised party. | Business | Process | Mandatory for Class 1 and above |
| 2.4.8.15 | Where passwords are entered on a user interface, the actual pass phrase is obscured by default. | System | Software | Mandatory for Class 1 and above |
| 2.4.8.16 | The product allows an authorised and complete factory reset of all of the device’s authorisation information. | System | Software | Advisory for all classes |
| 2.4.8.17 | Where the product has the ability to remotely recover from attack, it should rely on a known good state, to enable safe recovery and updating of the device, but should limit access to sensitive assets until the devices is in a known secure condition. | System | Software | Mandatory for Class 1 and above |
| 2.4.8.18 | Devices are provided with a RoT-backed unique authenticable logical identity. | System | Software | Mandatory for Class 1 and above |