Authorized personnel verify the identity of users before modifying authentication credentials on their behalf.
Verifying the identity of users before making authentication changes prevents attackers from impersonating someone in order to gain access to their credentials.
This control applies to:
For the remediation of this control these are the steps that should be followed:
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the Authentication Credential Maintenance issue
A.9.2.4- Management of secret authentication information of users The allocation of secret authentication information shall be controlled through a formal management process.
A.9.3.1- Use of secret authentication information: Users shall be required to follow the organization’s practices in the use of secret authentication information.
8.2.2- Verify user identity before modifying any authentication credential—for example, performing password resets, provisioning new tokens, or generating new keys.