family IA
framework nist-800-53
Manage system authenticators by:
  - Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;
  - Establishing initial authenticator content for any authenticators issued by the organization;
  - Ensuring that authenticators have sufficient strength of mechanism for their intended use;
  - Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;
  - Changing default authenticators prior to first use;
  - Changing or refreshing authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;
  - Protecting authenticator content from unauthorized disclosure and modification;
  - Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and
  - Changing authenticators for group or role accounts when membership to those accounts changes.
For password-based authentication:
  - Maintain a list of commonly-used, expected, or compromised passwords and update the list {{ insert: param, ia-05.01_odp.01 }} and when organizational passwords are suspected to have been compromised directly or indirectly;
  - Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);
  - Transmit passwords only over cryptographically-protected channels;
  - Store passwords using an approved salted key derivation function, preferably using a keyed hash;
  - Require immediate selection of a new password upon account recovery;
  - Allow user selection of long passwords and passphrases, including spaces and all printable characters;
  - Employ automated tools to assist the user in selecting strong password authenticators; and
  - Enforce the following composition and complexity rules: {{ insert: param, ia-05.01_odp.02 }}.
Bind identities and authenticators dynamically using the following rules: {{ insert: param, ia-05.10_odp }}.
For biometric-based authentication, employ mechanisms that satisfy the following biometric quality requirements {{ insert: param, ia-05.12_odp }}.
Prohibit the use of cached authenticators after {{ insert: param, ia-05.13_odp }}.
For PKI-based authentication, employ an organization-wide methodology for managing the content of PKI trust stores installed across all platforms, including networks, operating systems, browsers, and applications.
Use only General Services Administration-approved products and services for identity, credential, and access management.
Require that the issuance of {{ insert: param, ia-05.16_odp.01 }} be conducted {{ insert: param, ia-05.16_odp.02 }} before {{ insert: param, ia-05.16_odp.03 }} with authorization by {{ insert: param, ia-05.16_odp.04 }}.
Employ presentation attack detection mechanisms for biometric-based authentication.
Employ {{ insert: param, ia-05.18_odp.01 }} to generate and manage passwords; and Protect the passwords using {{ insert: param, ia-05.18_odp.02 }}.
For public key-based authentication:
  - Enforce authorized access to the corresponding private key; and
  - Map the authenticated identity to the account of the individual or group; and
When public key infrastructure (PKI) is used:
  - Validate certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; and
  - Implement a local cache of revocation data to support path discovery and validation.
Require developers and installers of system components to provide unique authenticators or change default authenticators prior to delivery and installation.
Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access.
Ensure that unencrypted static authenticators are not embedded in applications or other forms of static storage.
Implement {{ insert: param, ia-05.08_odp }} to manage the risk of compromise due to individuals having accounts on multiple systems.
Use the following external organizations to federate credentials: {{ insert: param, ia-05.09_odp }}.