Skip to main content
MuonPartners
Services
Architecture

Solution design and technology roadmapping

Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security

Security assessments, IAM, and compliance

AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform

Network architecture and cloud platforms

Network DesignCloud StrategyModernisation
Enterprise Architecture

Business-technology alignment

Business AlignmentPortfolio AnalysisGovernance
View all services
ProjectsCase StudiesInsightsToolsAbout
Contact Us

Services

Architecture
Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security
AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform
Network DesignCloud StrategyModernisation
Enterprise Architecture
Business AlignmentPortfolio AnalysisGovernance
ProjectsCase StudiesInsightsToolsAboutContact
Get in Touch
MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

Services

  • Architecture
  • Cyber Security
  • Network and Platform
  • Enterprise Architecture

Company

  • About
  • Products
  • Frameworks
  • Cross-Framework Mapping
  • Projects
  • Case Studies
  • Insights
  • Contact

Contact

  • [email protected]
  • Australia
  • LinkedIn

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

Privacy PolicyTerms of Service
  1. Frameworks
  2. >SP 800-53
  3. >Identification And Authentication
  4. >SP800-53-IA-5
SP800-53-IA-5Active

Authenticator Management

Statement

Manage system authenticators by: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator; Establishing initial authenticator content for any authenticators issued by the organization; Ensuring that authenticators have sufficient strength of mechanism for their intended use; Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators; Changing default authenticators prior to first use; Changing or refreshing authenticators time period by authenticator type or when events occur; Protecting authenticator content from unauthorized disclosure and modification; Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and Changing authenticators for group or role accounts when membership to those accounts changes.

Location

Control Family
Identification and Authentication

Control Details

Identifier
SP800-53-IA-5
Family
IA

Organisation-Defined Parameters

ia-05_odp.01
time period by authenticator type
ia-05_odp.02
events

Supplemental Guidance

Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6 , and SC-28 for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.

Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed.

Assessment Objective

system authenticators are managed through the verification of the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution; system authenticators are managed through the establishment of initial authenticator content for any authenticators issued by the organization; system authenticators are managed to ensure that authenticators have sufficient strength of mechanism for their intended use; system authenticators are managed through the establishment and implementation of administrative procedures for initial authenticator distribution; lost, compromised, or damaged authenticators; and the revocation of authenticators; system authenticators are managed through the change of default authenticators prior to first use; system authenticators are managed through the change or refreshment of authenticators time period by authenticator type or when events occur; system authenticators are managed through the protection of authenticator content from unauthorized disclosure and modification; system authenticators are managed through the requirement for individuals to take specific controls to protect authenticators; system authenticators are managed through the requirement for devices to implement specific controls to protect authenticators; system authenticators are managed through the change of authenticators for group or role accounts when membership to those accounts changes.

ATTACK
ATTACK-T1021.001relatedvia ctid-attack-to-sp800-53
ATTACK-T1078.002relatedvia ctid-attack-to-sp800-53
ATTACK-T1078.004relatedvia ctid-attack-to-sp800-53
ATTACK-T1098.001relatedvia ctid-attack-to-sp800-53
ATTACK-T1098.002relatedvia ctid-attack-to-sp800-53
View in graphReport an issue
← Back to Identification and Authentication
Identification and Authentication74 controls
SP800-53-IA-1Policy and ProceduresSP800-53-IA-2Identification and Authentication (Organizational Users)SP800-53-IA-2(1)Multi-factor Authentication to Privileged AccountsSP800-53-IA-2(2)Multi-factor Authentication to Non-privileged AccountsSP800-53-IA-2(3)Local Access to Privileged AccountsSP800-53-IA-2(4)Local Access to Non-privileged AccountsSP800-53-IA-2(5)Individual Authentication with Group AuthenticationSP800-53-IA-2(6)Access to Accounts —separate DeviceSP800-53-IA-2(7)Network Access to Non-privileged Accounts — Separate DeviceSP800-53-IA-2(8)Access to Accounts — Replay ResistantSP800-53-IA-2(9)Network Access to Non-privileged Accounts — Replay ResistantSP800-53-IA-2(10)Single Sign-onSP800-53-IA-2(11)Remote Access — Separate DeviceSP800-53-IA-2(12)Acceptance of PIV CredentialsSP800-53-IA-2(13)Out-of-band AuthenticationSP800-53-IA-3Device Identification and AuthenticationSP800-53-IA-3(1)Cryptographic Bidirectional AuthenticationSP800-53-IA-3(2)Cryptographic Bidirectional Network AuthenticationSP800-53-IA-3(3)Dynamic Address AllocationSP800-53-IA-3(4)Device AttestationSP800-53-IA-4Identifier ManagementSP800-53-IA-4(1)Prohibit Account Identifiers as Public IdentifiersSP800-53-IA-4(2)Supervisor AuthorizationSP800-53-IA-4(3)Multiple Forms of CertificationSP800-53-IA-4(4)Identify User StatusSP800-53-IA-4(5)Dynamic ManagementSP800-53-IA-4(6)Cross-organization ManagementSP800-53-IA-4(7)In-person RegistrationSP800-53-IA-4(8)Pairwise Pseudonymous IdentifiersSP800-53-IA-4(9)Attribute Maintenance and ProtectionSP800-53-IA-5Authenticator ManagementSP800-53-IA-5(1)Password-based AuthenticationSP800-53-IA-5(2)Public Key-based AuthenticationSP800-53-IA-5(3)In-person or Trusted External Party RegistrationSP800-53-IA-5(4)Automated Support for Password Strength DeterminationSP800-53-IA-5(5)Change Authenticators Prior to DeliverySP800-53-IA-5(6)Protection of AuthenticatorsSP800-53-IA-5(7)No Embedded Unencrypted Static AuthenticatorsSP800-53-IA-5(8)Multiple System AccountsSP800-53-IA-5(9)Federated Credential ManagementSP800-53-IA-5(10)Dynamic Credential BindingSP800-53-IA-5(11)Hardware Token-based AuthenticationSP800-53-IA-5(12)Biometric Authentication PerformanceSP800-53-IA-5(13)Expiration of Cached AuthenticatorsSP800-53-IA-5(14)Managing Content of PKI Trust StoresSP800-53-IA-5(15)GSA-approved Products and ServicesSP800-53-IA-5(16)In-person or Trusted External Party Authenticator IssuanceSP800-53-IA-5(17)Presentation Attack Detection for Biometric AuthenticatorsSP800-53-IA-5(18)Password ManagersSP800-53-IA-6Authentication FeedbackSP800-53-IA-7Cryptographic Module AuthenticationSP800-53-IA-8Identification and Authentication (Non-organizational Users)SP800-53-IA-8(1)Acceptance of PIV Credentials from Other AgenciesSP800-53-IA-8(2)Acceptance of External AuthenticatorsSP800-53-IA-8(3)Use of FICAM-approved ProductsSP800-53-IA-8(4)Use of Defined ProfilesSP800-53-IA-8(5)Acceptance of PIV-I CredentialsSP800-53-IA-8(6)DisassociabilitySP800-53-IA-9Service Identification and AuthenticationSP800-53-IA-9(1)Information ExchangeSP800-53-IA-9(2)Transmission of DecisionsSP800-53-IA-10Adaptive AuthenticationSP800-53-IA-11Re-authenticationSP800-53-IA-12Identity ProofingSP800-53-IA-12(1)Supervisor AuthorizationSP800-53-IA-12(2)Identity EvidenceSP800-53-IA-12(3)Identity Evidence Validation and VerificationSP800-53-IA-12(4)In-person Validation and VerificationSP800-53-IA-12(5)Address ConfirmationSP800-53-IA-12(6)Accept Externally-proofed IdentitiesSP800-53-IA-13Identity Providers and Authorization ServersSP800-53-IA-13(1)Protection of Cryptographic KeysSP800-53-IA-13(2)Verification of Identity Assertions and Access TokensSP800-53-IA-13(3)Token Management