Identification and Authentication 3.5.11

Obscure feedback of authentication information

What Is This CMMC Control?

This control requires systems to hide authentication information (such as passwords) as users enter it, preventing unauthorized individuals from seeing sensitive credentials. Common implementations include displaying asterisks or dots instead of the actual characters, or briefly showing each character before obscuring it. The level of obscuring should match the risk: larger screens need stronger protection against shoulder surfing, while mobile devices may balance obscuring with usability because of their small keyboards.

Control Intent

Prevent unauthorized individuals from obtaining authentication credentials by observing authentication information displayed on system screens during the authentication process.

Who This Control Applies To

  • All systems and applications that require user authentication
  • Desktop computers and workstations
  • Laptop and notebook computers
  • Mobile devices (smartphones, tablets)
  • Kiosks and public-access terminals
  • Remote access systems and VPNs
  • Web applications requiring login
  • Database management systems
  • Cloud service portals
  • Administrative consoles
  • Physical access control systems with PIN entry

Not Applicable When

  • Systems that use only biometric authentication without password entry
  • Systems that use only hardware tokens without PIN or password entry
  • Fully automated systems with no interactive authentication
  • Systems physically isolated in secure facilities with no unauthorized personnel access and documented risk acceptance
  • Authentication mechanisms that do not display any feedback (e.g., some embedded systems)

Key Objectives

  1. Prevent visual observation of authentication credentials during entry by unauthorized individuals
  2. Implement feedback mechanisms that obscure authentication information appropriate to the system type and threat environment
  3. Balance security requirements with usability considerations based on device characteristics and operational context

Sample Self-Assessment Questions (Partial)

Do your systems display asterisks, dots, or other masking characters when users enter passwords?

Can you see the actual password characters on screen when logging into your systems?

Implementation Approaches (High-Level)

Operating System Default Password Masking

Rely on built-in operating system and application password masking that displays asterisks or dots for password fields

Web Application Password Field Masking

Configure web applications and portals to use proper HTML password input types and ensure no JavaScript or custom code reveals passwords

Mobile Application Authentication Masking

Implement authentication feedback obscuring in mobile applications with brief character preview followed by masking, balancing security with usability on small screens

Terminal and Command-Line Interface Masking

Configure terminal sessions, SSH clients, and command-line tools to suppress password echo or display asterisks during password entry

Remote Desktop and Screen Sharing Controls

Implement controls to obscure authentication feedback during remote desktop sessions and screen sharing, preventing password exposure to remote viewers or recordings

Kiosk and Shared Workstation Hardening

Implement enhanced authentication feedback obscuring and physical controls for kiosks and shared workstations in high-traffic or public areas

Evidence & Assessment Notes

Expected Evidence

Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.

Plan of Action & Milestones (POA&M)

  • For legacy systems that cannot obscure authentication feedback, document a risk assessment and implement compensating controls such as physical security, limited access, or a system replacement timeline
  • If custom applications lack password masking, prioritize remediation based on system criticality and exposure risk, with high-traffic or public-facing systems addressed first
  • For systems where password masking cannot be implemented due to technical limitations, consider alternative authentication methods (biometrics, hardware tokens, SSO) to reduce password entry frequency
  • Document interim controls for systems awaiting remediation, such as privacy screens, physical access restrictions, or enhanced monitoring
  • Establish testing procedures to verify password masking after system updates or changes to prevent regression
  • For mobile applications, if brief character preview is deemed too risky for specific use cases, document risk acceptance or implement stricter masking with user training to address usability concerns
  • If remote access tools cannot adequately protect authentication feedback, implement procedural controls requiring users to disable screen sharing during password entry
  • For systems in public areas, combine technical controls with physical security measures and document the layered approach

Frequently Asked Questions

Does this control require passwords to be completely invisible, or can they be briefly shown before being masked?

The control allows for brief display of characters before masking, particularly on mobile devices where small keyboards make typing errors more likely. The key requirement is that feedback must be obscured sufficiently to prevent unauthorized individuals from compromising authentication. Brief character preview (typically 1 second or less) on mobile devices is acceptable and balances security with usability.

Do 'show password' toggle buttons in applications violate this control?

Show password toggles do not inherently violate this control if they are implemented securely. The toggle must require deliberate user action, provide clear visual indication when active, and automatically revert to masked state when appropriate (e.g., when the application loses focus). The control aims to prevent unauthorized observation, not to prohibit users from viewing their own passwords when needed.
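As an added example (not code from this page or from ConformatIQ), the JavaScript below models the behaviour described under Mobile Application Authentication Masking and in the answer above: characters are masked by default, a newly typed character may be previewed only for a bounded window (the 1 second or less mentioned in the FAQ), and the reveal toggle requires a deliberate action, exposes a visible indicator, and reverts to masked when the field loses focus. The class name, the injected clock, and the mask character are assumptions of this example.

```javascript
// Added example: a small state model for a masked password field that
// follows the 3.5.11 guidance. The UI renders whatever display() returns.
class MaskedPasswordField {
  // previewMs: how long a newly typed character may stay visible (0 = never).
  // now: injectable clock (assumed here) so the preview window is testable.
  constructor({ previewMs = 0, now = () => Date.now() } = {}) {
    this.previewMs = previewMs;
    this.now = now;
    this.value = '';
    this.revealed = false;       // changed only by an explicit toggle action
    this.lastTypedAt = -Infinity;
  }

  typeChar(ch) {
    this.value += ch;
    this.lastTypedAt = this.now(); // starts the brief preview window
  }

  backspace() {
    this.value = this.value.slice(0, -1);
    this.lastTypedAt = -Infinity;  // never preview after a delete
  }

  // Deliberate user action (button press); never enabled programmatically.
  toggleReveal() { this.revealed = !this.revealed; }

  // Focus loss or app backgrounded: always fall back to fully masked.
  blur() { this.revealed = false; this.lastTypedAt = -Infinity; }

  // Text the UI should render: all mask characters unless the user revealed
  // the field, or the last character is still inside its preview window.
  display() {
    if (this.revealed) return this.value;
    const dots = '•'.repeat(this.value.length);
    const previewing = this.value.length > 0 &&
      this.now() - this.lastTypedAt < this.previewMs;
    return previewing ? dots.slice(0, -1) + this.value.slice(-1) : dots;
  }

  // Label for the toggle control, giving a clear indication when active.
  toggleLabel() {
    return this.revealed ? 'Hide password (visible)' : 'Show password';
  }
}
```

In a browser the native `<input type="password">` already provides the masking; the same rules apply by flipping `type` only from the toggle's click handler and calling `blur()` from the input's `blur` event.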

How does this control apply to remote desktop or screen sharing sessions?

When using remote desktop or screen sharing, authentication feedback must be obscured from both local and remote viewers. This can be achieved through Network Level Authentication (which authenticates before the session is established), configuring tools to pause sharing during authentication, or using credential delegation methods that don't display passwords. Organizations must ensure passwords aren't visible to remote viewers or in session recordings.

Are there any exceptions for systems in secure facilities where only authorized personnel have access?

While physical security can reduce the risk of shoulder surfing, the control still applies unless there is a documented risk assessment and acceptance. Systems in secure facilities should still implement password masking as the default, but organizations may accept residual risk for specific systems where technical implementation is not feasible and physical security provides adequate compensating controls.

What should we do if a legacy system cannot obscure authentication feedback?

Legacy systems that cannot obscure authentication feedback require a documented risk assessment and compensating controls. Options include: implementing physical controls (privacy screens, restricted access), reducing password entry frequency through SSO or alternative authentication, enhanced monitoring, or establishing a timeline for system replacement or upgrade. The inability to obscure feedback should be documented in a POA&M with a remediation plan.

How is this control verified during a CMMC assessment?

Assessors will observe authentication processes across a representative sample of systems, including workstations, servers, mobile devices, and web applications. They will verify that passwords are masked during entry, review configuration documentation, and may test whether masking can be disabled by regular users. Assessors will also examine custom applications, remote access tools, and systems in public areas to ensure comprehensive implementation.

How ConformatIQ Helps With CMMC Readiness

ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.

Information sourced from NIST SP 800-171 Rev. 2.