= digital authentication = Establish confidence in user ID in an electronic system == requirements == * ID system users, process, etc * Authenticate the ID of those users, processes etc Derived requirements from this, * use multi factor authentication * be replay resistant * prevent reuse of IDs for a defined period * disable ID after some period of inactivity * enforce a minimum complexity for passwords * prohibit passwords for a specific amount of time * store and transmit only cryptographically protected passwords * Obscure feedback from authentication * IE don't say "wrong password" or "user does not exist" == means of authentication == * password/pin * physical token (IE smart card) * static biometrics (IE finger/face)