IA.L2-3.5.11: Obscure Feedback of Authentication Information
Authentication systems must never leak information about valid users, failed attempts, or system details through error messages. IA.L2-3.5.11 requires you to obscure feedback so attackers can't enumerate accounts or gain reconnaissance advantage. This control is foundational to preventing credential stuffing, brute force attacks, and social engineering.
What this means
Obscuring authentication feedback means your system must not reveal whether a username exists, whether a password is incorrect, or any details about your authentication infrastructure through login error messages, response times, or system behavior. Generic messages like 'Authentication failed' protect against attackers who probe for valid accounts and system weaknesses.
How to comply
- 1.Review all authentication system error messages and replace specific feedback (e.g., 'Username not found' or 'Password incorrect') with generic messages like 'Invalid credentials'
- 2.Ensure login response times are consistent regardless of whether the username exists or password is wrong, preventing timing-based account enumeration
- 3.Remove system information from error pages, logs visible to users, and HTTP headers that reveal server type or version
- 4.Test authentication interfaces for information leakage through account lockout messages, password reset flows, and account recovery mechanisms
- 5.Implement logging internally that tracks authentication events in detail, while users see only obscured messages
- 6.Document your obscured authentication feedback policy and train development teams on secure error handling
Evidence auditors look for
- Screenshots of login form error messages showing generic 'Invalid credentials' text without distinguishing between bad username or password
- Code review documentation showing implementation of generic error handling in authentication modules
- Configuration files or security policies defining approved authentication error messages
- Test results showing consistent response times for failed authentication attempts
- Internal audit logs that track authentication events while user-facing messages remain obscured
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates detection of information leakage in your authentication systems by analyzing error messages, response patterns, and logs—flagging configurations that violate IA.L2-3.5.11 before auditors find them.
See how GRCWatch handles this control automatically
Start free trial