Users provide sufficient evidence to verify their identity when requesting an account unlock.
Topic
Account unlocks
Applicable to
all
History
Priority
must
Mar 2022
Removed
The recommendation for users to provide sufficient evidence to verify their identity when requesting an account unlock was rescinded as it provided little security benefit. For example, if a locked account was unlocked by a service desk member the user would still need to know their original credentials in order to logon again. In cases where new credentials were required, such activities would fall under the scope of recommendations for verifying a user’s identity before issuing new credentials (ISM-1593). Note, any repeated lockouts of an account (which could indicate a password guessing attack taking place) is captured by the monitoring of account lockout events (i.e. event ID 4740) under ISM-0582.
Aug 2020
Users provide sufficient evidence to verify their identity when requesting an account unlock.
Security control 0976 was amended to focus on account unlocks.
Jul 2020
Users provide sufficient evidence to verify their identity when requesting a password/passphrase reset.
Oct 2019
Users provide sufficient evidence to verify their identity when requesting a password/passphrase reset.
Security controls 0976 and 1227 were modified slightly.
Sep 2019
Users provide sufficient evidence to verify their identity when requesting a passphrase reset.
2015
Agencies must ensure users provide sufficient evidence to verify their identity whenrequesting a passphrase reset for their system account.
2010
Agencies must ensure system users provide sufficient evidence to verify their identity when requesting apassword reset for their system account.