Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - IA.L2-3.5.11: Obscure feedback of authentication information.
Understanding the Requirement
This control requires that any feedback presented to users during authentication hides the actual authentication information so that an observer cannot read or capture it. In practice, that means passwords and other secrets must be obscured (for example, showing dots or asterisks instead of the typed characters, or showing nothing at all) on workstations, mobile devices, and other endpoints used to access company systems. The objective is simple: authentication information is obscured during the authentication process to reduce the risk of shoulder-surfing or accidental exposure, consistent with the NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 framework. Note that the control is about what is displayed back to the user while authenticating; protecting credentials in transit and at rest is covered by other controls.
Technical Implementation
- Enforce masked input on user-facing authentication fields: Configure web and desktop applications to use secure password input controls (HTML input type="password", native password fields in desktop and mobile toolkits) so typed characters are never rendered. Review custom forms and the third-party SaaS login pages staff use to confirm masking is enabled; a field named "password" that is rendered as a plain text input fails the control even when it is styled to look like a login box.
- Disable password echoing in command-line and remote sessions: For SSH, local consoles, and administrative shells, ensure password prompts do not echo typed characters. Verify that sudo, su, and remote administration tools suppress visible input. On Linux hosts, for example, check that sudoers does not set "Defaults pwfeedback", which prints an asterisk per keystroke and reveals password length. Scripts that prompt for secrets should use a non-echoing read (read -s in bash, getpass in Python) rather than a plain read.
- Apply MDM/EMM policies for mobile devices: Use your mobile device management solution to enforce use of managed browsers and apps that obscure credentials. Block or restrict apps that expose typed passwords in cleartext or that allow screen overlays capable of capturing input.
- Prevent storage or display of credentials in logs and UIs: Review application logging, crash dumps, and diagnostic exports to confirm that authentication data (passwords, one-time codes, session tokens) is never written out. Where a secret could reach a log line, error message, or admin interface, redact the field before it is formatted rather than searching logs after the fact. Check URL query strings as well: a credential submitted via GET ends up in web server and proxy access logs by default.
- Test and verify across platforms: Create a simple checklist covering workstation OS versions, browsers, mobile OS, remote desktop clients, and custom apps. Include manual observation (a shoulder-surf test) and automated scans where possible to confirm input masking is active and consistent, and re-run it after major software updates.
- Document policy and train staff: Add a brief policy stating that credentials must never be displayed and include it in onboarding. Admins and developers should understand secure input controls and the requirement to avoid UI patterns that reveal secrets (for example, "show password" toggles should be off by default or require explicit risk acceptance).
Example in a Small or Medium Business
The IT lead at a 40-person engineering firm audits login flows after a security review flagged potential exposure on tablets used in the field. She updates the company's MDM to require managed browsers and pushes a configuration profile that enforces native password fields and disables screen overlays on company phones. The desktop team verifies that the internal helpdesk portal and the time-tracking web app use masked password inputs and adjusts a custom-built ticketing form that had previously echoed characters. For remote administration, the network administrator confirms that SSH and RDP clients do not echo passwords and disables an old remote tool that displayed credentials in cleartext during reconnection. They add a short procedure for developers to test input masking before deploying updates, and the HR manager includes a one-page reminder in employee security training about shielding keyboards in public and not sharing screens while authenticating. Finally, the IT lead runs a simple checklist quarterly to validate that masking remains enabled after software updates and documents the findings in the organization's compliance folder.
Summary
Obscuring authentication feedback is a low-cost, high-impact control: combining policy, simple configuration changes, MDM enforcement, and periodic testing ensures passwords and other secrets are not visible to observers or captured in logs. For SMBs this typically means enabling native password fields in apps, disabling echoing in consoles and remote tools, enforcing managed apps on mobile devices, and training staff; together these measures meet the IA.L2-3.5.11 requirement and materially reduce the risk of credential exposure.