The system must request at least one username and password from every actor that tries to authenticate.
Sometimes systems have information and other resources that are not considered public. These resources should be protected by a secure authentication mechanism that prevents unauthorized actors from accessing them. The authentication mechanism should request at least a username and a password.
CWE-306: Missing Authentication for Critical Function The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
HIPAA Security Rules 164.310(a)(2)(iii): Access Control and Validation Procedures: Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
HIPAA Security Rules 164.312(a)(1): Access Control: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4)
HIPAA Security Rules 164.312(d): Person or Entity Authentication: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
NIST 800-53 IA-1 - 2 The organization must implement procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls.
OWASP Top 10 A2:2017-Broken Authentication. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
OWASP-ASVS v4.0.1 V1.2 Authentication Architectural Requirements.(1.2.2) Verify that communications between application components, including APIs, middleware and data layers, are authenticated. Components should have the least necessary privileges needed.
OWASP-ASVS v4.0.1 V1.2 Authentication Architectural Requirements.(1.2.3) Verify that the application uses a single vetted authentication mechanism that is known to be secure, can be extended to include strong authentication, and has sufficient logging and monitoring to detect account abuse or breaches.
PCI DSS v3.2.1 - Requirement 6.5.10 Address common coding vulnerabilities in software-development processes such as broken authentication and session management.
PCI DSS v3.2.1 - Requirement 8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data.
PCI DSS v3.2.1 - Requirement 8.2 In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least a password, a passphrase, a token device, a smart card or a biometric to authenticate all users.