bigforceone

03.05.11

What this control requires

Source: NIST SP 800-171 R3 §03.05.11 (official control text).

Why this matters

Authentication feedback controls prevent unauthorized observers from capturing credentials during the login process. When users enter passwords or PINs, visible characters create opportunities for 'shoulder surfing' attacks where nearby individuals can view and memorize authentication secrets. This control requires systems to obscure authenticator input—typically by masking characters with asterisks or dots, or displaying them briefly before hiding. The risk varies by context: large desktop monitors in open offices present higher exposure than mobile devices with small screens. Protecting authentication feedback prevents credential theft in physical spaces, remote work environments, and public locations where visual observation is possible.
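One way to check the masking described above on web login forms, as an added example that is not part of the original page or of the FORCE product: a static scan of saved page markup for password or PIN fields that would echo typed characters. The field-name heuristics, function names and sample form are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumption: naming hints that a field takes a password or PIN (heuristic only).
SECRET_HINT = re.compile(r"passw|passcode|passphrase|pwd|(?<![a-z])pin(?![a-z])", re.I)
# autocomplete tokens the HTML standard defines for password fields.
SECRET_AUTOCOMPLETE = {"current-password", "new-password"}
NOT_TYPED = {"hidden", "submit", "button", "checkbox", "radio", "image", "reset"}

class FeedbackAudit(HTMLParser):
    """Collects <input> fields that look like secrets but are not type=password."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, field name, effective type)

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        itype = (a.get("type") or "text").lower()  # a missing type renders as text
        if itype in NOT_TYPED:
            return
        label = " ".join(a.get(k, "") for k in ("name", "id", "placeholder", "aria-label"))
        tokens = set(a.get("autocomplete", "").lower().split())
        looks_secret = bool(SECRET_HINT.search(label)) or bool(tokens & SECRET_AUTOCOMPLETE)
        if looks_secret and itype != "password":
            line, _ = self.getpos()
            self.findings.append((line, a.get("name") or a.get("id") or "?", itype))

def audit(html):
    """Return findings for one saved page; an empty list means no field was flagged."""
    parser = FeedbackAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: one masked password field, two fields that echo input.
SAMPLE = """<form>
<input type="text" name="username">
<input type="password" name="password" autocomplete="current-password">
<input type="text" name="user_pin" inputmode="numeric">
<input name="confirm" autocomplete="new-password">
<input type="hidden" name="password_hint_id" value="3">
</form>"""

if __name__ == "__main__":
    for line, name, itype in audit(SAMPLE):
        print(f"line {line}: field '{name}' is type={itype}, input is echoed in clear")
```

The scan reads static markup only; a show-password toggle changes the field type at runtime, so the rendered page still needs a visual check.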

What evidence assessors expect

Assessors typically look for a screenshot and a configuration export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
