Control: The organisation requires that individuals accessing the information system employ [Assignment: organisation-defined supplemental authentication techniques or mechanisms] under specific [Assignment: organisation-defined circumstances or situations].
Adaptive Identification and Authentication Supplemental Guidance:
Adversaries may compromise individual authentication mechanisms and subsequently attempt to impersonate legitimate users. This situation can potentially occur with any authentication mechanism employed by organisations. To address this threat, organisations may employ specific techniques/mechanisms and establish protocols to assess suspicious behaviour (e.g., individuals accessing information that they do not typically access as part of their normal duties, roles, or responsibilities; accessing greater quantities of information than they would routinely access; or attempting to access information from suspicious network addresses). In these situations, when certain pre-established conditions or triggers occur, organisations can require selected individuals to provide additional authentication information. Another potential use for adaptive identification and authentication is to increase the strength of the mechanism based on the number and/or types of records being accessed.
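The following added example (not part of the control text) sketches how the triggers named in the guidance could drive a step-up authentication decision. The class and function names, thresholds, record types, network range and the three authentication levels are all assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Every value below is an assumption: an organisation defines its own triggers.
SUSPICIOUS_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed (TEST-NET-3)
VOLUME_FACTOR = 3      # trigger when a request exceeds 3x the routine volume
BULK_RECORDS = 1000    # record count that alone demands the strongest mechanism
SENSITIVE_TYPES = {"medical", "payroll"}

@dataclass
class Baseline:
    usual_resources: set   # resources tied to the user's normal duties
    routine_records: int   # records the user routinely accesses per request
@dataclass
class Request:
    resource: str
    record_type: str
    record_count: int
    source_ip: str

def triggers(req, base):
    """Return the pre-established conditions that this request meets."""
    hits = []
    if req.resource not in base.usual_resources:
        hits.append("atypical_resource")
    if req.record_count > VOLUME_FACTOR * base.routine_records:
        hits.append("excess_volume")
    try:
        bad = any(ipaddress.ip_address(req.source_ip) in n for n in SUSPICIOUS_NETS)
    except ValueError:     # unparseable address: fail closed
        bad = True
    if bad:
        hits.append("suspicious_address")
    return hits

def required_level(req, base):
    """1 = existing session, 2 = additional factor, 3 = strongest mechanism."""
    hits = triggers(req, base)
    level = 1 + min(len(hits), 2)           # more triggers, stronger mechanism
    if req.record_type in SENSITIVE_TYPES:  # strength scales with record type
        level = max(level, 2)
    if req.record_count >= BULK_RECORDS:    # and with the number of records
        level = 3
    return level, hits

def decide(req, base, session_level):
    level, hits = required_level(req, base)
    action = "allow" if session_level >= level else "step_up"
    return {"action": action, "required_level": level, "triggers": hits}
```

Recording the returned `triggers` list with each decision gives auditors the reason a user was asked for additional authentication information.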