Network logins can't be captured and replayed by an attacker.
What it actually means
Authentication over the network must resist replay attacks — where someone captures a login exchange and re-sends it. Modern protocols handle this for you: Kerberos, modern TLS-based authentication, and FIDO2 are replay-resistant. The work is usually confirming you're not relying on something legacy.
Pass or fail — an assessor needs a "yes" to each
- Network authentication uses replay-resistant protocols (Kerberos / modern TLS / FIDO2).
- Legacy, replayable mechanisms are disabled.
What to have ready
- Identity-provider / protocol configuration
- Confirmation that legacy auth is disabled
Where teams trip up
- Legacy authentication left enabled in Entra/AD
- Assuming replay resistance without checking the protocols in use
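One way to check the protocols actually in use rather than assuming, as an added example that is not part of this page: a small audit over sign-in records, classifying each as modern or legacy. The records below are constructed, not real log data. The Entra ID rule follows Microsoft's definition of legacy authentication (any clientAppUsed value other than "Browser" or "Mobile Apps and Desktop clients", since those legacy clients send the password itself in each request). The Windows rule reads the AuthenticationPackageName and LmPackageName fields of a logon event (ID 4624): Kerberos is replay-resistant, NTLM is the legacy family, and NTLM V1 / LM is the clearest fail. Record field names and the sample values are assumptions for this example; treating NTLMv2 as "review" rather than "pass" is a conservative choice, not a statement from the page.

```python
"""Audit constructed sign-in records for legacy (replayable) authentication."""
from collections import Counter

# Entra ID sign-in logs: per Microsoft's definition, any clientAppUsed value
# outside this set is legacy authentication (IMAP4, POP3, SMTP, ActiveSync ...).
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed Entra sign-in records (assumed field names, sample values).
ENTRA_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser"},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "IMAP4"},
    {"userPrincipalName": "carol@example.com", "clientAppUsed": "Mobile Apps and Desktop clients"},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "Authenticated SMTP"},
]

# Constructed Windows Security 4624 records (assumed field names, sample values).
WINDOWS_LOGONS = [
    {"TargetUserName": "alice", "AuthenticationPackageName": "Kerberos", "LmPackageName": "-"},
    {"TargetUserName": "svc-backup", "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1"},
    {"TargetUserName": "dave", "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2"},
]


def classify_entra(record: dict) -> str:
    """'modern' for interactive/modern-auth clients, 'legacy' for everything else."""
    return "modern" if record.get("clientAppUsed") in MODERN_CLIENT_APPS else "legacy"


def classify_windows(record: dict) -> str:
    """Kerberos -> modern; NTLM -> legacy, split by NTLM version; else unknown."""
    package = record.get("AuthenticationPackageName", "")
    if package == "Kerberos":
        return "modern"
    if package == "NTLM":
        lm = record.get("LmPackageName", "-")
        # NTLM V1 and LM responses are the weakest and should not be in use at all.
        return "legacy-ntlmv1" if lm in ("NTLM V1", "LM") else "legacy-ntlmv2"
    return "unknown"


def audit(entra_records, windows_records) -> Counter:
    """Count legacy sign-ins by source and mechanism; empty Counter means clean."""
    findings = Counter()
    for rec in entra_records:
        if classify_entra(rec) == "legacy":
            findings[("entra", rec["clientAppUsed"])] += 1
    for rec in windows_records:
        verdict = classify_windows(rec)
        if verdict.startswith("legacy"):
            findings[("windows", verdict)] += 1
    return findings


def legacy_principals(entra_records, windows_records) -> list:
    """Sorted, de-duplicated list of identities still authenticating with legacy mechanisms."""
    users = set()
    for rec in entra_records:
        if classify_entra(rec) == "legacy":
            users.add(rec["userPrincipalName"])
    for rec in windows_records:
        if classify_windows(rec).startswith("legacy"):
            users.add(rec["TargetUserName"])
    return sorted(users)


if __name__ == "__main__":
    for key, count in sorted(audit(ENTRA_SIGNINS, WINDOWS_LOGONS).items()):
        print(f"{key[0]:8} {key[1]:20} {count}")
    print("identities to remediate:", legacy_principals(ENTRA_SIGNINS, WINDOWS_LOGONS))
```

Run against exported sign-in logs, a non-empty result is the list of clients and accounts to move off legacy authentication before the assessor asks; an empty result is the evidence that "legacy auth is disabled" is true in practice, not just in policy.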
See where this control puts your score
Run all 110 requirements free in about 10 minutes.
Calculate your SPRS score →