Are user IDs authorized before being issued, prevented from reuse, and disabled within a predetermined timeframe (based on account type) once they are no longer needed?
Are passwords and PINs masked (prevented from being seen) during entry?
Does the application ensure that all users are uniquely identified and authenticated?
Does the application’s password management include: ensuring adequate password selection and composition, requiring periodic password changes, establishing minimum and maximum password lifetimes and reuse restrictions, and changing default passwords; and are passwords maintained on the vendor’s servers?
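The controls the last question asks about (composition rules, minimum and maximum password age, a reuse history, and rejection of default passwords) are concrete enough to check in code. The following is an added example written for this page, not code from any vendor or product the questionnaire is addressed to. The policy values (12 characters, 3 character classes, 1-day minimum and 90-day maximum age, 5-entry history), the PBKDF2 hashing scheme and the small default-password list are all assumptions chosen for illustration.

```python
"""Password-policy checker (added example; policy values are assumptions)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed policy parameters; a real deployment reads these from configuration.
MIN_LENGTH = 12
MIN_CLASSES = 3                      # of: lower, upper, digit, symbol
HISTORY_DEPTH = 5                    # previous passwords that may not be reused
MIN_AGE = timedelta(days=1)          # earliest point a user may change again
MAX_AGE = timedelta(days=90)         # after this a change is forced
DEFAULT_PASSWORDS = {"admin", "password", "changeme"}   # constructed sample list


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the stored history never contains plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    current: Optional[bytes] = None           # hash of the active password
    history: List[bytes] = field(default_factory=list)  # hashes of prior ones
    last_changed: Optional[datetime] = None


def composition_errors(password: str) -> List[str]:
    """Length, character-class and default-password checks."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < MIN_CLASSES:
        errors.append(f"uses fewer than {MIN_CLASSES} character classes")
    if password.lower() in DEFAULT_PASSWORDS:
        errors.append("is a known default password")
    return errors


def is_reused(account: Account, password: str) -> bool:
    """True if the candidate matches the current password or any in history."""
    candidate = _hash(password, account.salt)
    previous = [h for h in [account.current, *account.history] if h is not None]
    return any(hmac.compare_digest(candidate, h) for h in previous)


def must_change(account: Account, now: datetime) -> bool:
    """Maximum-lifetime rule: force a change when the password is too old."""
    return account.last_changed is None or now - account.last_changed > MAX_AGE


def change_password(account: Account, new_password: str, now: datetime) -> List[str]:
    """Apply every rule; returns the violations, and stores the password if none."""
    errors = composition_errors(new_password)
    if account.last_changed is not None and now - account.last_changed < MIN_AGE:
        errors.append("minimum password age not reached")
    if is_reused(account, new_password):
        errors.append("matches the current or a recent password")
    if errors:
        return errors
    if account.current is not None:
        # Rotate the old hash into history, keeping only HISTORY_DEPTH entries.
        account.history = [account.current, *account.history][:HISTORY_DEPTH]
    account.current = _hash(new_password, account.salt)
    account.last_changed = now
    return []
```

Reuse is checked against stored hashes rather than plaintext, and the comparison uses `hmac.compare_digest` so the check itself does not leak timing information; the per-account salt is kept constant across changes precisely so that old hashes remain comparable.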