User access controls and software update integrity from existing design input requirements — authentication extends these into a comprehensive cryptographic framework covering all communication pathways.
FDA Appendix 1.A requires cryptographically strong authentication for all device communication pathways, hardware-backed security where possible, MFA for privileged access, anti-replay for critical commands, and explicit prohibition of default or hardcoded credentials.
Authenticated firmware update paths, elimination of default credentials, and mutual authentication of external connections — missing authentication for device-to-server or device-to-device links is a common deficiency finding.
Maps to
FDA Cybersecurity: §Appendix 1.A Authentication
Requirement text
FDA's Premarket Cybersecurity Guidance (current edition February 3, 2026) recommends that medical device manufacturers implement authentication controls for both information and entities throughout the device system. Devices should verify the authenticity of information from external entities and prove the authenticity of information they generate. Authentication should cover information at rest, information in transit, communication endpoints, software binaries, and the execution state of running software. FDA recommends the use of cryptographically strong authentication where the authentication functionality resides on the device.
Why this clause exists
Authentication is a foundational security control because a device that cannot verify the identity of communicating entities or the integrity of received information cannot reliably distinguish authorized commands from malicious ones. FDA guidance Appendix 1.A identifies authentication as covering two distinct objectives: authentication of information (proving data originated from a known trusted source and was not altered) and authentication of entities (proving the identity of communication endpoints). Regulators found that many premarket submissions described authentication only for end users at the user interface, leaving device-to-device and device-to-server communications — including implanted device programmer links and insulin pump control channels — without authentication controls. The specific call-out of hardware-based security solutions reflects FDA's recognition that software-only authentication can be circumvented by an attacker who has gained OS-level access, whereas hardware-backed authentication (e.g., TPM, secure enclaves) provides authentication guarantees even under partial software compromise. The explicit prohibition on hardcoded, default, and easily guessed passwords reflects the documented patient-safety impact of medical device compromises that exploited unchanged default credentials.
What changed
FDA's September 2023 final guidance (updated February 2026) established detailed, enforceable recommendations for device authentication controls backed by Section 524B of the FD&C Act. Prior to 2023, authentication requirements were voluntary best practices from the 2014 draft guidance. Appendix 1.A of the current guidance specifies the full scope of authentication: covering both information and entity authentication, requiring hardware-backed solutions where possible, mandating multi-factor authentication for privileged access, and explicitly prohibiting hardcoded or default passwords. The anti-replay requirement for critical communications reflects post-2023 analysis of medical device attack vectors. FDA's Refuse to Accept (RTA) process now flags submissions lacking adequate authentication controls.
Common gaps (what we see in audits)
- Authentication limited to user login without covering device-to-device and update pathways — Many premarket submissions describe authentication only at the user interface, omitting authentication for device-to-server communications, firmware update acceptance, and data telemetry integrity. FDA Appendix 1.A requires authentication for all communication pathways including software/firmware updates, external server connections, and output data whose tampering could cause patient harm.