Summary

One-time passwords (OTP) must have a maximum lifespan of 60 seconds.

Description

OTPs are tokens that help hinder phishing (impersonation) attacks. They should be generated using secure cryptographic algorithms, be sent over a protected channel and have a short lifespan that considers network delay and entry time. Furthermore, it should only be possible to use them once within their validity period.

Supported In

This requirement is verified in following services

References

• NIST 800-63B-5_1_4_2. Single-factor OTP verifiers
• OWASP TOP 10-A7. Identification and authentication failures
• SANS 25-13. Improper authentication
• CMMC-IA_L2-3_5_5. Identifier reuse
• ISA/IEC 62443-CR-1_7-RE_2. Password lifetime restrictions for all users
• NIST 800-171-5_2. Authenticate or verify the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems
• CWE TOP 25-287. Improper authentication
• OWASP ASVS-2_2_6. General authenticator security
• OWASP ASVS-2_5_6. Credential recovery
• OWASP ASVS-2_8_1. One time verifier
• PCI DSS-8_3_5. Initial or reset password or passphrase used by authorized user
• SIG Core-U_1_9_13. Server security
• Resolution SB 2021 2126-Art_30_8. Security in Electronic Channels - Digital Banking

Vulnerabilities

• 401.Insecure service configuration - AKV Secret Expiration
• 403.Insecure service configuration - usesCleartextTraffic

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.