Authentication
Use of indistinguishable response time
Summary: Response time of authentication probes should be indistinguishable whether a user exists or not. Description: This requirement aims to ensure that, regardless of the input or conditions, the response time of a system remains ...
Assign MFA mechanisms to a single account
Summary: The system must associate each secondary authentication mechanism with a single account. Description: Single-factor authentication mechanisms often offer poor security due to the weak, common or easy-to-guess passwords that users tend to set. ...
Define out of band token lifespan
Summary: The system must expire out of band authentication requests, codes or tokens after 10 minutes and should only allow them to be used once within this period. Description: Secure out of band authenticators are physical devices that can ...
Avoid knowledge-based authentication
Summary: Password hints and knowledge-based authentication, such as secret questions, should not be enabled. Description: Password hints often offer enough information for an attacker to guess a user's password. Answers to secret questions are sometimes ...
Request MFA for critical systems
Summary: The system must encrypt and verify client-side session information (ViewState). Description: ViewState contains information about the state of the user interface and controls on a web page. If left unverified, an attacker could tamper the ...
Make authentication options equally secure
Summary: All of the system's authentication pathways and identity management APIs must be equally secure. Description: Some systems offer more than one option to authenticate their users or verify their identity. All of these options must have the same ...
Request authentication
Summary: The system must require authentication for all resources, except for the consultation or visualization of those specifically classified as public. Description: Sometimes systems have information and other resources that are not considered ...
Establish safe recovery
Summary: The system must guarantee that the person performing the password recovery or reset process is actually the owner. Description: Systems must have mechanisms that enable users to update and recover their passwords while guaranteeing the ...
Ascertain human interaction
Summary: The system must guarantee that user actions are performed by a human (e.g., registration, authentication and password recovery). This can be achieved using CAPTCHA, incremental delays or mechanisms that prevent excessive crawling and ...
Establish authentication time
Summary: The authentication process must have a defined time limit of 30 seconds. Description: A time limit helps to reduce the exposure of sensitive authentication information to potential attackers. For example, if an authentication session is open ...
Define credential interface
Summary: The authentication must have a separate interface for on-screen credentials input. Description: This requirement suggests that there should be a separate user interface element for users to input their authentication credentials. The ...
Require equipment identity
Summary: A system with critical information must require the identification of the equipment from which a user or system is authenticated. Description: The requirement includes capturing information about the device used for access that can be used to ...
Implement a biometric verification component
Summary: Systems with critical information must implement a component for biometric verification during the authentication process. Description: Biometric authentication relies on the unique biological characteristics of an individual and serves as an ...
Request access credentials
Summary: The system must request at least one username and password from every actor that tries to authenticate. Description: Sometimes systems have information and other resources that are not considered public. These resources should be protected by ...
Authenticate using standard protocols
Summary: The organization must implement the Single Sign On (SSO) process using standard protocols (e.g., SAML). Description: When SSO is enabled, centralized control over user authentication and authorization is possible. The Identity Provider becomes ...
Display access notification
Summary: The system must notify, upon any access attempt, that access to the system is only available for authorized users. Description: Sometimes systems have information and other resources that are not considered public. These resources should be ...
Avoid account lockouts
Summary: The system must never block a user account after one or several failed authentication attempts. Description: Account blocking is a double-edged sword if an attacker is trying to guess an account password and if it is blocked on the third ...
Proper authentication responses
Summary: System responses to authentication failures must not indicate which part of the authentication was incorrect. Description: Authentication forms are one of the most publicly accessible parts of an application, which makes them more susceptible ...
Out of band transactions
Summary: The system must offer secure out of band authenticators, such as push notifications. Clear text options such as SMS, mailing or PSTN may be offered but should not be the default option. Description: Secure out of band authenticators are ...
Validate credential ownership
Summary: The system must validate that the given credentials (email, phone number, etc.) actually belong to the user that claimed ownership of them. Description: The requirement to validate that given credentials belong to the user claiming ownership ...