The system must validate that the given credentials (email, phone number, etc.) actually belong to the user that claimed ownership of them.
CWE-345: Insufficient Verification of Data Authenticity The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-602: Client-Side Enforcement of Server-Side Security The software is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.
GDPR. Recital 64: Identity verification. The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers.
OWASP-ASVS v4.0.1 V1.4 Access Control Architectural Requirements.(1.4.1) Verify that trusted enforcement points such as at access control gateways, servers, and serverless functions enforce access controls. Never enforce access controls on the client.
OWASP-ASVS v4.0.1 V2.5 Credential Recovery Requirements.(2.5.7) Verify that if OTP or multi-factor authentication factors are lost, that evidence of identity proofing is performed at the same level as during enrollment.