R140. Define OTP lifespan

Requirement

One-time passwords (OTP) must have a maximum lifespan of 60 seconds.

Description

*OTP*s are tokens that help hinder phishing (impersonation) attacks. They should be generated using secure cryptographic algorithms, be sent over a protected channel, and have a short lifespan that accounts for both network delay and the time the user needs to enter them. Furthermore, each *OTP* should be accepted only once within its validity period.
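As an added example (not Fluid Attacks' own code), the following minimal verifier enforces the properties above: CSPRNG-backed generation, a 60-second maximum lifespan, single use within that window, and constant-time comparison of the submitted value. The `OtpVerifier` class, the 6-digit format and the injectable `clock` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_LIFESPAN_SECONDS = 60  # maximum lifespan required by R140


@dataclass
class IssuedOtp:
    digest: bytes      # SHA-256 of the OTP; the clear value is never stored
    issued_at: float   # seconds since epoch when the OTP was generated
    used: bool = False


class OtpVerifier:
    """Issues 6-digit OTPs and accepts each one at most once within 60 s.

    `clock` is injectable (assumption for illustration) so expiry can be
    exercised in tests without waiting in real time.
    """

    def __init__(self, clock=time.time, lifespan=OTP_LIFESPAN_SECONDS):
        self._clock = clock
        self._lifespan = lifespan
        self._issued = {}  # user_id -> IssuedOtp (the latest OTP only)

    @staticmethod
    def _digest(otp: str) -> bytes:
        return hashlib.sha256(otp.encode()).digest()

    def issue(self, user_id: str) -> str:
        # CSPRNG-backed, fixed width; a new OTP replaces any previous one
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        self._issued[user_id] = IssuedOtp(self._digest(otp), self._clock())
        return otp

    def verify(self, user_id: str, candidate: str) -> str:
        record = self._issued.get(user_id)
        if record is None:
            return "no_otp"
        if self._clock() - record.issued_at > self._lifespan:
            del self._issued[user_id]   # expired: discard, never accept
            return "expired"
        if record.used:
            return "already_used"       # replay within the validity window
        if not hmac.compare_digest(record.digest, self._digest(candidate)):
            return "mismatch"
        record.used = True              # burn the OTP on first success
        return "ok"
```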

References

  1. CWE-287: Improper Authentication. When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

  2. CWE-326: Inadequate Encryption Strength. The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

  3. CWE-613: Insufficient Session Expiration. Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.

  4. NIST 800-63B 5.1.4.2 Single-Factor OTP Verifiers. Time-based OTPs SHALL have a defined lifetime that is determined by the expected clock drift — in either direction — of the authenticator over its lifetime.

  5. NIST 800-63B 5.1.4.2 Single-Factor OTP Verifiers. The verifier SHALL use approved encryption and an authenticated protected channel when collecting the OTP in order to provide resistance to eavesdropping and MitM attacks.

  6. NIST 800-63B 5.1.4.2 Single-Factor OTP Verifiers. In order to provide replay resistance as described in Section 5.2.8, verifiers SHALL accept a given time-based OTP only once during the validity period.

  7. OWASP Top 10 A2:2017 - Broken Authentication. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.

  8. OWASP-ASVS v4.0.1 V2.8 Single or Multi Factor One Time Verifier Requirements (2.8.1). Verify that time-based *OTP*s have a defined lifetime before expiring.

  9. OWASP-ASVS v4.0.1 V2.8 Single or Multi Factor One Time Verifier Requirements (2.8.3). Verify that approved cryptographic algorithms are used in the generation, seeding, and verification.

  10. OWASP-ASVS v4.0.1 V2.8 Single or Multi Factor One Time Verifier Requirements (2.8.4). Verify that time-based *OTP*s can be used only once within the validity period.

  11. PCI DSS v3.2.1 - Requirement 6.5.10. Address common coding vulnerabilities in software-development processes such as broken authentication and session management.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.