The system must invalidate previously generated OTPs when the generation of a new one is triggered.
One-time passwords (OTP) are secrets used during operations that need added security or as part of user enrollment processes. Despite their short lifespan, only one OTP should be valid at any given time, and therefore, all previous OTPs should be invalidated whenever a new one is generated.
CWE-287: Improper Authentication When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
CWE-307: Improper Restriction of Excessive Authentication Attempts The software does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.
OWASP Top 10 A2:2017-Broken Authentication. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
OWASP-ASVS v4.0.1 V2.2 General Authenticator Requirements.(2.2.1) Verify that anti-automation controls are effective at mitigating breached credential testing, brute force, and account lockout attacks. Such controls include blocking the most common breached passwords, soft lockouts, rate limiting, CAPTCHA, ever increasing delays between attempts, IP address restrictions, or risk-based restrictions such as location, first login on a device, recent attempts to unlock the account, or similar. Verify that no more than 100 failed attempts per hour is possible on a single account.
OWASP-ASVS v4.0.1 V2.6 Look-up Secret Verifier Requirements.(2.6.1) Verify that lookup secrets can be used only once.
OWASP-ASVS v4.0.1 V2.8 Single or Multi Factor One Time Verifier Requirements.(2.8.4) Verify that time-based OTPs can be used only once within the validity period.
OWASP-ASVS v4.0.1 V3.2 Session Binding Requirements.(3.2.1) Verify the application generates a new session token on user authentication.
PCI DSS v3.2.1 - Requirement 6.5.10 Address common coding vulnerabilities in software-development processes such as broken authentication and session management.