
REQ.141 Force re-authentication

This document contains the details of the security requirements related to the definition and management of access credentials in the organization. This requirement establishes the importance of forcing users to re-authenticate when they perform critical operations on sensitive data, and of invalidating existing sessions whenever the state of a user account changes.

Requirement

The system must force users to re-authenticate, or must invalidate their current sessions, whenever the state of the user account changes (password change or recovery, account lockout, user deletion, etc.). Sessions issued before the change must not remain usable afterwards.
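One way to implement the requirement, as an added example that is not part of this page or of any Fluid Attacks product: every session records the account's "session generation" at login, every state change (password change, lockout, deletion) increments that generation so that all older sessions are rejected on their next request, and sensitive operations additionally require that the session has been re-authenticated within a freshness window, as the ASVS reference asks. The class and method names, the PBKDF2 parameters and the 5-minute window are assumptions chosen for the example.

```python
"""Session handling that enforces REQ.141 (added example, not Fluid Attacks code).

Assumptions: in-memory stores, PBKDF2-SHA256 for password hashing, and a
5-minute re-authentication window for sensitive operations.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from hashlib import pbkdf2_hmac
from typing import Dict, Optional

REAUTH_WINDOW_SECONDS = 300  # assumption: sensitive ops need auth within 5 min


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    locked: bool = False
    deleted: bool = False
    # Bumped on every state change; sessions minted under an older
    # generation are rejected, which invalidates all of them at once.
    session_generation: int = 0


@dataclass
class Session:
    username: str
    generation: int
    last_auth_at: float  # when the user last proved the password on this session


def _hash_pw(password: str, salt: bytes) -> bytes:
    return pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    def __init__(self, now=time.time):
        self.now = now  # injectable clock so the freshness check is testable
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, salt, _hash_pw(password, salt))

    def _verify(self, username: str, password: str) -> Optional[User]:
        u = self.users.get(username)
        if u is None or u.deleted or u.locked:
            return None
        if not hmac.compare_digest(_hash_pw(password, u.salt), u.pw_hash):
            return None
        return u

    def login(self, username: str, password: str) -> Optional[str]:
        u = self._verify(username, password)
        if u is None:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, u.session_generation, self.now())
        return token

    def current_user(self, token: str) -> Optional[User]:
        """Resolve a session token; any state change since login kills it."""
        s = self.sessions.get(token)
        if s is None:
            return None
        u = self.users.get(s.username)
        if u is None or u.deleted or u.locked or s.generation != u.session_generation:
            self.sessions.pop(token, None)  # drop the stale session server-side
            return None
        return u

    def reauthenticate(self, token: str, password: str) -> bool:
        """Step-up: the user re-proves the password on an existing session."""
        u = self.current_user(token)
        if u is None or self._verify(u.username, password) is None:
            return False
        self.sessions[token].last_auth_at = self.now()
        return True

    def _require_recent_auth(self, token: str) -> User:
        u = self.current_user(token)
        if u is None:
            raise PermissionError("no valid session")
        if self.now() - self.sessions[token].last_auth_at > REAUTH_WINDOW_SECONDS:
            raise PermissionError("re-authentication required")
        return u

    def change_password(self, token: str, new_password: str) -> None:
        u = self._require_recent_auth(token)  # sensitive op: fresh auth needed
        u.salt = secrets.token_bytes(16)
        u.pw_hash = _hash_pw(new_password, u.salt)
        u.session_generation += 1  # every session, including this one, is now invalid

    def lock(self, username: str) -> None:  # administrative action
        u = self.users[username]
        u.locked = True
        u.session_generation += 1

    def delete(self, username: str) -> None:
        u = self.users[username]
        u.deleted = True
        u.session_generation += 1
```

The generation counter avoids having to enumerate and delete every session a user holds across devices: the change is one integer write on the account, and each stale session is rejected the next time it is presented. A password recovery flow would call the same generation bump after setting the new password, so a session hijacked before the reset cannot survive it.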

References

  1. OWASP-ASVS v3.1-2.26: Verify that sensitive operations (e.g. change password, change email address, add new biller, etc.) require re-authentication (e.g. password or 2FA token). This is in addition to CSRF measures, not instead.

  2. NIST 800-53 IA-11 Re-authentication: The organization requires users and devices to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication].
