R153. Out of band transactions

Requirement

The system must offer secure out of band authenticators, such as push notifications. Clear text options such as SMS, email or PSTN may be offered, but they must not be the default option.

Description

Secure out of band authenticators are physical devices that can communicate with an authentication verifier over a secure secondary channel. They serve as an additional security measure for identity assertion during authentication processes or sensitive transactions. Systems should offer at least one out of band authenticator and the default option should not be a clear text one.
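As an added illustration, not part of the original requirement page, the following Python sketch shows the verifier side of this requirement: enrolled methods are offered with the secure push channel first and restricted clear text channels last, and an out-of-band approval is accepted only if it is bound to the user and the transaction the user saw, arrives before the challenge expires, and is used once. The per-device shared secret, the approval format and the in-memory store are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Secure channels are offered before restricted (clear text) ones, per ASVS 2.7.1.
SECURE_OOB = ("push",)
RESTRICTED_OOB = ("sms", "email", "pstn")


def order_authenticators(enrolled):
    """Order a user's enrolled OOB methods: secure channel first, clear text last."""
    secure = [m for m in SECURE_OOB if m in enrolled]
    restricted = [m for m in RESTRICTED_OOB if m in enrolled]
    return secure + restricted


@dataclass
class OobVerifier:
    device_key: bytes          # assumed per-device secret shared at enrolment
    ttl: float = 120.0         # seconds a pending challenge stays valid
    pending: dict = field(default_factory=dict)

    def start(self, user, transaction, now=None):
        """Create a single-use challenge bound to the user and the transaction summary.
        The challenge id and summary go to the device over the push channel."""
        now = time.time() if now is None else now
        challenge_id = secrets.token_hex(16)
        self.pending[challenge_id] = (user, transaction, now + self.ttl)
        return challenge_id

    def device_approve(self, challenge_id, transaction):
        """Simulated authenticator device: approves by MACing the challenge together
        with the transaction text shown to the user (constructed for the example)."""
        msg = f"{challenge_id}|{transaction}".encode()
        return hmac.new(self.device_key, msg, hashlib.sha256).hexdigest()

    def verify(self, challenge_id, user, transaction, approval, now=None):
        """Accept the approval only if the challenge is unused, unexpired and bound
        to this user and this exact transaction."""
        now = time.time() if now is None else now
        entry = self.pending.pop(challenge_id, None)   # pop enforces single use
        if entry is None:
            return False
        bound_user, bound_txn, expires = entry
        if now > expires or bound_user != user or bound_txn != transaction:
            return False
        msg = f"{challenge_id}|{transaction}".encode()
        expected = hmac.new(self.device_key, msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, approval)
```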

References

  1. CWE-287: Improper Authentication. When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

  2. CWE-319: Cleartext Transmission of Sensitive Information. The software transmits sensitive or security-critical data in clear text in a communication channel that can be sniffed by unauthorized actors.

  3. CWE-523: Unprotected Transport of Credentials. Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.

  4. OWASP-ASVS v4.0.1 V2.7 Out of Band Verifier Requirements (2.7.1). Verify that clear text out of band (NIST "restricted") authenticators, such as SMS or PSTN, are not offered by default, and that stronger alternatives such as push notifications are offered first.

  5. OWASP-ASVS v4.0.1 V2.7 Out of Band Verifier Requirements (2.7.4). Verify that the out of band authenticator and verifier communicate over a secure independent channel.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.