R237. Ascertain human interaction
The system must guarantee that the registration, authentication and password recovery actions are performed by a human. This can be achieved using CAPTCHA or incremental delays.
Authentication forms are exposed to several attacks that are usually carried out by bots or automated tools (credential stuffing, brute force, mass registration). To reduce the effectiveness of these attacks, the system must implement mechanisms that help ensure that the entity it is interacting with is a human being.
CWE-287: Improper Authentication. When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
CWE-307: Improper Restriction of Excessive Authentication Attempts. The software does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.
CWE-799: Improper Control of Interaction Frequency. The software does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.
CWE-804: Guessable CAPTCHA. The software uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.
OWASP-ASVS v4.0.1 V1.2 Authentication Architectural Requirements (1.2.4): Verify that all authentication pathways and identity management APIs implement consistent authentication security control strength, such that there are no weaker alternatives per the risk of the application.
OWASP-ASVS v4.0.1 V2.2 General Authenticator Requirements (2.2.1): Verify that anti-automation controls are effective at mitigating breached credential testing, brute force, and account lockout attacks. Such controls include blocking the most common breached passwords, soft lockouts, rate limiting, CAPTCHA, ever increasing delays between attempts, IP address restrictions, or risk-based restrictions such as location, first login on a device, recent attempts to unlock the account, or similar. Verify that no more than 100 failed attempts per hour is possible on a single account.
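The following is an added example, not code from this requirement or from any referenced standard, of the "incremental delays" control mentioned above combined with the ASVS 2.2.1 ceiling of 100 failed attempts per hour on a single account. It tracks failures per account name, doubles the mandatory wait after each failure (capped at 60 seconds, an assumed value), and refuses further attempts once 100 failures fall within a sliding one-hour window. The account names, the ManualClock and the simulation functions are constructed for demonstration so the behaviour can be observed without real waiting.

```python
import time
from collections import defaultdict, deque

# Assumed policy values for this example. The 100-per-hour figure comes from
# ASVS 2.2.1; the base delay and cap are illustrative choices.
MAX_FAILED_PER_HOUR = 100
BASE_DELAY_SECONDS = 1.0
MAX_DELAY_SECONDS = 60.0
WINDOW_SECONDS = 3600


class AttemptLimiter:
    """Per-account anti-automation control: exponential delay + hourly cap."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        # account -> timestamps of failures inside the current window
        self._failures = defaultdict(deque)
        # account -> earliest time at which the next attempt is accepted
        self._next_allowed = defaultdict(float)

    def _prune(self, account, now):
        """Drop failures that are older than the sliding window."""
        q = self._failures[account]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()

    def check(self, account):
        """Return (allowed, seconds_to_wait) for an attempt on `account`."""
        now = self._clock()
        self._prune(account, now)
        failures = self._failures[account]
        if len(failures) >= MAX_FAILED_PER_HOUR:
            # Hard ceiling reached: refuse until the oldest failure ages out.
            return False, WINDOW_SECONDS - (now - failures[0])
        if now < self._next_allowed[account]:
            # Still inside the incremental delay from the last failure.
            return False, self._next_allowed[account] - now
        return True, 0.0

    def record_failure(self, account):
        """Register a failed attempt and return the delay imposed on the next one."""
        now = self._clock()
        self._prune(account, now)
        q = self._failures[account]
        q.append(now)
        # 1s, 2s, 4s, 8s ... capped, so a bot cannot iterate a wordlist quickly.
        delay = min(BASE_DELAY_SECONDS * (2 ** (len(q) - 1)), MAX_DELAY_SECONDS)
        self._next_allowed[account] = now + delay
        return delay

    def record_success(self, account):
        """A successful authentication resets the account's counters."""
        self._failures.pop(account, None)
        self._next_allowed.pop(account, None)


class ManualClock:
    """Constructed clock so the limiter can be exercised without sleeping."""

    def __init__(self, start=0.0):
        self.now = start

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


def simulate_rapid_failures(n):
    """Constructed scenario: one client fails n times as fast as the limiter permits.

    Returns the list of delays imposed and the total simulated time elapsed.
    """
    clock = ManualClock()
    limiter = AttemptLimiter(clock)
    delays = []
    for _ in range(n):
        allowed, wait = limiter.check("alice")
        if not allowed:
            clock.advance(wait)  # the client waits exactly as long as required
        delays.append(limiter.record_failure("alice"))
    return delays, clock.now


def cap_scenario(failures, wait_after):
    """Constructed scenario: `failures` failures at t=0, then one check after waiting."""
    clock = ManualClock()
    limiter = AttemptLimiter(clock)
    for _ in range(failures):
        limiter.record_failure("bob")
    clock.advance(wait_after)
    return limiter.check("bob")[0]


if __name__ == "__main__":
    print(simulate_rapid_failures(7))   # delays grow 1, 2, 4 ... then cap at 60
    print(cap_scenario(100, 3599), cap_scenario(100, 3600))
```

Keying the limiter on the account name rather than on the client address is deliberate: a distributed bot rotating source addresses still hits the same per-account counters, which is what the 100-per-hour requirement is about. In a real deployment the counters would live in shared storage (not process memory) and the same check would be applied to the registration and password recovery endpoints, since the requirement covers all three flows.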