Out of Band Verifier
V2.7.1
Verify that clear text out of band (NIST "restricted") authenticators, such as SMS or PSTN, are not offered by default, and stronger alternatives such as push notifications are offered first.
Level 1 required: True
Level 2 required: True
Level 3 required: True
CWE: 287
V2.7.2
Verify that the out of band verifier expires out of band authentication requests, codes, or tokens after 10 minutes.
Level 1 required: True
Level 2 required: True
Level 3 required: True
CWE: 287
V2.7.3
Verify that the out of band verifier authentication requests, codes, or tokens are only usable once, and only for the original authentication request.
Level 1 required: True
Level 2 required: True
Level 3 required: True
CWE: 287
V2.7.4
Verify that the out of band authenticator and verifier communicates over a secure independent channel.
Level 1 required: True
Level 2 required: True
Level 3 required: True
CWE: 523
V2.7.5
Verify that the out of band verifier retains only a hashed version of the authentication code.
Level 1 required: False
Level 2 required: True
Level 3 required: True
CWE: 256
V2.7.6
Verify that the initial authentication code is generated by a secure random number generator, containing at least 20 bits of entropy (typically a six digital random number is sufficient).
Level 1 required: False
Level 2 required: True
Level 3 required: True
CWE: 310
Disclaimer:
Credit via OWASP ASVS. For more information visit The OWASP ASVS Project or Github respository.. OWASP ASVS is under the Creative Commons Attribution-Share Alike v3.0 license.
