Manage concurrent sessions
Summary
The system must either inform users of concurrent sessions on their account or limit how many sessions an account may hold at once.
Description
A system that issues authenticated sessions bound to individual users may still allow several simultaneous sessions under the same credentials. This exposes the service, its data and its users to risk: an attacker holding stolen credentials can operate alongside the legitimate user without either the user or the system noticing, which leads to undetected identity theft, unauthorized actions carried out in the user's name (impersonation), and a loss of traceability, since the impersonated user's own actions can no longer be distinguished from the attacker's. The system should therefore bound the number of live sessions per account, or at least make the existence of other active sessions visible to the user and let them revoke those sessions.
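The control described above, as an added example written for this page (it is not Fluid Attacks' code and does not describe any product's implementation): a session manager that caps the number of live sessions per account, either evicting the oldest session or refusing the new login, and records an audit event for every concurrent login, eviction and revocation so the user can be informed. The in-memory dictionary stands in for a real session store, the `device` string is a hypothetical client fingerprint, and only a SHA-256 hash of each bearer token is kept server-side.

```python
"""Concurrent-session control with audit trail.

Example code for this requirement, not a vendor implementation. Assumes the
caller has already authenticated the user; this class only issues, bounds,
validates and revokes session tokens.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Session:
    token_hash: str   # SHA-256 of the bearer token; the raw token is never stored
    user: str
    device: str       # hypothetical client fingerprint (e.g. UA/IP summary)
    created: float
    last_seen: float


class SessionManager:
    """Allow at most `max_sessions` live sessions per user.

    policy="evict_oldest": a login beyond the limit revokes the oldest session.
    policy="reject": a login beyond the limit is refused until the user revokes one.
    Every concurrent login, eviction and revocation is appended to `audit`
    as (event, user, detail) so it can be shown to the user or shipped to a SIEM.
    """

    def __init__(self, max_sessions: int = 2, policy: str = "evict_oldest",
                 clock: Callable[[], float] = time.time):
        if policy not in ("evict_oldest", "reject"):
            raise ValueError("unknown policy")
        self.max_sessions = max_sessions
        self.policy = policy
        self.clock = clock
        self._sessions: Dict[str, Session] = {}          # token_hash -> Session
        self.audit: List[Tuple[str, str, str]] = []

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def active_sessions(self, user: str) -> List[Session]:
        """Sessions for `user`, oldest first (what a 'your devices' page would show)."""
        return sorted((s for s in self._sessions.values() if s.user == user),
                      key=lambda s: s.created)

    def login(self, user: str, device: str) -> str:
        existing = self.active_sessions(user)
        if len(existing) >= self.max_sessions:
            if self.policy == "reject":
                self.audit.append(("login_rejected_limit", user, device))
                raise PermissionError(f"{user} already has {len(existing)} active sessions")
            oldest = existing[0]
            del self._sessions[oldest.token_hash]
            self.audit.append(("session_evicted", user, oldest.device))
        if existing:
            # Another session is live while this one opens: record it so the user is informed.
            self.audit.append(("concurrent_login", user, device))
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[self._hash(token)] = Session(self._hash(token), user, device, now, now)
        return token

    def validate(self, token: str) -> Optional[Session]:
        """Return the session for a bearer token, or None if unknown/revoked."""
        s = self._sessions.get(self._hash(token))
        if s is not None:
            s.last_seen = self.clock()
        return s

    def revoke(self, token: str) -> bool:
        s = self._sessions.pop(self._hash(token), None)
        if s is not None:
            self.audit.append(("session_revoked", s.user, s.device))
        return s is not None

    def revoke_all_others(self, token: str) -> int:
        """User-facing 'sign out everywhere else'; returns how many sessions were closed."""
        s = self.validate(token)
        if s is None:
            return 0
        others = [h for h, o in self._sessions.items()
                  if o.user == s.user and h != s.token_hash]
        for h in others:
            del self._sessions[h]
        if others:
            self.audit.append(("sessions_revoked_others", s.user, str(len(others))))
        return len(others)


if __name__ == "__main__":
    mgr = SessionManager(max_sessions=2)
    laptop = mgr.login("alice", "laptop")
    phone = mgr.login("alice", "phone")
    tablet = mgr.login("alice", "tablet")   # evicts the laptop session
    print("laptop still valid:", mgr.validate(laptop) is not None)
    print("closed others:", mgr.revoke_all_others(tablet))
    print(mgr.audit)
```

Whichever policy is chosen, the audit entries are the part that satisfies "informed": the `concurrent_login` and `session_evicted` events are what a login-notification email or an account "active devices" page would be built on, and `revoke_all_others` is the corresponding user-side control.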
Supported In
This requirement is verified in the following services:
| Plan | Supported |
|---|---|
| Machine | 🔴 |
| Squad | 🟢 |
References
- CAPEC™-227. Sustained client engagement
- NIST 800-63B-7_1. Session bindings
- OWASP TOP 10-A7. Identification and authentication failures
- NIST Framework-PR_AC-1. Identities and credentials are issued, managed, verified, revoked and audited for authorized devices, users and processes
- NYDFS-500_10. Cybersecurity personnel and intelligence
- MITRE ATT&CK®-M1018. User account management
- MITRE ATT&CK®-M1026. Privileged account management
- PA-DSS-10_2_3. Remote access to customer's payment applications must be implemented securely
- PDPO-6_31. Matching procedure request
- CMMC-SC_L2-3_13_7. Split tunneling
- FedRAMP-AC-10. Concurrent session control
- FedRAMP-IA-5_8. Authenticator management - Multiple information system accounts
- ISA/IEC 62443-UC-2_7. Concurrent session control
- WASSEC-3_1. Session management capabilities
- WASSEC-4_1_5. Supporting concurrent sessions
- OWASP SCP-3. Authentication and password management
- OWASP SCP-4. Session management