One-time passwords (OTP) must have a maximum lifespan of 60 seconds.
OTPs are tokens that help hinder phishing (impersonation) attacks. They should be generated using secure cryptographic algorithms, be sent over a protected channel, and have a short lifespan that accounts for network delay and entry time. Furthermore, it should only be possible to use each of them once within its validity period.
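A minimal verifier that enforces these properties (unpredictable generation, a 60-second lifespan, single use), added here as an illustrative example rather than code from the original page; the in-memory store, the server-side key and the failed-attempt cap are assumptions of this example:

```python
import hashlib
import hmac
import secrets
import time

OTP_LIFETIME_SECONDS = 60   # maximum lifespan stated by the requirement
OTP_DIGITS = 6
MAX_FAILED_ATTEMPTS = 3     # assumed value: caps guessing inside the 60 s window

# Assumed for this example: in a real deployment the key comes from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def _digest(user_id, code):
    """Keyed hash of the code so the store never holds the OTP in plaintext."""
    return hmac.new(SERVER_KEY, f"{user_id}:{code}".encode(), hashlib.sha256).digest()


class OtpStore:
    """In-memory OTP verifier (assumed; production would use a shared store)."""

    def __init__(self, lifetime=OTP_LIFETIME_SECONDS, clock=time.time):
        self._lifetime = lifetime
        self._clock = clock            # injectable so expiry can be tested
        self._entries = {}             # user_id -> {digest, issued_at, failures}

    def issue(self, user_id):
        # secrets, not random: the code must be unpredictable
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        # Issuing a new code replaces any outstanding one for the user
        self._entries[user_id] = {"digest": _digest(user_id, code),
                                  "issued_at": self._clock(), "failures": 0}
        return code   # deliver over a protected channel (e.g. TLS, push)

    def verify(self, user_id, candidate):
        entry = self._entries.get(user_id)
        if entry is None:              # never issued, already used, or expired
            return False
        if self._clock() - entry["issued_at"] > self._lifetime:
            del self._entries[user_id]  # past 60 s: discard, never accept
            return False
        if not hmac.compare_digest(entry["digest"], _digest(user_id, str(candidate))):
            entry["failures"] += 1
            if entry["failures"] >= MAX_FAILED_ATTEMPTS:
                del self._entries[user_id]   # invalidate instead of allowing guesses
            return False
        del self._entries[user_id]     # single use: consume on success
        return True
```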
This requirement is verified in the following services
- NIST 800-63B-5_1_4_2. Single-factor OTP verifiers
- OWASP TOP 10-A7. Identification and authentication failures
- SANS 25-14. Improper Authentication
- CMMC-IA_L2-3_5_5. Identifier reuse
- ISA/IEC 62443-CR-1_7-RE_2. Password lifetime restrictions for all users
- NIST 800-171-5_2. Authenticate or verify the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems
- CWE TOP 25-287. Improper authentication
- OWASP ASVS-2_2_6. General authenticator security
- OWASP ASVS-2_5_6. Credential recovery
- OWASP ASVS-2_8_1. One time verifier
- PCI DSS-8_3_5. Initial or reset password or passphrase used by authorized user
- SIG Core-U_1_9_13. Server security
- Resolution SB 2021 2126-Art_30_8. Security in Electronic Channels - Digital Banking
- 401. Insecure service configuration - AKV Secret Expiration
- 403. Insecure service configuration - usesCleartextTraffic