The system must offer secure out of band authenticators, such as push notifications. Clear text options such as SMS, mailing or PSTN may be offered but should not be the default option.
Secure out of band authenticators are physical devices that can communicate with an authentication verifier over a secure secondary channel. They serve as an additional security measure for identity assertion during authentication processes or sensitive transactions. Systems should offer at least one out of band authenticator and the default option should not be a clear text one.
CWE-287: Improper Authentication: When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
CWE-319: Cleartext Transmission of Sensitive Information: The software transmits sensitive or security-critical data in clear text in a communication channel that can be sniffed by unauthorized actors.
CWE-523: Unprotected Transport of Credentials: Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.
OWASP Top 10 A2:2017-Broken Authentication: Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
OWASP-ASVS v4.0.1 V2.7 Out of Band Verifier Requirements.(2.7.1): Verify that clear text out of band (NIST "restricted") authenticators, such as SMS or PSTN, are not offered by default, and stronger alternatives such as push notifications are offered first.
OWASP-ASVS v4.0.1 V2.7 Out of Band Verifier Requirements.(2.7.4): Verify that the out of band authenticator and verifier communicates over a secure independent channel.
PCI DSS v3.2.1 - Requirement 6.5.10: Address common coding vulnerabilities in software-development processes such as broken authentication and session management.