The system must guarantee that the person performing the password recovery or reset process is actually the owner.
Systems must have mechanisms that enable users to update and recover their passwords while guaranteeing the authenticity of the request. In the case of a password update, the system must request both the new and the old passwords. If the user wants to recover a lost or forgotten password, the system must ascertain the user's ownership of the corresponding account.
CWE-345: Insufficient Verification of Data Authenticity: The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
CWE-602: Client-Side Enforcement of Server-Side Security: The software is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.
CWE-620: Unverified Password Change: When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication.
CWE-640: Weak Password Recovery Mechanism for Forgotten Password: The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
OWASP Top 10 A2:2017-Broken Authentication: Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
OWASP-ASVS v4.0.1 V1.4 Access Control Architectural Requirements.(1.4.1): Verify that trusted enforcement points such as at access control gateways, servers, and serverless functions enforce access controls. Never enforce access controls on the client.
OWASP-ASVS v4.0.1 V2.1 Password Security Requirements.(2.1.6): Verify that password change functionality requires the user's current and new password.
OWASP-ASVS v4.0.1 V2.5 Credential Recovery Requirements.(2.5.6): Verify forgotten password, and other recovery paths use a secure recovery mechanism, such as TOTP or other soft token, mobile push, or another offline recovery mechanism.
OWASP-ASVS v4.0.1 V4.1 General Access Control Design.(4.1.1): Verify that the application enforces access control rules on a trusted service layer, especially if client-side access control is present and could be bypassed.
PCI DSS v3.2.1 - Requirement 6.5.10: Address common coding vulnerabilities in software-development processes such as broken authentication and session management.
PCI DSS v3.2.1 - Requirement 8.2.2: Verify user identity before modifying any authentication credential. For example, performing password resets, provisioning new tokens, or generating new keys.