Define out of band token lifespan

Summary

The system must expire out of band authentication requests, codes or tokens after 10 minutes and should only allow them to be used once within this period.

Description

Secure out of band authenticators are physical devices that can communicate with an authentication verifier over a secure secondary channel. They serve as an additional security measure for identity assertion during authentication processes or sensitive transactions. Systems should expire out of band tokens after 10 minutes and allow them to be used only once within this period to prevent replay attacks.

Supported In

This requirement is verified in following services

Plan	Supported
Machine	🔴
Squad	🟢

References

• CWE™-294. Authentication bypass by capture-replay
• NIST 800-63B-5_1_3_2. Out-of-band verifiers
• OWASP TOP 10-A7. Identification and authentication failures
• OWASP-M TOP 10-M4. Insecure authentication
• PA-DSS-1_1_1. Do not store full contents of any track from the magnetic stripe
• PA-DSS-1_1_2. Do not store the card verification value or code used to verify transactions
• PA-DSS-1_1_4. Securely delete any track data, card verification values or codes, and PINs or PIN block data stored by application in accordance with industry-accepted standards
• SANS 25-14. Improper Authentication
• CMMC-IA_L2-3_5_5. Identifier reuse
• HITRUST CSF-09_y. On-line transactions
• FedRAMP-MP-5. Media transport
• FedRAMP-SC-10. Network disconnect
• ISA/IEC 62443-CR-1_1-RE_1. Unique identification and authentication
• WASSEC-3_4. Session token refresh policy
• OSSTMM3-8_7_2. Physical security (controls verification) - Confidentiality
• WASC-W_47. Insufficient session expiration
• OWASP Top 10 Privacy Risks-P8. Missing or insufficient session expiration
• OWASP MASVS-V4_7. Authentication and session management requirements
• SWIFT CSCF-5_2. Token management
• OWASP ASVS-2_7_2. Out of band verifier
• OWASP ASVS-2_7_3. Out of band verifier
• CASA-2_7_2. Out of Band Verifier
• CASA-2_7_3. Out of Band Verifier

Vulnerabilities

• 322. Insecurely generated token - Lifespan

free trial

Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.