The system must expire out of band authentication requests, codes or tokens after 10 minutes and should only allow them to be used once within this period.
Secure out of band authenticators are physical devices that can communicate with an authentication verifier over a secure secondary channel. They serve as an additional security measure for identity assertion during authentication processes or sensitive transactions. Systems should expire out of band tokens after 10 minutes and allow them to be used only once within this period to prevent replay attacks.
CWE-287: Improper Authentication: When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
CWE-294: Authentication Bypass by Capture-replay: A capture-replay flaw exists when the design of the software makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).
CWE-613: Insufficient Session Expiration: Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization.
NIST 800-63B 18.104.22.168 Out-of-Band Verifiers: In all cases, the authentication SHALL be considered invalid if not completed within 10 minutes.
NIST 800-63B 22.214.171.124 Out-of-Band Verifiers: In order to provide replay resistance as described in Section 5.2.8, verifiers SHALL accept a given authentication secret only once during the validity period.
OWASP Top 10 A2:2017-Broken Authentication: Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
OWASP-ASVS v4.0.1 V2.7 Out of Band Verifier Requirements.(2.7.2): Verify that the out of band verifier expires out of band authentication requests, codes, or tokens after 10 minutes.
OWASP-ASVS v4.0.1 V2.7 Out of Band Verifier Requirements.(2.7.3): Verify that the out of band verifier authentication requests, codes, or tokens are only usable once, and only for the original authentication request.
PCI DSS v3.2.1 - Requirement 6.5.10: Address common coding vulnerabilities in software-development processes such as broken authentication and session management.