The system must invalidate previously generated OTPs when the generation of a new one is triggered.
One-time passwords (OTPs) are secrets used during operations that need added security or as part of user enrollment processes. Despite their short lifespan, only one OTP should be valid at any given time, and therefore, all previous OTPs should be invalidated whenever a new one is generated.
This requirement is verified in following services
- OWASP TOP 10-A7. Identification and authentication failures
- SANS 25-14. Improper Authentication
- OWASP ASVS-2_2_6. General authenticator security
- OWASP ASVS-2_8_4. One time verifier
- PCI DSS-8_3_5. Initial or reset password or passphrase used by authorized user
- Resolution SB 2021 2126-Art_30_8. Security in Electronic Channels - Digital Banking
Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.