The system must associate each secondary authentication mechanism with a single account.
Single-factor authentication mechanisms often offer poor security due to the weak, common or easy-to-guess passwords that users tend to set. Secondary authentication mechanisms, such as physical or logical security tokens, smart cards and certificates, help guarantee the identity of actors trying to authenticate. However, their value highly decreases when they are shared by multiple accounts.
CWE-287: Improper Authentication: When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
OWASP Top 10 A2:2017-Broken Authentication: Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
OWASP-ASVS v4.0.1 V1.2 Authentication Architectural Requirements.(1.2.4): Verify that all authentication pathways and identity management APIs implement consistent authentication security control strength, such that there are no weaker alternatives per the risk of the application.
PCI DSS v3.2.1 - Requirement 6.5.10: Address common coding vulnerabilities in software-development processes such as broken authentication and session management.
PCI DSS v3.2.1 - Requirement 8.5: Do not use group, shared, or generic IDs, passwords, or other authentication methods.
PCI DSS v3.2.1 - Requirement 8.6: Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts.