122 – Validate credential ownership
Summary
The system must validate that the given credentials (email, phone number, etc.) actually belong to the user that claimed ownership of them.
Description
An email address, phone number or similar identifier supplied at registration, on a profile update or during account recovery is only a claim until the user proves possession of it, typically by returning a one-time code or link that the system sent to that exact address. If the identifier is accepted without that proof, an attacker can attach an address they do not control to their own account, or an address they do control to someone else's, and then receive password-reset links and security notifications, or interfere with recovery for the address's legitimate owner. The system must therefore treat such identifiers as unverified until the challenge sent to them is answered, and must not rely on them for authentication, recovery or sensitive notifications before that.
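The following is an added example of the proof-of-possession check described above; it is illustrative code written for this page, not code from the requirement's source project. It assumes an in-memory store (a real deployment persists it) and leaves delivery of the code to the claimed email or phone to the caller. The code is bound to the (user, identifier) pair, only its hash is stored, it expires, it is single use, and guesses are capped.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for this example.
CODE_TTL_SECONDS = 600  # a pending code is valid for ten minutes
MAX_ATTEMPTS = 5        # wrong guesses allowed before the code is voided


@dataclass
class PendingVerification:
    user_id: str
    identifier: str     # the claimed email address or phone number
    code_hash: bytes    # SHA-256 of the one-time code; the code itself is never stored
    expires_at: float
    attempts: int = 0


class OwnershipVerifier:
    """Tracks which identifiers a user has proved to own.

    Constructed in-memory store for illustration; `clock` is injectable so
    expiry can be tested without waiting.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending: dict[str, PendingVerification] = {}
        self._verified: dict[str, set[str]] = {}  # user_id -> normalized identifiers

    @staticmethod
    def _normalize(identifier: str) -> str:
        return identifier.strip().lower()

    def _key(self, user_id: str, identifier: str) -> str:
        # Binding the code to both the user and the identifier means a code
        # issued for one address cannot confirm a different address or user.
        return f"{user_id}\x00{self._normalize(identifier)}"

    @staticmethod
    def _hash(code: str) -> bytes:
        return hashlib.sha256(code.encode("utf-8")).digest()

    def start(self, user_id: str, identifier: str) -> str:
        """Issue a fresh one-time code for the claimed identifier.

        Returns the code so the caller can deliver it to that identifier
        (email/SMS). Re-issuing replaces any earlier pending code.
        """
        code = f"{secrets.randbelow(10**8):08d}"  # 8 random decimal digits
        self._pending[self._key(user_id, identifier)] = PendingVerification(
            user_id=user_id,
            identifier=self._normalize(identifier),
            code_hash=self._hash(code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        return code

    def confirm(self, user_id: str, identifier: str, code: str) -> bool:
        """Mark the identifier verified only if the exact pending code is presented."""
        key = self._key(user_id, identifier)
        pending = self._pending.get(key)
        if pending is None:
            return False
        if self._clock() > pending.expires_at:
            del self._pending[key]
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[key]  # too many guesses: void the code entirely
            return False
        if not hmac.compare_digest(pending.code_hash, self._hash(code)):
            return False
        del self._pending[key]  # single use: a replayed code must not work
        self._verified.setdefault(user_id, set()).add(pending.identifier)
        return True

    def is_verified(self, user_id: str, identifier: str) -> bool:
        """Callers gate recovery and notifications on this, never on the raw claim."""
        return self._normalize(identifier) in self._verified.get(user_id, set())
```

Password reset, login by email and similar flows should consult `is_verified` rather than the identifier the user typed; a code delivered to one address and returned by a different user, or after expiry, or a second time, is rejected.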
Supported In
Essential: True
Advanced: True
References
- CWE-287. Improper authentication
- CAPEC-654. Credential Prompt Impersonation
- OWASP10-A7. Identification and authentication failures
- SOC2-CC6_2. Logical and physical access controls
- MITRE-M1043. Credential access protection
- SANS25-13. Improper authentication
- POPIA-3A_23. Access to personal information
- PDPO-S1_4. Security of personal data
- CMMC-IA_L1-3_5_2. Authentication
- HITRUST-10_c. Control of internal processing
- FERPA-D_31_c. Conditions of prior consent required to disclose information
- NISTSSDF-PW_1_1. Design software to meet security requirements and mitigate security risks
- MVSP-2_4. Application design controls - Password policy
- BSAFSS-IA_1-1. Software development environment authenticates users and operators
- CWE25-287. Improper authentication
- ASVS-4_3_1. Other access control considerations
- CASA-2_10_1. Service Authentication
- CASA-4_3_1. Other Access Control Considerations
- OWASPMASVS-AUTH-1. The app uses secure authentication and authorization protocols and follows the relevant best practices
- NIST-PR_AA-01. Identities and credentials for authorized users, services, and hardware are managed by the organization
Weaknesses
- 103 – Insufficient data authenticity validation - APK signing
- 327 – Insufficient data authenticity validation - Images
- 355 – Insufficient data authenticity validation - Checksum verification
- 377 – Insufficient data authenticity validation - Device Binding
- 382 – Insufficient data authenticity validation - Front bypass
- 389 – Insufficient data authenticity validation - JAR signing
Last updated
2024/03/05