Define OTP lifespan
Summary
One-time passwords (OTP) must have a maximum lifespan of 60 seconds.
Description
OTPs are tokens that help hinder phishing (impersonation) attacks. They should be generated using secure cryptographic algorithms, be sent over a protected channel and have a short lifespan that considers network delay and entry time. Furthermore, it should only be possible to use them once within their validity period.
References
- NIST80063-5_1_4_2. Single-factor OTP verifiers
- OWASP10-A7. Identification and authentication failures
- SANS25-13. Improper authentication
- CMMC-IA_L2-3_5_5. Identifier reuse
- IEC62443-CR-1_7-RE_2. Password lifetime restrictions for all users
- NIST800171-5_2. Authenticate or verify the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems
- CWE25-287. Improper authentication
- ASVS-2_2_6. General authenticator security
- ASVS-2_5_6. Credential recovery
- ASVS-2_8_1. One time verifier
- PCI-8_3_5. Initial or reset password or passphrase used by authorized user
- SIG-U_1_9_13. Server security
- RESOLSB-Art_30_8. Security in Electronic Channels - Digital Banking
Weaknesses
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.