140 – Define OTP lifespan

Summary

One-time passwords (OTP) must have a maximum lifespan of 60 seconds.

Description

OTPs are tokens that help hinder phishing (impersonation) attacks. They should be generated using secure cryptographic algorithms, be sent over a protected channel and have a short lifespan that considers network delay and entry time. Furthermore, it should only be possible to use them once within their validity period.

Supported In

Essential: True

Advanced: True

References

• NIST80063-5_1_4_2. Single-factor OTP verifiers
• OWASP10-A7. Identification and authentication failures
• SANS25-13. Improper authentication
• CMMC-IA_L2-3_5_5. Identifier reuse
• IEC62443-CR-1_7-RE_2. Password lifetime restrictions for all users
• NIST800171-5_2. Authenticate or verify the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems
• CWE25-287. Improper authentication
• ASVS-2_2_6. General authenticator security
• ASVS-2_5_6. Credential recovery
• ASVS-2_8_1. One time verifier
• PCI-8_3_5. Initial or reset password or passphrase used by authorized user
• SIG-U_1_9_13. Server security
• RESOLSB-Art_30_8. Security in Electronic Channels - Digital Banking

Weaknesses

• 401 – Insecure service configuration - AKV Secret Expiration
• 403 – Insecure service configuration - usesCleartextTraffic

Last updated

2023/09/18