235 – Define credential interface

Summary

The authentication must have a separate interface for on-screen credentials input.

Description

This requirements suggests that there should be a separated user interface element for users to input their authentication credentials. The separation of the interface helps to mitigate the risk of credential exposure.

Supported In

Essential: True

Advanced: True

References

• NIST80053-SC-3. Security function isolation
• OWASP10-A5. Security misconfiguration
• HITRUST-08_b. Physical entry controls
• ISO27002-7_3. Securing offices, rooms and facilities
• WASC-W_01. Insufficient authentication
• NIST800171-1_17. Protect wireless access using authentication and encryption
• ASVS-14_1_5. Build and deploy
• CWE-1262. Improper access control for register interface
• ISO27001-7_3. Securing offices, rooms and facilities
• CASA-14_1_5. Build and Deploy
• FISMA-SC-3. Security function isolation
• OWASPMASVS-AUTH-1. The app uses secure authentication and authorization protocols and follows the relevant best practices

Weaknesses

• 240 – Authentication mechanism absence or evasion - OTP
• 241 – Authentication mechanism absence or evasion - AWS
• 242 – Authentication mechanism absence or evasion - WiFi
• 243 – Authentication mechanism absence or evasion - Admin Console
• 244 – Authentication mechanism absence or evasion - BIOS
• 298 – Authentication mechanism absence or evasion - Redirect
• 299 – Authentication mechanism absence or evasion - JFROG
• 300 – Authentication mechanism absence or evasion - Azure
• 365 – Authentication mechanism absence or evasion - Response tampering
• 370 – Authentication mechanism absence or evasion - Security Image
• 006 – Authentication mechanism absence or evasion

Last updated

2024/01/18