Simplify 2.2.1 to resolve #1763
tghosth authored Oct 15, 2024
1 parent ce41bc9 commit 07b32fd
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion 5.0/en/0x11-V2-Authentication.md
Expand Up @@ -61,7 +61,7 @@ As noted above, NIST SP 800-63 considers email as [not acceptable](https://pages

| # | Description | L1 | L2 | L3 | CWE | [NIST §](https://pages.nist.gov/800-63-3/sp800-63b.html) |
| :---: | :--- | :---: | :---: | :---: | :---: | :---: |
| **2.2.1** | [MODIFIED] Verify that anti-automation controls are effective at mitigating breached credential testing, brute force, and account lockout attacks. Such controls include blocking the most common breached passwords, soft lockouts, rate limiting, CAPTCHA, ever increasing delays between attempts, IP address restrictions, or risk-based restrictions such as location, first login on a device, recent attempts to unlock the account, or similar. More than 5 failed authentication attempts per hour for a single account should trigger some sort of reaction or alert. |||| 307 | 5.2.2 / 5.1.1.2 / 5.1.4.2 / 5.1.5.2 |
| **2.2.1** | [MODIFIED] Verify that the application prevents attacks such as credential stuffing and password brute force using rate limiting or other anti-automation and adaptive response controls and that these controls are included in security logging and alerting. |||| 307 | 5.2.2 |
| **2.2.2** | [MODIFIED, SPLIT TO 2.2.12] Verify that restricted authenticators (those using PSTN to deliver OTPs via phone or SMS) are offered only when alternate stronger methods are also offered and when the service provides information on their security risks to users. |||| 304 | 5.2.10 |
| **2.2.3** | [MODIFIED, SPLIT TO 2.2.10] Verify that users are notified after updates to authentication details, such as credential resets or modification of the username or email address. |||| 778 | 6.1.2 |
| **2.2.4** | [MODIFIED, SPLIT TO 2.2.9] Verify that a hardware-based authenticator and an authenticator that provides verifier impersonation resistance against phishing attacks (such as WebAuthn) are used. | | || 308 | 4.3.1 |
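Review bot: the rewritten 2.2.1 on the `+` line is ambiguous as worded: "Verify that the application prevents attacks such as credential stuffing and password brute force using rate limiting or other anti-automation and adaptive response controls" can be read as the attacks, not the application, using rate limiting. Suggest reordering to "Verify that the application uses rate limiting or other anti-automation and adaptive response controls to prevent attacks such as credential stuffing and password brute force, and that these controls are included in security logging and alerting." Two things from the `-` line are also lost in the simplification and are worth a deliberate decision: the old text named "account lockout attacks" (an attacker deliberately locking out victims, which a naive lockout control itself enables) and gave a concrete trigger ("More than 5 failed authentication attempts per hour for a single account should trigger some sort of reaction or alert"). The new text has no threshold a tester can verify against and no longer states that the anti-automation control must not become a denial-of-service vector; if dropping both is intended under #1763, a short caveat such as "without enabling denial of service against legitimate users" would preserve the second point cheaply. Finally, the NIST column narrows from "5.2.2 / 5.1.1.2 / 5.1.4.2 / 5.1.5.2" to "5.2.2"; confirm the three dropped section references are no longer applicable to the reworded requirement rather than lost by accident.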
