You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@@ -68,7 +68,7 @@ As noted above, NIST SP 800-63 considers email as [not acceptable](https://pages
|**2.2.5**| Verify that where a Credential Service Provider (CSP) and the application verifying authentication are separated, mutually authenticated TLS is in place between the two endpoints. ||| ✓ | 319 | 5.2.6 |
|**2.2.6**| Verify replay resistance through the mandated use of One-time Passwords (OTP) devices, cryptographic authenticators, or lookup codes. ||| ✓ | 308 | 5.2.8 |
|**2.2.7**| Verify intent to authenticate by requiring the entry of an OTP token or user-initiated action such as a button press on a FIDO hardware key. ||| ✓ | 308 | 5.2.9 |
|**2.2.8**|[ADDED] Verify that all failed authentication challenges respond in the same average response time. || ✓| ✓ |||
|**2.2.8**|[ADDED] Verify that valid users cannot be deduced from failed authentication challenges, such as based on error messages, HTTP response codes, or different response times. Registration and forgot password functionality should also have this protection. ||| ✓ |||
|**2.2.9**|[ADDED, SPLIT FROM 2.2.4] Verify that multi-factor authentication is required, that is, the application uses either a multi-factor authenticator or a combination of single-factor authenticators. || ✓ | ✓ | 308 | 4.2.1 |
|**2.2.10**|[ADDED, SPLIT FROM 2.2.3] Verify that users are notified of suspicious authentication attempts. Suspicious authentication attempts may include successful or unsuccessful authentication from an unusual location or client, partially successful authentication with only one of multiple factors, successful or unsuccessful authentication after a long period of inactivity or successful authentication after several unsuccessful attempts. || ✓ | ✓ | 778 ||
|**2.2.11**|[ADDED, SPLIT FROM 1.2.4] Verify that, if the application includes multiple authentication pathways, there are no undocumented pathways and that security controls and authentication strength are enforced consistently. || ✓ | ✓ | 306 ||
