Commit

Update 0x09-V4-Authentication_and_Session_Management_Requirements.md
Sven authored Aug 16, 2017
1 parent 5879bb6 commit 985cb10
Showing 1 changed file with 1 addition and 1 deletion.
@@ -15,7 +15,7 @@ In most cases, users logging into a remote service is an integral part of the ov
| **4.5** | A password policy exists and is enforced at the remote endpoint. |||
| **4.6** | The remote endpoint implements an exponential back-off, or temporarily locks the user account, when incorrect authentication credentials are submitted an excessive number of times. |||
| **4.7** | Biometric authentication, if any, is not event-bound (i.e. using an API that simply returns "true" or "false"). Instead, it is based on unlocking the keychain/keystore. | ||
| **4.8** | Sessions and access tokens are invalidated at the remote endpoint after a predefined period of inactivity. | ||
| **4.8** | Sessions are invalidated at the remote endpoint after a predefined period of inactivity and access tokens expire. | ||
| **4.9** | A second factor of authentication exists at the remote endpoint and the 2FA requirement is consistently enforced. | ||
| **4.10** | Sensitive transactions require step-up authentication. | ||
| **4.11** | The app informs the user of all login activities with their account. Users are able view a list of devices used to access the account, and to block specific devices. | ||
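Review bot: the rewritten 4.8 row weakens the requirement for access tokens: the old text bound both sessions and tokens to a predefined inactivity period, while "access tokens expire" states no bound at all, so a tester has nothing to verify against. Suggest keeping the bound explicit, e.g. "Sessions are invalidated at the remote endpoint after a predefined period of inactivity and access tokens expire after a predefined lifetime." The row also still ends with `| ||` while 4.5 and 4.6 end with `|||`; the trailing cell layout should be made consistent across the table in the same change.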

0 comments on commit 985cb10