ASVS Requirement 6.6.1
- Level: 2
- Chapter: V6 Authentication
- Section: V6.6 Out-of-Band authentication mechanisms
- Source: 0x15-V6-Authentication.md
Description
Verify that authentication mechanisms using the Public Switched Telephone Network (PSTN) to deliver One-time Passwords (OTPs) via phone or SMS are offered only when the phone number has previously been validated, alternate stronger methods (such as Time based One-time Passwords) are also offered, and the service provides information on their security risks to users. For L3 applications, phone and SMS must not be available as options.
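The requirement reads as a policy, but it only holds if the server enforces it at the point where an OTP is dispatched, not just in the page that lists login options. The following Python is an added example, not ASVS code or any reference implementation: it models phone-number validation as a possession check, then gates SMS/voice OTP on (a) the number being validated, (b) a stronger method being offered by the service, (c) a risk notice being attached, and (d) the application not being L3. The method names (`sms`, `voice`, `totp`, `webauthn`), the `Account` model, the notice wording and the `level` argument are all assumptions made for illustration.

```python
"""Added example: enforcing ASVS 6.6.1 for PSTN (SMS/voice) OTP delivery.

Method names, the Account model, the notice text and the level argument are
assumptions for illustration; none of this is ASVS code or a reference API.
"""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass

# Delivery methods that ride on the PSTN (weak) versus stronger alternatives (assumed names).
PSTN_METHODS = frozenset({"sms", "voice"})
STRONGER_METHODS = frozenset({"totp", "webauthn"})

# Risk information the service shows next to a PSTN option (assumed wording).
PSTN_RISK_NOTICE = (
    "Codes sent by SMS or voice call can be intercepted (for example by SIM swap "
    "or SS7 abuse). An authenticator app or security key is more secure."
)


@dataclass
class Account:
    phone_number: str | None = None
    phone_verified: bool = False
    pending_code: str | None = None  # proof-of-possession code, valid until matched or replaced


def start_phone_verification(acct: Account, number: str, send_sms) -> None:
    """Bind a phone number to the account as *unverified* and send a possession code."""
    code = f"{secrets.randbelow(10**6):06d}"
    acct.phone_number = number
    acct.phone_verified = False  # a new (or re-entered) number always restarts validation
    acct.pending_code = code
    send_sms(number, code)


def complete_phone_verification(acct: Account, submitted: str) -> bool:
    """Mark the number validated only if the submitted code matches; each code is single use."""
    if acct.pending_code is None:
        return False
    ok = hmac.compare_digest(acct.pending_code, submitted)
    acct.pending_code = None  # one attempt per code; the caller must restart on failure
    if ok:
        acct.phone_verified = True
    return ok


def pstn_otp_allowed(acct: Account, method: str, level: int,
                     service_methods: frozenset) -> bool:
    """Server-side gate for sending an OTP over the PSTN.

    Call this from the OTP-dispatch endpoint, not only when building the UI, so a
    tampered request cannot select SMS when it should not be on offer.
    """
    if method not in PSTN_METHODS:
        return False
    if level >= 3:  # L3: phone and SMS must not be available at all
        return False
    if not (service_methods & STRONGER_METHODS):  # a stronger method must also be offered
        return False
    return acct.phone_verified  # and the number must have been validated beforehand


def otp_options(acct: Account, level: int, service_methods: frozenset) -> list[dict]:
    """Build the OTP methods the login page may present, with the risk notice on PSTN ones."""
    options = [{"method": m, "notice": None}
               for m in sorted(service_methods & STRONGER_METHODS)]
    for m in sorted(service_methods & PSTN_METHODS):
        if pstn_otp_allowed(acct, m, level, service_methods):
            options.append({"method": m, "notice": PSTN_RISK_NOTICE})
    return options


if __name__ == "__main__":
    sent = []  # stand-in for the SMS gateway: captures the code instead of sending it
    acct = Account()
    service = frozenset({"totp", "sms"})
    print(otp_options(acct, 2, service))  # totp only: number not yet validated
    start_phone_verification(acct, "+15555550100", lambda n, c: sent.append(c))
    complete_phone_verification(acct, sent[-1])
    print(otp_options(acct, 2, service))  # totp plus sms carrying the risk notice
    print(otp_options(acct, 3, service))  # L3: totp only
```

Two design points worth keeping when adapting this: re-entering a phone number clears `phone_verified`, so an attacker who gains session access cannot redirect OTPs to a new number without passing the possession check again; and the gate is a function the dispatch endpoint calls, so the UI list and the server decision cannot drift apart.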