ASVS Requirement 6.8.1
- Level: 2
- Chapter: V6 Authentication
- Section: V6.8 Authentication with an Identity Provider
- Source: 0x15-V6-Authentication.md
Description
Verify that, if the application supports multiple identity providers (IdPs), the user's identity cannot be spoofed via another supported identity provider (e.g., by using the same user identifier). The standard mitigation would be for the application to register and identify the user using a combination of the IdP ID (serving as a namespace) and the user's ID in the IdP.
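The mitigation above, as an added example that is not part of the ASVS text: an account store keyed by the user identifier alone, beside one keyed by the (IdP ID, user's ID in the IdP) pair. The class names, IdP URLs and subject value are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample values (not from the ASVS text).
IDP_A = "https://idp-a.example"
IDP_B = "https://idp-b.example"
SUBJECT = "alice@example.com"

class WeakStore:
    """Before: accounts keyed by the user identifier alone."""
    def __init__(self):
        self._links = {}
    def register(self, idp_id, subject):
        return self._links.setdefault(subject, len(self._links) + 1)
    def resolve(self, idp_id, subject):
        return self._links.get(subject)  # idp_id ignored: shared namespace

@dataclass
class NamespacedStore:
    """After: accounts keyed by (IdP ID, user's ID in that IdP)."""
    supported_idps: frozenset
    _links: dict = field(default_factory=dict)

    def _key(self, idp_id, subject):
        # Exact match against the configured IdP set; no normalisation.
        if idp_id not in self.supported_idps:
            raise PermissionError(f"unsupported IdP: {idp_id!r}")
        if not subject:
            raise ValueError("empty subject")
        return (idp_id, subject)

    def register(self, idp_id, subject):
        key = self._key(idp_id, subject)
        if key in self._links:
            raise ValueError("identity already registered")
        self._links[key] = len(self._links) + 1
        return self._links[key]

    def resolve(self, idp_id, subject):
        return self._links.get(self._key(idp_id, subject))

def demo():
    weak, strong = WeakStore(), NamespacedStore(frozenset({IDP_A, IDP_B}))
    weak_acct = weak.register(IDP_A, SUBJECT)
    strong_acct = strong.register(IDP_A, SUBJECT)
    # The same identifier is now asserted by the other supported IdP.
    return {"weak_collides": weak.resolve(IDP_B, SUBJECT) == weak_acct,
            "namespaced_collides": strong.resolve(IDP_B, SUBJECT) == strong_acct}

if __name__ == "__main__":
    print(demo())
```

In a real deployment the IdP ID would be taken from the application's own configuration for the provider that handled the login, and the composite key would be enforced as a unique constraint in the account-link table.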