ASVS Requirement 6.8.4
- Level: 2
- Chapter: V6 Authentication
- Section: V6.8 Authentication with an Identity Provider
- Source: 0x15-V6-Authentication.md
Description
Verify that, if an application uses a separate Identity Provider (IdP) and expects specific authentication strength, methods, or recentness for specific functions, the application verifies this using the information returned by the IdP. For example, if OIDC is used, this might be achieved by validating ID Token claims such as 'acr', 'amr', and 'auth_time' (if present). If the IdP does not provide this information, the application must have a documented fallback approach that assumes that the minimum strength authentication mechanism was used (for example, single-factor authentication using username and password).
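As an added example (not part of the ASVS text or any reference implementation), the following Python check applies a per-function policy to the decoded ID Token claims named above and implements the fallback the requirement asks for: absent claims are treated as single-factor password authentication, never as a pass. The acr URN values, the policy structure and the function name are assumptions for illustration; the amr values follow RFC 8176; the token's signature, issuer, audience and expiry are assumed to have been validated already.

```python
import time
from dataclasses import dataclass, field
from typing import Optional

# Ordering of authentication strength, weakest first. These URNs are an
# assumption for this example; use the acr values your IdP actually issues.
ACR_STRENGTH = {
    "urn:example:acr:password": 1,
    "urn:example:acr:mfa": 2,
    "urn:example:acr:phishing-resistant": 3,
}
# Documented fallback: if the IdP says nothing, assume username + password.
MINIMUM_ACR = "urn:example:acr:password"

@dataclass(frozen=True)
class FunctionPolicy:
    min_acr: str                              # weakest acceptable acr value
    required_amr: frozenset = frozenset()     # amr values (RFC 8176) that must all be present
    max_age_seconds: Optional[int] = None     # None = no recency requirement

@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)  # empty when allowed

def check_auth_strength(claims: dict, policy: FunctionPolicy, now: Optional[float] = None) -> Decision:
    """Decide whether the authentication behind these ID Token claims satisfies policy."""
    now = time.time() if now is None else now
    reasons = []

    # acr: missing or unknown values count as the weakest level, never stronger.
    acr = claims.get("acr", MINIMUM_ACR)
    if ACR_STRENGTH.get(acr, 0) < ACR_STRENGTH[policy.min_acr]:
        reasons.append(f"acr {acr!r} weaker than required {policy.min_acr!r}")

    # amr: must be a list; anything else is treated as absent.
    amr = claims.get("amr")
    amr_set = set(amr) if isinstance(amr, list) else set()
    missing = policy.required_amr - amr_set
    if missing:
        reasons.append(f"amr missing {sorted(missing)}")

    # auth_time: a recency requirement cannot be met without a numeric auth_time.
    if policy.max_age_seconds is not None:
        auth_time = claims.get("auth_time")
        if not isinstance(auth_time, (int, float)) or isinstance(auth_time, bool):
            reasons.append("auth_time absent; cannot prove recent authentication")
        elif now - auth_time > policy.max_age_seconds:
            reasons.append(f"authenticated {int(now - auth_time)}s ago, limit {policy.max_age_seconds}s")

    return Decision(allowed=not reasons, reasons=reasons)
```

A caller would evaluate the policy for the specific function (for example a payment) at the time the function is invoked and, when `allowed` is false, send the user back to the IdP for step-up authentication rather than proceeding.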