
Authenticator Management

Several events can occur over the lifecycle of a user's authenticator that affect how that authenticator can be used. These events include authenticator registration, verification, reset, and loss. This section describes the actions to be taken in response to each of them.

🔨 Authenticator Registration

| #️⃣ | ✅ Items | ⚠️ Severity | ☠️ Vulnerabilities | 🔗 Sources |
|---|---|---|---|---|
| 1 | Verify: The website supports at least two factors<br>Reason: Two or more factors are more secure than a single factor | High | Credential Theft, Brute Force | SP800-63B |
| 3 | Verify: If a user tries to register an authenticator, they are re-authenticated using the existing factor<br>Reason: Confirms that the actual user is registering the authenticator, not someone else | High | Impersonation | SP800-63B |
| 4 | Verify: Guidelines for the type of authenticator being registered are considered<br>Reason: Ensures that the security policy specific to each authenticator type is applied | High | | SP800-63B |
| 5 | Verify: Authenticator expiration is in place<br>Reason: Prevents an attacker from keeping access indefinitely | Low | Credential Theft, Impersonation | SP800-63B |

🚦 Authenticator Verification

| #️⃣ | ✅ Items | ⚠️ Severity | ☠️ Vulnerabilities | 🔗 Sources |
|---|---|---|---|---|
| 1 | Verify: Execution stops and an "expired" message is returned if the authenticator is expired<br>Reason: Limits the use of resources | Medium | Credential Theft | SP800-63B |
| 2 | Verify: Authenticator verification happens after the Memorized Secret has been checked<br>Reason: Avoids revealing to an attacker which second factor is in use | Low | Information Leakage | SP800-63B |
| 3 | Verify: Authenticator verification must be completed within a limited time<br>Reason: Gives an attacker less time to respond | High | Impersonation, Credential Theft | SP800-63B |
| 4 | Verify: An account is locked after a certain number of failed verification attempts<br>Reason: Prevents an attacker from guessing the verification token/secret | High | Brute Force | SP800-63B |
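The four verification checks above combined into one policy routine, as an added example that is not code from this checklist or its project: an expired authenticator stops execution before anything else is evaluated, the submitted code must arrive within a bounded window after the challenge was issued, failed attempts are counted towards a lockout, and the comparison itself is constant-time. The lockout threshold, the window length, the injected clock and the in-memory account state are assumptions.

```python
"""Authenticator verification policy: expiry check first, bounded
verification window, failed-attempt lockout, constant-time comparison.

Added example for this checklist, not the page's own code. Limits, clock
injection and the in-memory state store are assumptions."""
import hmac
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict

MAX_FAILED_ATTEMPTS = 5             # assumed lockout threshold (verification item 4)
VERIFICATION_WINDOW_SECONDS = 300   # assumed: code must be entered within 5 min (item 3)


class Outcome(Enum):
    OK = "ok"
    EXPIRED = "authenticator expired"
    WINDOW_ELAPSED = "verification window elapsed"
    LOCKED = "account locked"
    INVALID = "invalid code"


@dataclass
class Authenticator:
    account: str
    secret: str                  # expected verification value for this challenge (constructed)
    expires_at: float            # unix time after which the authenticator is no longer valid
    challenge_issued_at: float   # unix time at which the verification prompt was shown


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class Verifier:
    now: Callable[[], float]     # injected clock so the policy is testable
    states: Dict[str, AccountState] = field(default_factory=dict)

    def verify(self, auth: Authenticator, submitted: str) -> Outcome:
        state = self.states.setdefault(auth.account, AccountState())
        # Cheap, non-secret checks run first and stop execution early (item 1).
        if state.locked:
            return Outcome.LOCKED
        if self.now() >= auth.expires_at:
            return Outcome.EXPIRED
        if self.now() - auth.challenge_issued_at > VERIFICATION_WINDOW_SECONDS:
            return Outcome.WINDOW_ELAPSED
        # Constant-time comparison so response time does not leak how many characters matched.
        if hmac.compare_digest(auth.secret.encode(), submitted.encode()):
            state.failed_attempts = 0
            return Outcome.OK
        state.failed_attempts += 1
        if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
            state.locked = True          # item 4: lock after too many failures
            return Outcome.LOCKED
        return Outcome.INVALID


if __name__ == "__main__":
    clock = [1000.0]
    verifier = Verifier(now=lambda: clock[0])
    alice = Authenticator("alice", "123456", expires_at=5000.0, challenge_issued_at=1000.0)
    print(verifier.verify(alice, "123456"))   # Outcome.OK
    print(verifier.verify(alice, "000000"))   # Outcome.INVALID
```

The order of the checks matters: the lockout and expiry decisions are made on stored state only, so an attacker holding a locked or expired authenticator never reaches the secret comparison, which also keeps the failure counter from being bumped by requests that were going to be rejected anyway.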

🔃 Authenticator Reset

| #️⃣ | ✅ Items | ⚠️ Severity | ☠️ Vulnerabilities | 🔗 Sources |
|---|---|---|---|---|
| 1 | Verify: The user is re-authenticated before an authenticator reset takes place<br>Reason: Ensures that the actual user is making the change, not someone else | High | Impersonation | SP800-63B |
| 2 | Verify: The user is required to verify the authenticator's output before it is accepted<br>Reason: Confirms possession of the authenticator | High | Impersonation, Credential Theft | SP800-63B |
| 3 | Verify: Guidelines for the type of authenticator being registered are considered<br>Reason: Ensures the new authenticator is installed securely | High | | SP800-63B |
| 4 | Verify: Once a new authenticator is established, the website revokes the previous authenticator<br>Reason: If an attacker gets hold of the old authenticator, it no longer works | High | Impersonation, Credential Theft | SP800-63B |

😕 Authenticator Lost

| #️⃣ | ✅ Items | ⚠️ Severity | ☠️ Vulnerabilities | 🔗 Sources |
|---|---|---|---|---|
| 1 | Verify: When a user reports an authenticator lost, they are re-authenticated<br>Reason: Confirms that the actual user is making the lost claim, not someone else | High | Impersonation | SP800-63B |
| 2 | Verify: If a user reports a lost authenticator during the verification stage at login, a PIN or token URL strategy from Credential Reset is followed<br>Reason: Establishes a secure way for a user to change their authenticator | High | Impersonation, Credential Theft | SP800-63B |
| 3 | Verify: The lost authenticator no longer works with the user's account<br>Reason: If an attacker gets hold of the authenticator, it no longer works | High | Impersonation, Credential Theft | SP800-63B |
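The reset and lost-authenticator checks above, together with the "record of all authenticators" item from the policies table, as one in-memory lifecycle store. This is an added example, not code from this checklist or its project: every change starts by demanding a fresh re-authentication, a new authenticator is accepted only after its output has been verified, a reset revokes the replaced authenticator only once the new one exists, a lost report revokes the reported one, and each step is appended to an audit trail. The freshness limit, the `reauth_at` timestamp shape, the event dictionary format and the store itself are assumptions.

```python
"""Authenticator lifecycle store: re-auth before any change, output
verified before acceptance, reset revokes the old authenticator, lost
report revokes the reported one, every step logged.

Added example for this checklist, not the page's own code. The freshness
limit, event shape and in-memory store are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

REAUTH_MAX_AGE_SECONDS = 120   # assumed: a re-authentication older than this is stale


class ReauthRequired(Exception):
    """A lifecycle change was attempted without a fresh re-authentication."""


class OutputNotVerified(Exception):
    """A new authenticator was offered before its output had been checked."""


@dataclass
class AuthenticatorRecord:
    auth_id: str
    kind: str                      # e.g. "totp" or "fido2"; per-type policy is the caller's job
    account: str
    created_at: float
    revoked_at: Optional[float] = None

    @property
    def active(self) -> bool:
        return self.revoked_at is None


@dataclass
class AuthenticatorStore:
    now: Callable[[], float]
    records: Dict[str, AuthenticatorRecord] = field(default_factory=dict)
    events: List[dict] = field(default_factory=list)   # audit trail (policies item 1)

    def reauth_is_fresh(self, reauth_at: Optional[float]) -> bool:
        return reauth_at is not None and self.now() - reauth_at <= REAUTH_MAX_AGE_SECONDS

    def _log(self, event: str, account: str, **extra) -> None:
        self.events.append({"ts": self.now(), "event": event, "account": account, **extra})

    def _require_reauth(self, account: str, reauth_at: Optional[float], action: str) -> None:
        # Reset item 1 and lost item 1: the actual user must prove it is them first.
        if not self.reauth_is_fresh(reauth_at):
            self._log("reauth_missing", account, action=action)
            raise ReauthRequired(action)

    def active_for(self, account: str) -> List[AuthenticatorRecord]:
        """All live authenticators on an account, so revocation is always possible."""
        return [r for r in self.records.values() if r.account == account and r.active]

    def register(self, account: str, auth_id: str, kind: str,
                 reauth_at: Optional[float], output_verified: bool) -> AuthenticatorRecord:
        self._require_reauth(account, reauth_at, "register")
        if not output_verified:   # reset item 2: possession must be proven before acceptance
            self._log("authenticator_rejected", account, auth_id=auth_id, reason="output_not_verified")
            raise OutputNotVerified(auth_id)
        rec = AuthenticatorRecord(auth_id, kind, account, self.now())
        self.records[auth_id] = rec
        self._log("authenticator_registered", account, auth_id=auth_id, kind=kind)
        return rec

    def revoke(self, account: str, auth_id: str, reason: str) -> None:
        rec = self.records[auth_id]
        if rec.account != account:
            raise KeyError(auth_id)   # one account can never revoke another's authenticator
        if rec.active:
            rec.revoked_at = self.now()
            self._log("authenticator_revoked", account, auth_id=auth_id, reason=reason)

    def reset(self, account: str, old_id: str, new_id: str, kind: str,
              reauth_at: Optional[float], output_verified: bool) -> AuthenticatorRecord:
        self._require_reauth(account, reauth_at, "reset")
        new = self.register(account, new_id, kind, reauth_at, output_verified)
        self.revoke(account, old_id, "replaced")   # reset item 4: old one dies once new one exists
        return new

    def report_lost(self, account: str, auth_id: str, reauth_at: Optional[float]) -> None:
        self._require_reauth(account, reauth_at, "lost")
        self.revoke(account, auth_id, "reported_lost")   # lost item 3

    def is_usable(self, account: str, auth_id: str) -> bool:
        rec = self.records.get(auth_id)
        return rec is not None and rec.account == account and rec.active
```

Revocation is a timestamp rather than a deletion, so the record of every authenticator an account ever had survives for investigation, and `is_usable` is the single check the login path consults, which is what makes a replaced or lost authenticator fail immediately.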

📋 Authenticator Policies

| #️⃣ | ✅ Items | ⚠️ Severity | ☠️ Vulnerabilities | 🔗 Sources |
|---|---|---|---|---|
| 1 | Verify: All authenticator-related events are logged, such as registering a new authenticator, a lost authenticator, an incorrect authenticator value, etc.<br>Reason: Helps in detecting and investigating security incidents | High | Insufficient Logging | ACS, ASVS, SP800-63B |
| 2 | Verify: All user-supplied input (PINs, secrets, codes, etc.) is never trusted and is always validated<br>Reason: Prevents injection or denial of service attacks | High | Denial of Service, Injection | ACS |
| 3 | Verify: TLS (HTTPS) and the Strict-Transport-Security header are enabled for every authentication process<br>Reason: Network traffic is encrypted, which prevents eavesdropping | High | Eavesdropping | ACS, ASVS |
| 4 | Verify: Rate-limiting mechanisms exist<br>Reason: Prevents guessing and denial of service | High | Denial of Service, Brute Force | ACS, ASVS, SP800-63B |
| 5 | Verify: At least two factors can be used. "Something you know" must be followed by either "something you have" or "something you are"<br>Reason: Decreases the likelihood of account compromise, since possession of two factors is needed | High | Credential Theft | ACS, ASVS, SP800-63B |
| 6 | Verify: The website maintains a record of all authenticators associated with an account<br>Reason: Makes revocation and deletion of authenticators possible in case of compromise | High | Credential Theft | SP800-63B |
| 7 | Verify: Email notifications are sent for sensitive operations such as authenticator registration, reset, loss, and account lockout<br>Reason: If the user did not authorize these operations, the notification alerts them | High | Impersonation | ACS, ASVS, SP800-63B |

🔴 Authenticator in Production

| #️⃣ | ✅ Items | ⚠️ Severity | ☠️ Vulnerabilities | 🔗 Sources |
|---|---|---|---|---|
| 1 | Verify: Log activity is monitored regularly<br>Reason: Detects suspicious activity such as multiple failed authenticator attempts | High | Impersonation | |
| 2 | Verify: Registered authenticators are reviewed periodically for suspicious entries<br>Reason: Ensures that unauthorized authenticators aren't associated with an account | High | Impersonation, Credential Theft | |
| 3 | Verify: Third-party software or libraries used by multi-factor authentication are updated to the most recent version and are regularly patched<br>Reason: A vulnerability in a third-party resource can grant an attacker unauthorized access | High | Vulnerable Dependency | |
| 4 | Verify: Regular security assessments, vulnerability scans, and penetration tests are conducted to identify vulnerabilities in custom and third-party code<br>Reason: Identifies any security vulnerabilities that may have appeared in the multi-factor authentication implementation | High | Impersonation, Credential Theft | |
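Production items 1 and 2 depend on the event log that policies item 1 asks for. As an added example (not code from this checklist or its project), here is the monitoring side: a small parser for JSON-lines audit events, a sliding-window detector for accounts with a burst of failed authenticator attempts, and a review that flags authenticator registrations not preceded by a fresh re-authentication of the same account. The log line format, the field names, the sample lines and the thresholds are all constructed for the example.

```python
"""Monitoring the authenticator audit log: burst of failed attempts per
account, and registrations with no preceding re-authentication.

Added example for this checklist, not the page's own code. The log format,
field names, sample lines and thresholds are constructed assumptions."""
import json
from collections import defaultdict
from typing import Dict, List

# Constructed sample of the kind of JSON-lines events the policies table asks for.
SAMPLE_LOG = """
{"ts": 100, "event": "authenticator_failed", "account": "alice", "ip": "203.0.113.5"}
{"ts": 110, "event": "authenticator_failed", "account": "alice", "ip": "203.0.113.5"}
{"ts": 120, "event": "authenticator_failed", "account": "alice", "ip": "203.0.113.5"}
{"ts": 125, "event": "authenticator_failed", "account": "alice", "ip": "203.0.113.5"}
{"ts": 130, "event": "authenticator_failed", "account": "alice", "ip": "203.0.113.5"}
{"ts": 140, "event": "reauth_ok", "account": "bob", "ip": "198.51.100.7"}
{"ts": 150, "event": "authenticator_registered", "account": "bob", "auth_id": "totp-2", "ip": "198.51.100.7"}
{"ts": 900, "event": "authenticator_registered", "account": "carol", "auth_id": "key-9", "ip": "192.0.2.44"}
{"ts": 2000, "event": "authenticator_failed", "account": "dave", "ip": "192.0.2.9"}
{"ts": 9000, "event": "authenticator_failed", "account": "dave", "ip": "192.0.2.9"}
"""


def parse_log(text: str) -> List[dict]:
    """One dict per non-empty JSON line; malformed lines would raise, which is intended."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def failed_attempt_bursts(events: List[dict], threshold: int = 5, window: int = 300) -> Dict[str, int]:
    """Accounts with at least `threshold` failures inside some `window`-second span
    (production item 1). Returns account -> size of the largest burst seen."""
    per_account: Dict[str, List[int]] = defaultdict(list)
    for e in events:
        if e["event"] == "authenticator_failed":
            per_account[e["account"]].append(e["ts"])
    hits: Dict[str, int] = {}
    for account, times in per_account.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[account] = best
    return hits


def registrations_without_reauth(events: List[dict], max_gap: int = 120) -> List[str]:
    """auth_ids registered with no reauth_ok for the same account within the
    preceding `max_gap` seconds (production item 2 / registration item 3)."""
    last_reauth: Dict[str, int] = {}
    suspicious: List[str] = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event"] == "reauth_ok":
            last_reauth[e["account"]] = e["ts"]
        elif e["event"] == "authenticator_registered":
            seen = last_reauth.get(e["account"])
            if seen is None or e["ts"] - seen > max_gap:
                suspicious.append(e["auth_id"])
    return suspicious


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(failed_attempt_bursts(evs))            # {'alice': 5}
    print(registrations_without_reauth(evs))     # ['key-9']
```

Two of dave's failures are hours apart, so a sliding window keeps them out of the burst report where a plain per-account count would have raised noise; carol's registration is flagged because the log shows no re-authentication event for her account before it, which is exactly the review the "periodically review registered authenticators" item calls for.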

🔗 Sources:

Open Web Application Security Project (OWASP):

National Institute of Standards and Technology (NIST):