
Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International

2.2.2 and 2.7.1 are duplicates #1811

Open jmanico opened 9 months ago

jmanico commented 9 months ago
2.2.2 [MODIFIED, SPLIT TO 2.2.12] Verify that restricted authenticators (those using PSTN to deliver OTPs via phone or SMS) are offered only when alternate stronger methods are also offered and when the service provides information on their security risks to users.
2.7.1 Verify that clear text out of band (NIST "restricted") authenticators, such as SMS or PSTN, are not offered by default, and stronger alternatives such as push notifications are offered first.

Suggest deleting 2.7.1

elarlang commented 8 months ago

@tghosth - do you agree that 2.7.1 is a duplicate of 2.2.2 and can be deleted?

tghosth commented 7 months ago

This is another weird NIST artefact. I think we consider this in the V2 rework, but it seems likely we will need to do something drastic with this chapter.