OWASP / ASVS

Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International

Clarifying ASVS 2.2.6, 2.6.1 and 2.8.4 #2278

Closed aramhovsepyan closed 2 weeks ago

aramhovsepyan commented 2 weeks ago

Hi guys, some ASVS users (including myself) are struggling with the interpretation of 2.2.6, 2.6.1 and 2.8.4. All of these requirements seem related to OTP codes. Consider perhaps bringing these items closer together by, e.g., grouping them under the same category. Here is my interpretation of these items, by the way. I'm wondering whether it's correct:

- 2.2.6 - make sure an OTP cannot be used more than once within the same time window. E.g., a Google Authenticator code expires after 30 sec, and the application should ideally make sure that the same code cannot be reused within those 30 seconds (especially if the app allows for some grace periods).
- 2.6.1 - make sure OTP backup codes (which you typically get after setting up an OTP device) cannot be used twice.
- 2.8.4 - make sure your OTP codes are not valid after the time window has passed.

I'm happy to contribute to the resolution of this issue. Let me know how. Thanks.

tghosth commented 2 weeks ago

- 2.2.6 is gone.
- 2.6.1 relates to lookup secrets, i.e. recovery codes for MFA.
- 2.8.4 relates to TOTP, like Google Authenticator or an RSA token.

So basically I think you are correct. Having read the updated section text, do you think the requirements need further clarification?

aramhovsepyan commented 2 weeks ago

Yep. Closing this one then.