OWASP / owasp-masvs

The OWASP MASVS (Mobile Application Security Verification Standard) is the industry standard for mobile app security.
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

Where should we put step-up authentication if necessary? #41

Closed commjoen closed 7 years ago

commjoen commented 7 years ago

Hi, one thing that could work for L4 applications is that for certain risky activities the user should do a step-up authentication (using a mobile PIN or a fingerprint, or something else). Should this be part of the MASVS and, if so, where should we put it?

muellerberndt commented 7 years ago

Good point, this is common in mobile banking apps. I would make it an L2 requirement?

ghost commented 7 years ago

Step-up, do you mean like a two-factor auth system? For banking applications it is common to use unconnected card readers for an enhanced security layer. Usually basic operations are permitted, and monetary transactions up to a certain limit. Any other operation, e.g. a new recipient, would require an OTP from a UCR.

commjoen commented 7 years ago

Both can be possible: you can either re-ask a PIN/fingerprint or you can use another factor outside the app. I will create a PR...
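A concrete sketch of the two step-up paths discussed in this thread (a fresh in-app PIN/biometric confirmation for larger transfers, and an OTP from an unconnected card reader for new recipients), written as an added example for this page; it is not code from the issue or from the MASVS project. The action policy, the transfer limit, the 120-second freshness window, and the HMAC-based card-reader response are all assumptions chosen for illustration; a real UCR uses its own vendor algorithm.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from enum import IntEnum

# Assumed policy constants for this example (not values taken from MASVS).
STEP_UP_TTL_SECONDS = 120      # how long a PIN/biometric/OTP confirmation stays "fresh"
TRANSFER_LIMIT_CENTS = 50_000  # transfers above this need an in-app re-authentication


class AuthLevel(IntEnum):
    SESSION = 0       # ordinary logged-in session, no extra prompt
    LOCAL = 1         # fresh in-app PIN or biometric
    OUT_OF_BAND = 2   # OTP from an unconnected card reader (UCR)


def required_level(action, amount_cents=0, known_recipient=True):
    """Map an action to the step-up level it needs (hypothetical policy)."""
    if action in ("view_balance", "list_transactions"):
        return AuthLevel.SESSION
    if action == "transfer" and known_recipient:
        return AuthLevel.LOCAL if amount_cents > TRANSFER_LIMIT_CENTS else AuthLevel.SESSION
    # New recipients, transfers to them, and unrecognised actions get the strongest level.
    return AuthLevel.OUT_OF_BAND


@dataclass
class Session:
    user: str
    confirmed: dict = field(default_factory=dict)  # AuthLevel -> time of last confirmation

    def record_step_up(self, level, now):
        self.confirmed[level] = now

    def has_fresh(self, level, now):
        """A confirmation at `level` or stronger, made within the TTL, satisfies `level`."""
        return any(now - ts <= STEP_UP_TTL_SECONDS
                   for lvl, ts in self.confirmed.items() if lvl >= level)


def authorize(session, action, now, amount_cents=0, known_recipient=True):
    """Return (allowed, level_required). When not allowed, the app prompts for that level."""
    need = required_level(action, amount_cents, known_recipient)
    if need == AuthLevel.SESSION:
        return True, need
    return session.has_fresh(need, now), need


def ucr_response(card_secret, challenge):
    """Simulated unconnected card reader: HMAC-SHA256 over the challenge, dynamically
    truncated to 6 digits (same truncation idea as HOTP). The challenge is derived from
    the transaction itself (e.g. the recipient account number), so an OTP phished or
    captured for one recipient cannot be replayed to authorise a different one."""
    mac = hmac.new(card_secret, challenge.encode(), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def verify_out_of_band(session, card_secret, challenge, submitted_otp, now):
    """Compare the OTP in constant time; on success record an OUT_OF_BAND step-up."""
    ok = hmac.compare_digest(ucr_response(card_secret, challenge), submitted_otp)
    if ok:
        session.record_step_up(AuthLevel.OUT_OF_BAND, now)
    return ok


if __name__ == "__main__":
    # Constructed walk-through: a small transfer passes, a large one needs a PIN,
    # a new recipient needs the card reader.
    s = Session("alice")
    print(authorize(s, "transfer", now=1000.0, amount_cents=10_000))   # (True, SESSION)
    print(authorize(s, "transfer", now=1000.0, amount_cents=60_000))   # (False, LOCAL)
    s.record_step_up(AuthLevel.LOCAL, 1000.0)                          # user entered PIN
    print(authorize(s, "transfer", now=1010.0, amount_cents=60_000))   # (True, LOCAL)
    print(authorize(s, "add_recipient", now=1010.0))                   # (False, OUT_OF_BAND)
    secret = b"per-card-secret"                                        # assumed card key
    otp = ucr_response(secret, "12345678")                             # user types challenge into UCR
    print(verify_out_of_band(s, secret, "12345678", otp, 1020.0))      # True
    print(authorize(s, "add_recipient", now=1020.0))                   # (True, OUT_OF_BAND)
```

The point of keeping `required_level` separate from `authorize` is that the policy (what is risky) is reviewable on its own, while the freshness check and the OTP binding to the challenge are the parts a tester would probe: an expired confirmation must not carry over, a PIN must not satisfy an out-of-band requirement, and an OTP for one challenge must not be accepted for another.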

commjoen commented 7 years ago

Closing issue as pull request is accepted.