ASVS icon indicating copy to clipboard operation
ASVS copied to clipboard

Published 20 hours ago verified publisher icon OWASP

2.2.2 and 2.7.1 are duplicates

Open jmanico opened this issue 1 year ago • 2 comments

2.2.2 [MODIFIED, SPLIT TO 2.2.12] Verify that restricted authenticators (those using PSTN to deliver OTPs via phone or SMS) are offered only when alternate stronger methods are also offered and when the service provides information on their security risks to users.
2.7.1 Verify that clear text out of band (NIST "restricted") authenticators, such as SMS or PSTN, are not offered by default, and stronger alternatives such as push notifications are offered first.

Suggest deleting 2.7.1

jmanico avatar Dec 18 '23 14:12 jmanico

@tghosth - do you agree, that 2.7.1 is duplicate of 2.2.2 and can be deleted?

elarlang avatar Dec 31 '23 11:12 elarlang

This is another weird NIST artefact, I think we consider this in the V2 rework but it seems likely we will need to do something drastic with this chapter.

tghosth avatar Jan 24 '24 07:01 tghosth

Opened #2242 to resolve this clear duplication

tghosth avatar Nov 05 '24 14:11 tghosth