ASVS
L2 should support the use of hardware-based authenticators
In https://github.com/OWASP/ASVS/issues/2970 it has been made clear that both phone providers and online IDP services widely support hardware-based authenticators. At the same time, users can use synced passkeys (https://www.passkeycentral.org/introduction-to-passkeys/passkey-types), which now, by default, get backed up by Android and iOS.
At the same time, the use of FIDO2/U2F tokens and WebAuthn makes it possible to implement MFA and passwordless authentication securely, making it easier for users to use web services without fearing phishing or credential stuffing.
Therefore, supporting hardware-based authenticators for L2 is a must.
See:
https://github.com/OWASP/ASVS/issues/2970#issuecomment-2853680112
I am suggesting adding the following non-quoted section between these two quoted sections. (based on https://github.com/OWASP/ASVS/pull/3093/files)
V6.3 General Authentication Security
This section contains general requirements for the security of authentication mechanisms as well as setting out the different expectations for levels. In particular, enforcing the use of multi-factor authentication (MFA) is required for L2 and hardware-based authentication, performed in an attested and trusted execution environment (TEE), is required for L3.
Applications verified at L2 must support the use of hardware-based authenticators compliant with FIDO2 or equivalent standards. Where feasible, such authenticators should be required for all users performing sensitive operations or accessing administrative interfaces.
Whilst this is a relatively aggressive stance on MFA, it is critical to raise the bar around this to protect users and any attempt to relax these requirements should be accompanied by a clear plan on how the risks around authentication will be mitigated, taking into account NIST's guidance and research on the topic.
and
https://github.com/OWASP/ASVS/issues/2970#issuecomment-2853599126
| # | Description | Level | #v5.0.be |
|---|---|---|---|
| 6.3.3 | Verify that either a multi-factor authentication mechanism or a combination of single-factor authentication mechanisms (such as using synced passkeys in conjunction with a password) must be used to access the application. Relaxing this requirement requires a fully documented rationale and comprehensive mitigating controls. | 2 | v5.0.be-2.2.9 |