
New CS proposal: Reauthentication After Risk Events

Open pankajtaneja5 opened this issue 6 months ago • 4 comments

What is the proposed Cheat Sheet about?

I propose creating a new OWASP Cheat Sheet titled “Reauthentication After Risk Events”.

This cheat sheet will provide security guidance for requiring user reauthentication in response to high-risk account activity. It aligns with OWASP’s emphasis on secure session management, defense-in-depth, and adaptive authentication.

What security issues are commonly encountered related to this area?

  • Attackers exploiting stolen session tokens to bypass authentication
  • Inadequate session controls after account recovery or password resets
  • Lack of reauthentication for sensitive actions like changing credentials or device enrollment
  • Poor detection of anomalous behavior that should trigger reauthentication
  • User confusion or friction when reauthentication flows are poorly implemented

What is the objective of the Cheat Sheet?

This cheat sheet aims to:

  • Help developers and security teams identify situations where reauthentication should be triggered
  • Recommend effective reauthentication mechanisms that minimize user friction
  • Provide implementation guidance for secure, adaptive, and context-aware reauthentication
  • Reduce the risk of account takeover following high-risk events or suspicious activity

What other resources exist in this area?

  • The OWASP Session Management Cheat Sheet lightly touches on reauthentication but does not offer comprehensive guidance
  • OWASP Application Security Verification Standard (ASVS) mentions reauthentication for sensitive actions
  • NIST 800-63B (Digital Identity Guidelines) discusses authentication assurance levels and reauthentication
  • Third-party articles and vendor docs (e.g., Google, Okta) describe adaptive auth, but the guidance is fragmented across platforms

This cheat sheet will centralize these practices in a product-agnostic, actionable format for the OWASP community.

I’ve previously contributed to OWASP cheat sheets and would be happy to draft this as a PR following template guidelines.

Thanks for considering!

pankajtaneja5, Jun 14 '25 04:06
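To make the proposal's three core concerns concrete (stolen session tokens, session handling after a password reset, and step-up for sensitive actions), here is an added illustration in Python. It is not code from the proposal or from any OWASP cheat sheet; the 5-minute reauthentication window, the action names, the risk-event names and the in-memory session store are all assumptions chosen for the example.

```python
"""Step-up reauthentication and session revocation after risk events.

Added illustration for this proposal; not code from any OWASP cheat sheet.
The 5-minute window, the action names and the event names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
import secrets

# Assumed policy: a sensitive action needs an authentication no older than this.
REAUTH_WINDOW = timedelta(minutes=5)
SENSITIVE_ACTIONS = {"change_password", "change_email", "enroll_device", "disable_mfa"}


@dataclass
class Session:
    user_id: str
    authenticated_at: datetime      # last time credentials (or MFA) were verified
    reauth_required: bool = False   # set by a risk event, cleared by reauthenticate()


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user_id: str, now: datetime) -> str:
        """Create a session after a full login and return its opaque token."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user_id, now)
        return token

    def reauthenticate(self, token: str, now: datetime) -> bool:
        """Call only after the user re-proved credentials/MFA on this session."""
        session = self._sessions.get(token)
        if session is None:
            return False  # a revoked token cannot be revived by a reauth step
        session.authenticated_at = now
        session.reauth_required = False
        return True

    def authorize(self, token: str, action: str, now: datetime) -> str:
        """Return 'allowed', 'reauth' (step up first) or 'denied' (no session)."""
        session = self._sessions.get(token)
        if session is None:
            return "denied"
        if session.reauth_required:
            return "reauth"
        if action in SENSITIVE_ACTIONS and now - session.authenticated_at > REAUTH_WINDOW:
            return "reauth"
        return "allowed"

    def on_risk_event(self, user_id: str, event: str,
                      current_token: Optional[str] = None) -> int:
        """Apply the session consequence of a risk event; return sessions affected."""
        affected = 0
        if event in {"password_reset", "account_recovery"}:
            # Credentials changed: every other session, stolen ones included, is revoked.
            doomed = [t for t, s in self._sessions.items()
                      if s.user_id == user_id and t != current_token]
            for tok in doomed:
                del self._sessions[tok]
                affected += 1
        elif event == "anomalous_activity":
            # Suspicious but not conclusive: keep sessions, force step-up on next request.
            for s in self._sessions.values():
                if s.user_id == user_id and not s.reauth_required:
                    s.reauth_required = True
                    affected += 1
        else:
            raise ValueError(f"unknown risk event: {event}")
        return affected


def demo() -> List[str]:
    """Walk one user through the flows; timestamps and tokens are constructed."""
    store = SessionStore()
    t0 = datetime(2025, 6, 14, 12, 0, tzinfo=timezone.utc)
    alice = store.login("alice", t0)
    stolen = store.login("alice", t0)   # constructed: a second token now held by an attacker
    results = []
    results.append(store.authorize(alice, "view_profile", t0 + timedelta(minutes=30)))     # allowed
    results.append(store.authorize(alice, "change_password", t0 + timedelta(minutes=30)))  # reauth
    store.reauthenticate(alice, t0 + timedelta(minutes=30))
    results.append(store.authorize(alice, "change_password", t0 + timedelta(minutes=31)))  # allowed
    store.on_risk_event("alice", "password_reset", current_token=alice)
    results.append(store.authorize(stolen, "view_profile", t0 + timedelta(minutes=31)))    # denied
    store.on_risk_event("alice", "anomalous_activity")
    results.append(store.authorize(alice, "view_profile", t0 + timedelta(minutes=32)))     # reauth
    return results


if __name__ == "__main__":
    print(demo())
```

The two event branches are deliberately different: a password reset is conclusive, so other sessions are revoked outright, while an anomaly only flags sessions for step-up, which avoids logging out a legitimate user on a false positive. In a real deployment the store would be a server-side session database and `reauthenticate()` would sit behind the actual credential or MFA check.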

Are we convinced this needs its own cheat sheet and can't be adequately covered in existing cheat sheets?

szh, Jun 16 '25 12:06

Are we convinced this needs its own cheat sheet and can't be adequately covered in existing cheat sheets?

I think we just want to expand the section in the authentication cheat sheet. But if it gets too long, I'd split it out and just reference it from the Authentication cheat sheet.

I'd rather see several small cheatsheets than one very large one.

Respectfully,

Jim

jmanico, Jun 16 '25 12:06

I'd rather see several small cheatsheets than one very large one.

+1 💯 👍

kwwall, Jun 17 '25 02:06

Looks good to me, but I would like to have it cross-linked with the Authentication CS.

mackowski, Jun 17 '25 13:06

Thank you for the thoughtful feedback!

Regarding the suggestion to expand the Authentication Cheat Sheet instead of creating a new one, I agree that it’s important to keep the cheat sheets concise and actionable. I believe this topic could potentially be a section within the Authentication Cheat Sheet, especially if the content overlaps with existing guidelines. However, if the section grows too large, splitting it out into its own cheat sheet may still be beneficial for clarity and focus.

I like the idea of cross-linking the content between the Authentication Cheat Sheet and this proposed one, which would allow for deeper coverage without redundancy. I’ll make sure to reference the authentication principles as part of the reauthentication process to keep the content aligned with OWASP’s existing resources.

I’m happy to move forward with either direction based on what the team thinks best. I’ll draft the content to fit seamlessly with existing guidelines and be ready to adapt depending on how we decide to approach it.

Looking forward to hearing your thoughts!

pankajtaneja5, Jun 19 '25 20:06

Awesome @pankajtaneja5, we will wait for the PR; let us know if you have any other questions.

mackowski, Jun 20 '25 15:06