Merge pull request #461 from bugcrowd/Missing-Failsafe
Updated rec for Missing 2FA failsafe
RRudder authored May 15, 2024
2 parents 2d052fc + b6ebadb commit ac21e88
Showing 1 changed file with 2 additions and 2 deletions.
@@ -1,10 +1,10 @@
# Recommendation(s)

It is recommended to invalidate the 2FA code each time a new code is requested so that there is only one valid and unique code at a time.
It is recommended to implement a failsafe login method for users who don’t have access to their 2FA method.

Additionally, the following best practices should be adhered to for secure 2FA implementation:

- Users should have access to a failsafe login method if they don’t have access to their 2FA implementation
- The 2FA code should be invalidated each time a new code is requested
- 2FA should be implemented for users upon sensitive actions such as login, change of password or security questions, elevation of user session, change of email address or phone number, and disabling of 2FA.
- The uniquely generated OTP should expire
- The page behind the 2FA step should not be able to be accessed directly by manipulating the URL
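Review bot: the new lead sentence ("It is recommended to implement a failsafe login method for users who don’t have access to their 2FA method.") restates the first bullet of the best-practices list ("Users should have access to a failsafe login method if they don’t have access to their 2FA implementation"), so the recommendation now says the same thing twice, and with slightly different terminology ("2FA method" vs "2FA implementation"). Suggest either dropping that bullet or making the lead sentence carry the specifics the bullet lacks: name what qualifies as a failsafe (for example one-time backup/recovery codes or a second enrolled factor) and state that the fallback must be verified at the same strength as the primary factor, since a weak recovery path is itself a 2FA bypass. Minor: pick one of "2FA method" / "2FA implementation" and use it in both places.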

0 comments on commit ac21e88
