V6.5.1: Verify that lookup secrets, out-of-band authentication requests or codes, and time-based one-time passwords (TOTPs) are only successfully usable once.
V6.5.2: Verify that, when being stored in the application's backend, lookup secrets with less than 112 bits of entropy (19 random alphanumeric characters or 34 random digits) are hashed with an approved password storage hashing algorithm that incorporates a 32-bit random salt. A standard hash function can be used if the secret has 112 bits of entropy or more.
V6.5.3: Verify that lookup secrets, out-of-band authentication codes, and time-based one-time password seeds are generated using a Cryptographically Secure Pseudorandom Number Generator (CSPRNG) to avoid predictable values.
V6.5.4: Verify that lookup secrets and out-of-band authentication codes have a minimum of 20 bits of entropy (typically 4 random alphanumeric characters or 6 random digits is sufficient).
V6.5.5: Verify that out-of-band authentication requests, codes, or tokens, as well as time-based one-time passwords (TOTPs), have a defined lifetime. Out-of-band requests must have a maximum lifetime of 10 minutes and TOTPs a maximum lifetime of 30 seconds.
V6.5.6: Verify that any authentication factor (including physical devices) can be revoked in case of theft or other loss.
V6.5.7: Verify that biometric authentication mechanisms are only used as secondary factors together with either something you have or something you know.
V6.5.8: Verify that time-based one-time passwords (TOTPs) are checked based on a time source from a trusted service and not from an untrusted or client-provided time.
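As an added illustration (not text from the ASVS or from the SAMMY tool), the following Python sketch shows a server-side TOTP check that satisfies V6.5.1, V6.5.3, V6.5.5 and V6.5.8 together: the seed comes from the OS CSPRNG, only the current 30-second step is accepted, a step that has already been redeemed is closed so the same code cannot be replayed, and the clock is injected by the server rather than read from the client. The names `new_totp_seed`, `totp_code` and `TotpVerifier` are my own, and the RFC 6238 test seed used in the usage comment is constructed.

```python
import hashlib
import hmac
import secrets
import struct
import time

TOTP_STEP = 30     # seconds; V6.5.5 caps a TOTP's lifetime at one 30-second step
TOTP_DIGITS = 6


def new_totp_seed() -> bytes:
    """V6.5.3: seeds come from the OS CSPRNG, never from random.random() or a timestamp."""
    return secrets.token_bytes(20)   # 160-bit seed, the size RFC 6238 suggests for SHA-1


def totp_code(seed: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 value for one time-step counter: HMAC-SHA1 plus dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server-side check of one enrolled seed, enforcing single use and server time."""

    def __init__(self, seed: bytes, clock=time.time):
        self.seed = seed
        # V6.5.8: the time source is supplied by the server (time.time or an
        # NTP-synced service); nothing in the client's request is used as time.
        self.clock = clock
        self.last_accepted_step = -1   # V6.5.1: highest step already redeemed

    def verify(self, submitted: str) -> bool:
        if len(submitted) != TOTP_DIGITS or not submitted.isdigit():
            return False
        step = int(self.clock()) // TOTP_STEP
        # V6.5.1 / V6.5.5: a step that already produced an accepted code is closed,
        # so the same code cannot be replayed within its 30-second window.
        if step <= self.last_accepted_step:
            return False
        expected = totp_code(self.seed, step)
        # Constant-time comparison so response timing does not leak matching digits.
        if not hmac.compare_digest(expected, submitted):
            return False
        self.last_accepted_step = step
        return True
```

With the RFC 6238 reference seed `b"12345678901234567890"` and a clock frozen at 59 seconds, `verify("287082")` succeeds once and every repeat of that code is refused.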