01. The answer to each challenge question must have at least three (3) characters.
An application that implements a challenge-response mechanism must enforce a minimum response length of 3 characters.
STRIDE Threat Type(s) : Spoofing
Technical Risk : If the response phrase is too short, it is easier for an attacker to guess or brute-force the response and pass challenge-response verification.
Corrective Action : The application logic must reject response phrases shorter than three characters.
02. Response phrases are not to be the same as their corresponding challenge questions.
If the information system implements a challenge/response phrase mechanism, it should not allow a user to set a response phrase identical to the challenge phrase.
STRIDE Threat Type(s) : Spoofing
Technical Risk : Users may set their challenge and response phrases to the same value to make recovery easier if they forget their passwords. However, the challenge phrase is shown to unauthenticated users as well, so such accounts are in jeopardy from anyone who sees the challenge.
Corrective Action : Do not allow challenge and response phrases to be the same value.
03. The number of challenge questions used when onboarding a user to the challenge-response system is to be at least five (5).
An application that implements a challenge-response mechanism must require a minimum set of five security questions as part of user onboarding to the challenge-response system. A larger pool increases the randomness of the questions selected for each challenge.
STRIDE Threat Type(s) : Spoofing
Technical Risk : A small pool of challenge questions reduces the randomness of each challenge, so the same questions recur and an attacker can try a different candidate answer to the same question on each attempt.
Corrective Action : The application must require a minimum of five security questions when onboarding a user to the challenge-response system.
04. The challenge-response system is to challenge the user with a set of at least three (3) challenge questions.
An application that implements a challenge-response mechanism must require the user to answer at least three security questions on each validation.
STRIDE Threat Type(s) : Spoofing
Technical Risk : Fewer than three challenge questions make it easier for an attacker to guess or brute-force the responses.
Corrective Action : The application must challenge the user with a minimum set of three security questions and must require a correct answer to all of them.
05. In the event of a failed response, the system is to present the user with a new, randomly generated set of challenge questions.
An application that implements a challenge-response mechanism must randomize the selection of security questions each time a challenge is issued.
STRIDE Threat Type(s) : Spoofing
Technical Risk : If the same questions are presented on every attempt, an attacker can work through candidate answers by trial and error until the correct answer for each question is found; randomizing the set on every challenge removes this possibility.
Corrective Action : The application must challenge the user with a random set of security questions each time.
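A reference implementation of requirements 01 to 05 together, written as an added example and not part of the original requirements catalog: enrollment validation enforces the minimum answer length, the answer-differs-from-question rule and the five-question pool; each challenge draws three questions at random and is discarded after every attempt, so a failed attempt receives a fresh set. The class and function names, the hashing scheme and the sample questions are constructed for illustration.

```python
import hashlib
import hmac
import secrets

MIN_RESPONSE_LEN = 3          # requirement 01
MIN_ENROLLED_QUESTIONS = 5    # requirement 03
QUESTIONS_PER_CHALLENGE = 3   # requirement 04

def normalize(text):
    """Case- and whitespace-insensitive form used for all comparisons."""
    return " ".join(text.strip().lower().split())

def hash_response(response):
    # Constructed storage format for the example; a deployment would use a salted password hash.
    return hashlib.sha256(normalize(response).encode()).hexdigest()

def validate_enrollment(pairs):
    """Return the policy violations in a proposed list of (question, response) pairs."""
    errors = []
    if len(pairs) < MIN_ENROLLED_QUESTIONS:
        errors.append(f"need at least {MIN_ENROLLED_QUESTIONS} questions, got {len(pairs)}")
    for question, response in pairs:
        if len(response.strip()) < MIN_RESPONSE_LEN:
            errors.append(f"response to {question!r} is shorter than {MIN_RESPONSE_LEN} characters")
        if normalize(question) == normalize(response):       # requirement 02
            errors.append(f"response to {question!r} must differ from the question")
    return errors

class ChallengeResponse:
    def __init__(self, pairs):
        errors = validate_enrollment(pairs)
        if errors:
            raise ValueError("; ".join(errors))
        self.store = {q: hash_response(r) for q, r in pairs}
        self.current = None   # questions issued for the pending attempt, if any

    def new_challenge(self):
        """Pick a fresh random subset of the enrolled questions (requirements 04 and 05)."""
        self.current = secrets.SystemRandom().sample(list(self.store), QUESTIONS_PER_CHALLENGE)
        return list(self.current)

    def verify(self, answers):
        """True only if every issued question is answered correctly; the set is discarded either way."""
        issued, self.current = self.current, None   # requirement 05: next attempt gets a new set
        if issued is None or set(answers) != set(issued):
            return False
        results = [hmac.compare_digest(self.store[q], hash_response(a)) for q, a in answers.items()]
        return all(results)
```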