Hi Dave. Thanks for the post. One of the OWASP guidelines is "Validate the authentication data only on completion of all data input, especially for sequential authentication implementations".
I would take it that a method which uses, say, a password followed by a 6-digit SMS token falls under this category. Would it make sense to find some way of re-authenticating the password when doing the 2nd factor?
Dave Smith - 2015-05-26 07:33:50 - In reply to message 1 from Cyril Ogana
I am assuming the events would be...
1) User logs in with a username and password pair, or just a password if the system requires unique passwords for each user.
2) Password is validated and the system sends a unique 6-digit PIN to the registered mobile number via SMS.
3) User enters the 6-digit PIN as a token.
When the PIN is entered, all data has been entered and then we perform the authentication... username and password and token match, user is authenticated. I think this is in compliance with the OWASP guidelines.
The 6-digit PIN should be unique and new for each new authentication request and expire after a short period of time.
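The three steps listed above, as an added worked example in Python. This is not code from either post or from the article they comment on. It follows the flow as described (password checked first, a fresh 6-digit PIN sent by SMS, final accept/reject only once the PIN is in) and goes one step further than the text: step 1 always hands back an opaque login id whether or not the password was right, so the caller learns nothing until completion, which is how the OWASP guideline is usually read. The user store, the phone number and the `send_sms` hook are constructed for the demo; PIN lifetime and PBKDF2 iteration count are assumed values.

```python
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 120          # "expire after a short period of time" (assumed value)
PBKDF2_ITERATIONS = 100_000    # assumed work factor for the demo password hash


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user(password: str, phone: str) -> dict:
    """Build a constructed user record: random salt, PBKDF2 hash, registered phone."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "phone": phone}


class TwoStepLogin:
    """Password followed by a 6-digit SMS PIN. The accept/reject decision is made
    only in complete(), after every piece of authentication data has been entered."""

    def __init__(self, users: dict, send_sms, clock=time.monotonic):
        self.users = users        # username -> record from make_user()
        self.send_sms = send_sms  # callable(phone, pin); injected so the demo runs offline
        self.clock = clock        # injectable so expiry can be tested deterministically
        self.pending = {}         # login_id -> state of an in-progress login

    def begin(self, username: str, password: str) -> str:
        """Steps 1 and 2: take username/password; if they check out, issue a fresh PIN.
        Always returns an opaque login id, so a wrong password is not reported here."""
        user = self.users.get(username)
        if user is None:
            # Burn the same hashing work so a missing user is not distinguishable by timing.
            hash_password(password, b"\x00" * 16)
            password_ok = False
        else:
            password_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
        login_id = secrets.token_urlsafe(16)
        state = {"username": username, "password_ok": password_ok, "pin": None,
                 "expires": self.clock() + PIN_TTL_SECONDS}
        if password_ok:
            # New, unpredictable 6-digit PIN for every authentication request.
            state["pin"] = f"{secrets.randbelow(10**6):06d}"
            self.send_sms(user["phone"], state["pin"])
        self.pending[login_id] = state
        return login_id

    def complete(self, login_id: str, pin: str) -> bool:
        """Step 3: the token is in, so all data has been entered; now authenticate.
        The pending record is consumed whether or not the attempt succeeds, so each
        login id allows exactly one PIN guess."""
        state = self.pending.pop(login_id, None)
        if state is None:
            return False
        expired = self.clock() > state["expires"]
        # Compare against a random dummy when no PIN was issued, so the failing paths
        # do the same amount of work; password_ok still gates the result.
        issued = state["pin"] or f"{secrets.randbelow(10**6):06d}"
        pin_ok = hmac.compare_digest(issued.encode("utf-8"), pin.encode("utf-8"))
        return state["password_ok"] and pin_ok and not expired


if __name__ == "__main__":
    outbox = []  # stands in for the SMS gateway
    users = {"alice": make_user("correct horse battery", "+15550100")}  # constructed
    login = TwoStepLogin(users, lambda phone, pin: outbox.append((phone, pin)))
    lid = login.begin("alice", "correct horse battery")
    phone, pin = outbox[-1]
    print("PIN sent to", phone, "->", login.complete(lid, pin))
    print("replay of same login id ->", login.complete(lid, pin))
```

Note that `begin()` looks identical to the user for a right or wrong password; the user is only told "authentication failed" after the PIN step, and the PIN is bound to one login id, used once, and dropped after `PIN_TTL_SECONDS`.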