The mobile app must implement organization-defined out-of-band authentication under organization-defined conditions.


Overview

Finding ID: SRG-APP-000393-MAPP-000100
Version: SRG-APP-000393-MAPP-000100
Rule ID: SRG-APP-000393-MAPP-000100_rule
IA Controls: (none listed)
Severity: Medium
Description
Out-of-band authentication (OOBA) uses two separate networks or channels to communicate between two parties or devices, so that a user or device is identified and authenticated to an information system over a path distinct from the one carrying the session. For example, a user can access a site through a network connection while a one-time password is sent through a cellular network to that user's mobile device. Because an attacker would have to compromise both channels, this reduces the probability of the authentication process being compromised, and organizations can employ it to mitigate actual or suspected man-in-the-middle attacks. The conditions for activation can include, for example, suspicious activities, new threat indicators or elevated threat levels, or the impact level or classification level of the information in the requested transaction.
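The following is an added illustration of the mechanism the description above sketches; it is not part of the SRG text and not DISA's code. It models the verifying side that a mobile app talks to: a set of organization-defined activation conditions (the condition names, thresholds, code length, timeout and attempt limit are all assumed placeholder values), a one-time code generated with a CSPRNG and delivered over a second channel (represented by a `deliver` callable standing in for an SMS or push gateway), and a single-use, time-limited, attempt-limited verification that compares a salted hash of the code in constant time.

```python
"""Out-of-band step-up authentication, constructed example (stdlib only).

The in-band channel is the app's normal session; the out-of-band channel is
whatever `deliver` sends through (e.g. SMS). All limits below are assumed
placeholder values for what an organization would define.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed organization-defined activation conditions.
ELEVATED_THREAT_LEVELS = {"elevated", "high", "severe"}
STEP_UP_CLASSIFICATIONS = {"confidential", "secret"}

CODE_DIGITS = 6          # assumed code length
CODE_TTL_SECONDS = 120   # assumed validity window
MAX_ATTEMPTS = 3         # assumed guess budget per challenge


@dataclass
class Challenge:
    code_hash: bytes      # only a salted hash of the code is kept server-side
    salt: bytes
    expires_at: float
    attempts: int = 0
    used: bool = False


def requires_oob(context: dict) -> bool:
    """True when any organization-defined condition in `context` is met."""
    return bool(
        context.get("suspicious_activity", False)
        or context.get("threat_level", "baseline") in ELEVATED_THREAT_LEVELS
        or context.get("classification", "unclassified") in STEP_UP_CLASSIFICATIONS
        or context.get("new_device", False)
    )


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 10_000)


class OobAuthenticator:
    def __init__(self, deliver, clock=time.time):
        self._deliver = deliver   # out-of-band channel: deliver(user_id, message)
        self._clock = clock       # injectable clock so expiry can be tested
        self._pending: dict = {}  # user_id -> Challenge

    def issue(self, user_id: str) -> None:
        """Generate a one-time code, store its hash, send the code out-of-band."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[user_id] = Challenge(
            code_hash=_hash_code(code, salt),
            salt=salt,
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        self._deliver(user_id, f"Your verification code is {code}")

    def verify(self, user_id: str, code: str) -> bool:
        """Single-use, time-limited, attempt-limited, constant-time check."""
        ch = self._pending.get(user_id)
        if ch is None or ch.used:
            return False
        if self._clock() > ch.expires_at:
            del self._pending[user_id]      # expired: force a fresh challenge
            return False
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]      # guess budget spent: discard it
            return False
        if hmac.compare_digest(_hash_code(code, ch.salt), ch.code_hash):
            ch.used = True                  # a code never validates twice
            return True
        return False


if __name__ == "__main__":
    # Constructed usage: the "gateway" just records what it would have sent.
    outbox = []
    auth = OobAuthenticator(deliver=lambda uid, msg: outbox.append((uid, msg)))
    if requires_oob({"threat_level": "high"}):
        auth.issue("alice")
        delivered_code = outbox[-1][1].split()[-1]
        print("verified:", auth.verify("alice", delivered_code))
```

The checks a reviewer would look for against this requirement are visible in `verify`: the code is never stored in clear, comparison is constant-time, and a challenge dies on expiry, on too many attempts, or on first successful use.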
STIG: Mobile Application Security Requirements Guide
Date: 2014-07-22

Details

Check Text (C-SRG-APP-000393-MAPP-000100_chk)
Review the mobile app configuration or code to determine if the mobile app implements organization-defined out-of-band authentication under organization-defined conditions. If it does not, this is a finding.
Fix Text (F-SRG-APP-000393-MAPP-000100_fix)
Configure or code the mobile app to implement organization-defined out-of-band authentication under organization-defined conditions.