spec checked
OWASP WSTG testing multi-factor authentication
Documents testing MFA bypass, access-control enforcement, brute-force protection, recovery-code strength and single-use behavior, notification when recovery codes are used, and management of MFA settings.
Pattern Decisions This Source Supports
| Pattern | Supported decision | Required contract | Claim note |
|---|---|---|---|
| Two-factor authentication | Choose two-factor authentication when the user must satisfy an additional factor after a primary credential, SSO return, passkey flow, risk signal, new device, or sensitive action. | The challenge appears only when the server requires additional verification and the protected action remains blocked until success. | OWASP WSTG supports MFA bypass testing, brute-force protection, recovery-code strength, single-use behavior, notifications, and MFA settings management. |
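The required contract above, as an added example that is not part of the OWASP WSTG or of this pattern library: a server-side state machine in which the second-factor challenge exists only when the server has required it, every protected action stays blocked until that factor succeeds, recovery codes are hashed and single-use with a notification on use, failed attempts lock the challenge, and changing MFA settings goes through the same gate. Names (`Session`, `UserRecord`, `hash_code`), the attempt limit, and the assumption that a TOTP library supplies `valid_totp` are all constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5  # constructed policy value; lock the challenge after this many failures

@dataclass
class Session:
    user: str
    mfa_required: bool        # decided server-side: new device, risk signal, sensitive action
    mfa_verified: bool = False
    failed_attempts: int = 0
    locked: bool = False
@dataclass
class UserRecord:
    recovery_codes: set = field(default_factory=set)   # hashed; each entry is usable once
    notifications: list = field(default_factory=list)  # out-of-band notices to the user
def hash_code(code: str) -> str:  # hypothetical helper: recovery codes stored hashed, never in clear
    return hashlib.sha256(code.encode()).hexdigest()

def login(user: str, require_mfa: bool) -> Session:
    """Primary credential accepted; the server decides whether a second factor is due."""
    return Session(user=user, mfa_required=require_mfa)
def submit_second_factor(session: Session, record: UserRecord, submitted: str, valid_totp: str) -> bool:
    """Server-side check. valid_totp is the code a TOTP library computed for this moment (assumed)."""
    if session.locked or not session.mfa_required:
        return False  # no open challenge, or challenge locked by brute-force protection
    if hmac.compare_digest(submitted, valid_totp):
        session.mfa_verified = True
        return True
    digest = hash_code(submitted)
    if digest in record.recovery_codes:
        record.recovery_codes.discard(digest)  # single use: a replayed code will not match again
        record.notifications.append(f"recovery code used for {session.user}")
        session.mfa_verified = True
        return True
    session.failed_attempts += 1
    if session.failed_attempts >= MAX_ATTEMPTS:
        session.locked = True
    return False

def authorize(session: Session) -> bool:
    """Gate every protected action on this: blocked until the required factor has succeeded."""
    return (not session.mfa_required) or session.mfa_verified

def replace_recovery_codes(session: Session, record: UserRecord, new_codes: list) -> bool:
    """Managing MFA settings is itself a sensitive action and goes through the same gate."""
    if not authorize(session):
        return False
    record.recovery_codes = {hash_code(c) for c in new_codes}
    return True
```

A bypass test in the WSTG sense is then a request to a protected action, or to `replace_recovery_codes`, made while `authorize(session)` is false; the gate, not the presence of the challenge page, is what must hold.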
Evidence Role
This source is treated as spec evidence. Use it to validate the decision rules above, not as a visual style reference.
Publisher: OWASP Web Security Testing Guide. Last checked: .