This section has gradually had its requirements removed and there are now (after #2577) only 3 remaining:

| # | Description | Level | CWE | Comment |
|---|---|---|---|---|
| 2.8.6 | [MODIFIED, LEVEL L2 > L3] Verify that any authentication factor (including physical devices) can be revoked in case of theft or other loss. | 3 | 613 | This is no longer only about TOTP devices |
| 2.8.7 | [MODIFIED, LEVEL L2 > L3] Verify that biometric authentication mechanisms are only used as secondary factors together with either something you have or something you know. | 3 | 308 | This was never really about TOTP to begin with |
| 2.8.8 | [ADDED] Verify that time-based OTPs are checked based on a time source from a trusted service and not from an untrusted or client provided time. | 3 | 367 | This is the only one that is actually specific to TOTP |
I would propose moving all these requirements (including the section text) to section 2.6 General Multi-factor authentication requirements.
## Proposed result

The resulting sections would look like this:

### V2.6 General Multi-factor authentication requirements

This section provides general guidance that will be relevant to various different multi-factor authentication methods.

The mechanisms include:

- Lookup Secrets
- Time-based One-time Passwords (TOTPs)
- Out-of-Band mechanisms
Lookup secrets are pre-generated lists of secret codes, similar to Transaction Authorization Numbers (TAN), social media recovery codes, or a grid containing a set of random values. This type of authentication mechanism is considered "something you have" since the codes are random so you need to have stored them somewhere.
Time based One-time Passwords (TOTPs) are physical or soft tokens that display a continually changing pseudo-random one-time challenge. This type of authentication mechanism is considered "something you have". Multi-factor TOTPs are similar to single-factor TOTPs, but require a valid PIN code, biometric unlocking, USB insertion or NFC pairing or some additional value (such as transaction signing calculators) to be entered to create the final OTP.
More details on out-of-band mechanisms and time-based One-time Password (TOTP) mechanisms will be provided in subsequent sections. The requirements in these sections mostly relate to § 5.1.2, § 5.1.3, § 5.1.4.2, § 5.1.5.2, § 5.2.1, and § 5.2.3 of NIST's Guidance.
| # | Description | Level | CWE |
|---|---|---|---|
| 2.6.1 | [MODIFIED, MERGED FROM 2.8.4, SPLIT FROM 2.7.3, COVERS 2.2.6] Verify that lookup secrets, out-of-band authentication requests or codes, and time-based, one-time passwords (TOTPs) are only usable once. | 2 | 308 |
| 2.6.2 | [MODIFIED, SPLIT TO 2.6.4] Verify that, when being stored in the application's back-end, lookup secrets with less than 112 bits of entropy (19 random alphanumeric characters or 34 random digits) are hashed with an approved password storage hashing algorithm that incorporates a 32-bit random salt. A standard hash function can be used if the secret has 112 bits of entropy or more. | 2 | 330 |
| 2.6.3 | [MODIFIED, MERGED FROM 2.8.3, SPLIT FROM 2.7.6] Verify that lookup secrets, out-of-band authentication codes, and time-based, one-time password seeds are generated using a Cryptographically Secure Pseudorandom Number Generator (CSPRNG) to avoid predictable values. | 2 | 310 |
| 2.6.4 | [ADDED, SPLIT FROM 2.6.2, 2.7.6] Verify that lookup secrets and out-of-band authentication codes have a minimum of 20 bits of entropy (typically 4 random alphanumeric characters or 6 random digits is sufficient). | 2 | 330 |
| 2.6.5 | [MODIFIED, MOVED FROM 2.7.2, MERGED FROM 2.8.1] Verify that out-of-band authentication requests, codes, or tokens, as well as time-based, one-time passwords (TOTPs) have a defined lifetime. For out-of-band this should be 10 minutes and for TOTP this should be as short as possible, usually 30 seconds. | 1 | 287 |
| 2.6.6 | [MODIFIED, MOVED FROM 2.8.6, LEVEL L2 > L3] Verify that any authentication factor (including physical devices) can be revoked in case of theft or other loss. | 3 | 613 |
| 2.6.7 | [MODIFIED, MOVED FROM 2.8.7, LEVEL L2 > L3] Verify that biometric authentication mechanisms are only used as secondary factors together with either something you have or something you know. | 3 | 308 |
| 2.6.8 | [ADDED] Verify that time-based OTPs are checked based on a time source from a trusted service and not from an untrusted or client provided time. | 3 | 367 |
### V2.8 Time-based One-time Passwords

Time-based One-time Passwords (TOTPs) are physical or soft tokens that display a continually changing pseudo-random one-time challenge. This type of authentication mechanism is considered "something you have".

Multi-factor TOTPs are similar to single-factor TOTPs, but require a valid PIN code, biometric unlocking, USB insertion or NFC pairing or some additional value (such as transaction signing calculators) to be entered to create the final OTP.

| # | Description | Level | CWE |
|---|---|---|---|
| 2.8.1 | [DELETED, MERGED TO 2.6.5] | | |
| 2.8.2 | [DELETED, COVERED BY 14.8.1] | | |
| 2.8.3 | [DELETED, MERGED TO 2.6.3] | | |
| 2.8.4 | [DELETED, MERGED TO 2.6.1] | | |
| 2.8.5 | [DELETED, INSUFFICIENT IMPACT] | | |
| 2.8.6 | [DELETED, MOVED TO 2.6.6] | | |
| 2.8.7 | [DELETED, MOVED TO 2.6.7] | | |
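To make the three TOTP-related requirements in the proposed table concrete, here is an added Python example (not part of ASVS or of this issue) of a server-side verifier: each time step is usable once (2.6.1), a code lives for one 30-second step plus one step of tolerated drift (2.6.5), and the time comes from a clock the server injects, never from the request (2.6.8). The `TotpVerifier` name, the drift window and the demo secret (the RFC 6238 reference key) are my choices.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # 2.6.5: a TOTP lives for one time step, usually 30 seconds
DIGITS = 6
DRIFT_STEPS = 1     # tolerate one step of clock skew on either side (assumption)


def totp_at(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits) for a given Unix timestamp."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class TotpVerifier:
    """Hypothetical verifier: the clock is injected, so the server, not the client, supplies time."""

    def __init__(self, clock=time.time):
        self._clock = clock            # 2.6.8: trusted server-side time source
        self._last_step = {}           # 2.6.1: highest time step already consumed, per user

    def verify(self, user: str, secret: bytes, submitted: str) -> bool:
        # Deliberately no time parameter: a client cannot choose which time step is checked.
        current = int(self._clock()) // STEP_SECONDS
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            if step <= self._last_step.get(user, -1):
                continue               # this step, or an earlier one, was already used once
            if hmac.compare_digest(totp_at(secret, step * STEP_SECONDS), submitted):
                self._last_step[user] = step
                return True
        return False


# Constructed demo: RFC 6238 reference secret; its T=59 test vector is 94287082 (6 digits: 287082)
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = TotpVerifier(clock=lambda: 59)
    code = totp_at(RFC_SECRET, 59)
    print(code, v.verify("alice", RFC_SECRET, code))   # 287082 True
    print(v.verify("alice", RFC_SECRET, code))         # False: replay inside the window is rejected
```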