CWE-308: Use of Single-factor Authentication

Description

The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.

Extended Description

While the use of multiple authentication schemes is simply piling on more complexity on top of authentication, it is inestimably valuable to have such measures of redundancy. The use of weak, reused, and common passwords is rampant on the internet. Without the added protection of multiple authentication schemes, a single mistake can result in the compromise of an account. For this reason, if multiple schemes are possible and also easy to use, they should be implemented and required.

ThreatScore

Threat Mapped score: 0.0

Industry: Finiancial

Threat priority: Unclassified

Observed Examples (CVEs)

CVE: CVE-2022-35248

Chat application skips validation when Central Authentication Service (CAS) is enabled, effectively removing the second factor from two-factor authentication

Related Attack Patterns (CAPEC)

Attack TTPs

T1110.001 — Password Guessing (credential-access)
T1133 — External Remote Services (persistence, initial-access)
T1110.002 — Password Cracking (credential-access)
T1558 — Steal or Forge Kerberos Tickets (credential-access)
T1021.002 — SMB/Windows Admin Shares (lateral-movement)
T1021 — Remote Services (lateral-movement)
T1078.001 — Default Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1110.003 — Password Spraying (credential-access)
T1550.003 — Pass the Ticket (defense-evasion, lateral-movement)
T1078 — Valid Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1110.004 — Credential Stuffing (credential-access)
T1114.002 — Remote Email Collection (collection)
T1550.002 — Pass the Hash (defense-evasion, lateral-movement)
T1558.003 — Kerberoasting (credential-access)

Malware

APTs (Intrusion Sets)

Modes of Introduction

Phase	Note
Architecture and Design	COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic.

Common Consequences

Impact: Bypass Protection Mechanism — Notes: If the secret in a single-factor authentication scheme gets compromised, full authentication is possible.

Potential Mitigations

Architecture and Design: Use multiple independent authentication schemes, which ensures that -- if one of the methods is compromised -- the system itself is still likely safe from compromise. (N/A)

Applicable Platforms

None (Not Language-Specific, Undetermined)

Demonstrative Examples

Intro: In both of these examples, a user is logged in if their given password matches a stored password:

Body: This code relies exclusively on a password mechanism (CWE-309) using only one factor of authentication (CWE-308). If an attacker can steal or guess a user's password, they are given full access to their account. Note this code also uses SHA-1, which is a weak hash (CWE-328). It also does not use a salt (CWE-759).

unsigned char *check_passwd(char *plaintext) { ctext = simple_digest("sha1",plaintext,strlen(plaintext), ... ); //Login if hash matches stored hash if (equal(ctext, secret_password())) { login_user(); } }

Notes

No notes available.

← Back to CWE list