Use of Single-factor Authentication

Status: Draft
Abstraction: Base
Structure: Simple
Description

Relying solely on single-factor authentication, like a password, exposes systems to significant security risks because it depends on only one type of proof for verifying a user's identity.

Extended Description

Single-factor authentication creates a single point of failure. Since passwords are often weak, reused, or stolen, a single breach can lead directly to full account compromise. Implementing a second factor, such as a code from an app or a hardware token, adds a critical layer of defense that drastically reduces this risk. While adding authentication methods increases complexity, the security benefit is substantial. For any application handling sensitive data, requiring multi-factor authentication (MFA) is a best practice. It should be implemented wherever feasible, especially when the additional factors are user-friendly and do not overly hinder the login experience.

Common Consequences
Scope: Access Control
Impact: Bypass Protection Mechanism

If the secret in a single-factor authentication scheme gets compromised, full authentication is possible.

Potential Mitigations
Phase: Architecture and Design
Use multiple independent authentication schemes, which ensures that -- if one of the methods is compromised -- the system itself is still likely safe from compromise.
Demonstrative Examples

ID: DX-101

In both of these examples, a user is logged in if their given password matches a stored password:

Code Example (Bad, C):

```c
/* ctext holds the unsalted SHA-1 digest of the password the user submitted */
/*Login if hash matches stored hash*/
if (equal(ctext, secret_password())) {
    login_user();
}
```

Code Example (Bad, Java):

```java
// digest holds the unsalted SHA-1 digest of the password the user submitted
/*Login if hash matches stored hash*/
if (equal(digest, secret_password())) {
    login_user();
}
```

This code relies exclusively on a password mechanism (Use of Password System for Primary Authentication) using only one factor of authentication (Use of Single-factor Authentication). If an attacker can steal or guess a user's password, they are given full access to their account. Note this code also uses SHA-1, which is a weak hash (Use of Weak Hash). It also does not use a salt (Use of a One-Way Hash without a Salt).
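The password-only check shown above, placed beside the two-factor mitigation the entry recommends, as an added Python example that is not part of this CWE entry or the CLASP reference. The account values (salt, the password "correct horse", the TOTP seed) are constructed for the example; the second factor is a time-based one-time code following RFC 6238, and the password verifier uses salted PBKDF2-HMAC-SHA256 in place of the unsalted SHA-1 comparison in the original code.

```python
"""Single-factor vs. two-factor login check (added example, not from the CWE entry).

login_single_factor mirrors the entry's pattern: the password alone unlocks the
account. login_two_factor additionally requires an independent second factor, a
TOTP code (RFC 6238) from the user's authenticator app, so a stolen or guessed
password is no longer sufficient on its own.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

# --- Constructed sample account (all values invented for this example) ---------
SALT = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")   # per-user random salt
PBKDF2_ITERATIONS = 600_000
# Stored verifier: salted PBKDF2-HMAC-SHA256 of the constructed password
# "correct horse". This replaces the unsalted SHA-1 comparison in the entry.
STORED_PASSWORD_HASH = hashlib.pbkdf2_hmac(
    "sha256", b"correct horse", SALT, PBKDF2_ITERATIONS
)
# TOTP seed shared with the user's authenticator app (constructed, 20 bytes).
TOTP_SECRET = b"\x01\x02\x03\x04\x05" * 4
TOTP_STEP = 30
TOTP_DIGITS = 6


def password_ok(password: str) -> bool:
    """Factor 1, something the user knows: constant-time verifier comparison."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), SALT, PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, STORED_PASSWORD_HASH)


def totp(secret: bytes, for_time: int, step: int = TOTP_STEP,
         digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time-step counter with HMAC-SHA1."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp_ok(code: str, now: Optional[int] = None, window: int = 1) -> bool:
    """Factor 2, something the user has: accept +/- one step for clock drift."""
    now = int(time.time()) if now is None else now
    matched = False
    for drift in range(-window, window + 1):
        expected = totp(TOTP_SECRET, now + drift * TOTP_STEP)
        # Compare every slot so the timing does not reveal which one matched.
        matched |= hmac.compare_digest(expected, code)
    return matched


def login_single_factor(password: str) -> bool:
    """BAD (the entry's pattern): the password is the only proof of identity."""
    return password_ok(password)


def login_two_factor(password: str, code: str, now: Optional[int] = None) -> bool:
    """GOOD: two independent factors, both always evaluated, both required."""
    first = password_ok(password)
    second = totp_ok(code, now)          # evaluated even if the password failed
    return first and second


if __name__ == "__main__":
    t = int(time.time())
    leaked = "correct horse"             # a password an attacker has obtained
    print("single-factor, leaked password only :", login_single_factor(leaked))
    print("two-factor, leaked password, no code:", login_two_factor(leaked, "000000", t))
    print("two-factor, password + app code     :",
          login_two_factor(leaked, totp(TOTP_SECRET, t), t))
```

A production deployment would also record the last accepted TOTP counter per user to reject a replayed code, and rate-limit failed attempts on both factors; those pieces are left out here to keep the two checks side by side.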
Observed Examples
CVE-2022-35248: Chat application skips validation when Central Authentication Service (CAS) is enabled, effectively removing the second factor from two-factor authentication.
References
[REF-18] Secure Software, Inc. "The CLASP Application Security Process". 2005.