Byte Open Security (ByteOS Network)
CWE-308: Use of Single-factor Authentication
Weakness ID: 308
Version: v4.17
Weakness Name: Use of Single-factor Authentication
Vulnerability Mapping: Allowed
Abstraction: Base
Structure: Simple
Status: Draft
Likelihood of Exploit: High
▼Description

The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.

▼Extended Description

While the use of multiple authentication schemes is simply piling on more complexity on top of authentication, it is inestimably valuable to have such measures of redundancy. The use of weak, reused, and common passwords is rampant on the internet. Without the added protection of multiple authentication schemes, a single mistake can result in the compromise of an account. For this reason, if multiple schemes are possible and also easy to use, they should be implemented and required.

▼Relationships
Relevant to the view "Research Concepts - (1000)"
Nature   | Mapping             | Type  | ID   | Name
ChildOf  | Allowed-with-Review | Class | 1390 | Weak Authentication
ChildOf  | Allowed             | Base  | 654  | Reliance on a Single Factor in a Security Decision
ParentOf | Allowed             | Base  | 309  | Use of Password System for Primary Authentication
▼Memberships
Nature   | Mapping    | Type     | ID   | Name
MemberOf | Prohibited | View     | 884  | CWE Cross-section
MemberOf | Prohibited | Category | 947  | SFP Secondary Cluster: Authentication Bypass
MemberOf | Prohibited | Category | 1010 | Authenticate Actors
MemberOf | Prohibited | Category | 1028 | OWASP Top Ten 2017 Category A2 - Broken Authentication
MemberOf | Prohibited | Category | 1211 | Authentication Errors
MemberOf | Prohibited | Category | 1368 | ICS Dependencies (& Architecture): External Digital Systems
MemberOf | Prohibited | Category | 1396 | Comprehensive Categorization: Access Control
▼Tags
Nature   | Mapping    | Type     | ID       | Name
MemberOf | Prohibited | BOSSView | BOSS-274 | High likelihood of exploit
MemberOf | Prohibited | BOSSView | BOSS-294 | Not Language-Specific Weaknesses
MemberOf | Prohibited | BOSSView | BOSS-316 | Bypass Protection Mechanism (impact)
▼Relevant To View
Relevant to the view "Architectural Concepts - (1008)"
Nature   | Mapping    | Type     | ID   | Name
MemberOf | Prohibited | Category | 1010 | Authenticate Actors

Relevant to the view "Software Development - (699)"
Nature   | Mapping    | Type     | ID   | Name
MemberOf | Prohibited | Category | 1211 | Authentication Errors

Relevant to the view "SEI ETF Categories of Security Vulnerabilities in ICS - (1358)"
Nature   | Mapping    | Type     | ID   | Name
MemberOf | Prohibited | Category | 1368 | ICS Dependencies (& Architecture): External Digital Systems

Relevant to the view "Software Fault Pattern (SFP) Clusters - (888)"
Nature   | Mapping    | Type     | ID   | Name
MemberOf | Prohibited | Category | 947  | SFP Secondary Cluster: Authentication Bypass
▼Common Consequences
Scope          | Likelihood | Impact                      | Note
Access Control | N/A        | Bypass Protection Mechanism | If the secret in a single-factor authentication scheme gets compromised, full authentication is possible.

▼Potential Mitigations
Phase: Architecture and Design
Description:

Use multiple independent authentication schemes, which ensures that -- if one of the methods is compromised -- the system itself is still likely safe from compromise.

▼Modes Of Introduction
Phase: Architecture and Design
Note:

COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic.

▼Applicable Platforms
Languages
Class: Not Language-Specific (Undetermined Prevalence)
▼Demonstrative Examples
Example 1

In both of these examples, a user is logged in if their given password matches a stored password:

Language: C (Bad code)

    unsigned char *check_passwd(char *plaintext) {
        /* Unsalted SHA-1 of the supplied password; the trailing arguments are elided in the original */
        unsigned char *ctext = simple_digest("sha1", plaintext, strlen(plaintext), ... );
        // Login if hash matches stored hash
        if (equal(ctext, secret_password())) {
            login_user();
        }
    }

Language: Java (Bad code)

    String plainText = new String(plainTextIn);
    // Unsalted SHA-1 of the supplied password
    MessageDigest encer = MessageDigest.getInstance("SHA");
    encer.update(plainTextIn);
    byte[] digest = encer.digest();
    // Login if hash matches stored hash
    if (equal(digest, secret_password())) {
        login_user();
    }
This code relies exclusively on a password mechanism (CWE-309) using only one factor of authentication (CWE-308). If an attacker can steal or guess a user's password, they are given full access to their account. Note this code also uses SHA-1, which is a weak hash (CWE-328). It also does not use a salt (CWE-759).
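The password-only check criticised above and the mitigation the entry recommends (multiple independent authentication schemes), side by side as an added Python example; this is not code from the CWE entry. The in-memory user record, the PBKDF2 parameters and the choice of an RFC 6238 TOTP code as the second factor are assumptions made for illustration, and the salted, stretched hash stands in for the unsalted SHA-1 of the demonstrative example (CWE-328, CWE-759).

```python
"""Password-only login beside a password + TOTP login.

Added example, not code from the CWE entry. Everything here is hypothetical:
the in-memory user record, the PBKDF2 parameters, and the use of an RFC 6238
TOTP code as the second factor.
"""
import hashlib
import hmac
import os
import time
from typing import Optional

PBKDF2_ROUNDS = 200_000   # constructed parameter for this demo
TOTP_STEP = 30            # seconds per TOTP time step (RFC 6238 default)


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: salted, stretched password hash plus a separate
    TOTP secret. Salt and PBKDF2 replace the bare unsalted SHA-1 of the
    demonstrative example (CWE-328 / CWE-759)."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret,
        "last_totp_counter": -1,  # highest time-step counter already consumed (replay guard)
    }


def password_matches(user: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, user["pw_hash"])  # constant-time compare


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)


def login_single_factor(user: dict, password: str) -> bool:
    """CWE-308 / CWE-309 shape: the password alone grants access, so a stolen or
    guessed password is a full compromise."""
    return password_matches(user, password)


def login_two_factor(user: dict, password: str, code: str, now: Optional[int] = None) -> bool:
    """Mitigation shape: the password AND a fresh TOTP code bound to a separate
    secret are both required. Compromise of one factor is not enough."""
    now = int(time.time()) if now is None else now
    counter = now // TOTP_STEP
    pw_ok = password_matches(user, password)

    # Accept the current step plus one step of clock skew on either side, but never
    # a counter that has already been consumed, so an intercepted code cannot be replayed.
    matched = None
    for c in (counter - 1, counter, counter + 1):
        expected = hotp(user["totp_secret"], c).encode()
        if c > user["last_totp_counter"] and hmac.compare_digest(expected, code.strip().encode()):
            matched = c
    # Both factors are always evaluated before the decision so that timing or error
    # messages do not reveal which factor failed.
    if pw_ok and matched is not None:
        user["last_totp_counter"] = matched
        return True
    return False


if __name__ == "__main__":
    # Constructed demo values; the secret is the RFC 6238 test key.
    user = make_user("correct horse battery staple", b"12345678901234567890")
    print("single factor, password only:", login_single_factor(user, "correct horse battery staple"))
    code = totp(user["totp_secret"], 59)
    print("two factor, password + code:", login_two_factor(user, "correct horse battery staple", code, now=59))
```

The point of `login_two_factor` is that the two secrets are independent: the password hash and the TOTP secret are stored separately, a stolen password alone never satisfies the check, and a code that has already been accepted is refused on replay. A one-step skew window is deliberate; widening it trades clock tolerance for a larger set of codes an attacker could reuse.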

▼Observed Examples
Reference: CVE-2022-35248
Description: Chat application skips validation when Central Authentication Service (CAS) is enabled, effectively removing the second factor from two-factor authentication
▼Vulnerability Mapping Notes
Usage: Allowed
Reason: Acceptable-Use
Rationale:

This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
▼Taxonomy Mappings
Taxonomy Name | Entry ID | Fit | Entry Name
CLASP         | N/A      | N/A | Using single-factor authentication
▼Related Attack Patterns
ID        | Name
CAPEC-16  | Dictionary-based Password Attack
CAPEC-49  | Password Brute Forcing
CAPEC-509 | Kerberoasting
CAPEC-55  | Rainbow Table Password Cracking
CAPEC-555 | Remote Services with Stolen Credentials
CAPEC-560 | Use of Known Domain Credentials
CAPEC-561 | Windows Admin Shares with Stolen Credentials
CAPEC-565 | Password Spraying
CAPEC-600 | Credential Stuffing
CAPEC-644 | Use of Captured Hashes (Pass The Hash)
CAPEC-645 | Use of Captured Tickets (Pass The Ticket)
CAPEC-652 | Use of Known Kerberos Credentials
CAPEC-653 | Use of Known Operating System Credentials
CAPEC-70  | Try Common or Default Usernames and Passwords
▼References
Reference ID: REF-18
Title: The CLASP Application Security Process
Author: Secure Software, Inc.
Year: 2005
URL: https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf
URL Date: 2024-11-17