CWE-308: Use of Single-factor Authentication

BaseDraftExploit Likelihood: High

The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.

View on MITRE
Back to CWE Lookup

Extended Description

While the use of multiple authentication schemes is simply piling on more complexity on top of authentication, it is inestimably valuable to have such measures of redundancy. The use of weak, reused, and common passwords is rampant on the internet. Without the added protection of multiple authentication schemes, a single mistake can result in the compromise of an account. For this reason, if multiple schemes are possible and also easy to use, they should be implemented and required.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-308: Use of Single-factor Authentication?+

CWE-308: Use of Single-factor Authentication is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme. While the use of multiple authentication schemes is simply piling on more complexity on top of authentication, it is inestimably valuable to have such measures of redundancy. The use of weak, reused, and common passwords is rampant on the internet. Without the added protection of multiple authentication schemes, a single mistake can result in the compromise of an account. For this reason, if multiple schemes are possible and also easy to use, they should be implemented and required.

What are the security consequences of Use of Single-factor Authentication?+

If exploited, CWE-308 (Use of Single-factor Authentication) it can compromise Access Control, leading to outcomes such as Bypass Protection Mechanism.

How do you prevent or mitigate Use of Single-factor Authentication?+

Recommended mitigations for CWE-308 include: Use multiple independent authentication schemes, which ensures that -- if one of the methods is compromised -- the system itself is still likely safe from compromise.

Which programming languages are affected by Use of Single-factor Authentication?+

CWE-308 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Use of Single-factor Authentication?+

MITRE documents real CVEs mapped to CWE-308, including CVE-2022-35248. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-308 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More

CWE-308: Use of Single-factor Authentication | CWE Lookup | InventiveHQ