CWE-308: Use of Single-factor Authentication
Learn about CWE-308 (Use of Single-factor Authentication), its security impact, exploitation methods, and prevention guidelines.
What is Use of Single-factor Authentication?
• Overview: Use of Single-factor Authentication (CWE-308) is a security vulnerability where authentication relies on only one factor, often a password, which increases the risk of unauthorized access if that factor is compromised.
• Exploitation Methods:
- Attackers can exploit this vulnerability by stealing, guessing, or cracking passwords.
- Common attack patterns include phishing, brute force attacks, and password spraying.
• Security Impact:
- Direct consequences include unauthorized access to user accounts and sensitive data.
- Potential cascading effects involve access to additional systems or data through lateral movement.
- Business impact can include data breaches, financial loss, reputational damage, and legal penalties.
• Prevention Guidelines:
- Implement multi-factor authentication (MFA) to require an additional verification method.
- Use strong, unique passwords and encourage users to do the same by enforcing password policies.
- Employ security frameworks and tools that support MFA, such as OAuth 2.0, OpenID Connect, or SAML.
- Regularly review and update authentication mechanisms to incorporate the latest security practices.
Corgea can automatically detect and fix Use of Single-factor Authentication in your codebase. Try Corgea free today.
Technical Details
Likelihood of Exploit:
Affected Languages: Not Language-Specific
Affected Technologies: Not specified
Vulnerable Code Example
from flask import Flask, request

app = Flask(__name__)

# In-memory user data for demonstration purposes (plaintext passwords, demo only)
users = {
    "alice": "password123",
    "bob": "mysecurepassword"
}

@app.route('/login', methods=['POST'])
def login():
    # Single-factor authentication: only a password is checked,
    # so anyone holding the password is accepted as the user.
    username = request.form['username']
    password = request.form['password']
    if username in users and users[username] == password:
        return "Login successful!", 200
    return "Invalid credentials", 401

if __name__ == '__main__':
    app.run()
Explanation:
- The above code implements a simple user authentication mechanism using only a username and password.
- It uses single-factor authentication, which is vulnerable to attacks such as brute force, credential stuffing, or phishing because it relies solely on something the user knows (the password).
How to fix Use of Single-factor Authentication?
To enhance security, implement multi-factor authentication (MFA), which requires users to provide two or more verification factors to gain access. This approach significantly reduces the risk of account compromise by adding an additional layer of security. The common factors include:
- Something you know: Password or PIN.
- Something you have: A physical device such as a smartphone or hardware token.
- Something you are: Biometrics like fingerprints or facial recognition.
Steps to Implement MFA:
- Generate a Time-based One-Time Password (TOTP): Use libraries like pyotp to generate and validate one-time passwords.
- Send TOTP to User's Device: Ensure the user receives the TOTP securely via SMS, email, or an authenticator app.
- Validate TOTP: Check the TOTP provided by the user in addition to their password.
Fixed Code Example
from flask import Flask, request
import hmac
import pyotp  # TOTP generation and validation (pip install pyotp)

app = Flask(__name__)

# In-memory user data with TOTP secrets, for demonstration only.
# Each user needs a distinct base32 secret; generate it per user at enrollment
# (pyotp.random_base32()), provision it to the user's authenticator, and store it
# protected at rest. Alice's value is a fixed demo secret, Bob's is generated at start-up.
users = {
    "alice": {"password": "password123", "totp_secret": "JBSWY3DPEHPK3PXP"},
    "bob": {"password": "mysecurepassword", "totp_secret": pyotp.random_base32()}
}

@app.route('/login', methods=['POST'])
def login():
    username = request.form.get('username', '')
    password = request.form.get('password', '')
    token = request.form.get('totp', '')  # one-time code from the user's device

    # Factor 1 (something you know): check the password in constant time.
    # Demonstration only: real code stores a salted hash, never the plaintext.
    user = users.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return "Invalid credentials", 401

    # Factor 2 (something you have): validate the time-based one-time password
    # against the secret shared with the user's authenticator.
    totp = pyotp.TOTP(user["totp_secret"])
    if not totp.verify(token):
        # Note: a distinct message here reveals that the password was correct;
        # production code should return the same generic response for both failures.
        return "Invalid TOTP", 401
    return "Login successful with MFA!", 200

if __name__ == '__main__':
    app.run()
Explanation:
- The fixed code now includes multi-factor authentication by using TOTP.
- Each user has a unique totp_secret used to generate a time-based one-time password.
- The user must provide both the correct password and TOTP to successfully log in, enhancing security by requiring something the user knows (password) and something they have (TOTP).