Base · Medium

CWE-308: Use of Single-factor Authentication

CWE-308 · Base Level · 1 CVE · 1 Mitigation

Description

The product uses an authentication algorithm that uses a single factor (e.g., a password) in a security context that should require more than one factor.

Potential Impact

Access Control

Bypass Protection Mechanism

Demonstrative Examples

In both of these examples, a user is logged in if their given password matches a stored password:
Bad (C; the digest call's trailing arguments are elided in the original)

    unsigned char *check_passwd(char *plaintext) {
        // Unsalted SHA-1 of the supplied password
        unsigned char *ctext = simple_digest("sha1", plaintext, strlen(plaintext), ... );
        //Login if hash matches stored hash
        if (equal(ctext, secret_password())) {
            login_user();
        }
    }
Bad (Java; "SHA" resolves to SHA-1 in the JCA, and the original called digest() on the wrong object)

    import java.security.MessageDigest;

    String plainText = new String(plainTextIn);
    MessageDigest encer = MessageDigest.getInstance("SHA");
    encer.update(plainTextIn);
    byte[] digest = encer.digest();
    //Login if hash matches stored hash
    if (equal(digest, secret_password())) {
        login_user();
    }
This code relies exclusively on a password mechanism (CWE-309) using only one factor of authentication (CWE-308). If an attacker can steal or guess a user's password, they are given full access to their account. Note this code also uses SHA-1, which is a weak hash (CWE-328). It also does not use a salt (CWE-759).

Mitigations & Prevention

Architecture and Design

Use multiple independent authentication schemes, which ensures that -- if one of the methods is compromised -- the system itself is still likely safe from compromise. For this reason, if multiple schemes are possible, they should be implemented and required -- especially if they are easy to use.
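The following is an added example, not code from the CWE entry or from MITRE's demonstrative examples. It puts the page's single-factor check next to a two-factor check that applies the mitigation above: a salted PBKDF2 password verification (something the user knows) and an RFC 6238 TOTP code from an enrolled device (something the user has), each checked independently so that a stolen or guessed password alone does not log the user in. The user record, salt and device key are constructed demo values; the TOTP seed is the RFC 6238 test-vector key, and the per-user enrollment, rate limiting and replay tracking a real deployment needs are assumed to live elsewhere.

```python
"""Single-factor (CWE-308) vs. two-factor login check. Added example; demo data is constructed."""
import hashlib
import hmac
import struct

# --- Constructed demo record (not real credentials) ---
DEMO_PASSWORD = b"correct horse battery staple"
DEMO_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed; use os.urandom(16) per user
DEMO_TOTP_SECRET = b"12345678901234567890"  # RFC 6238 test-vector seed, reused as the demo device key
PBKDF2_ITERATIONS = 600_000
TOTP_STEP = 30

# Stored the way the page's Bad examples store it: a bare, unsalted SHA-1 of the password.
WEAK_STORED_DIGEST = hashlib.sha1(DEMO_PASSWORD).digest()


def weak_login(plaintext: bytes) -> bool:
    """Same shape as the page's examples: one factor, unsalted SHA-1 (CWE-308/309/328/759).
    Even with a constant-time compare, anyone holding the password is fully authenticated."""
    digest = hashlib.sha1(plaintext).digest()
    return hmac.compare_digest(digest, WEAK_STORED_DIGEST)


# --- Factor 1: something the user knows, stored as salted PBKDF2-HMAC-SHA256 ---
def hash_password(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)


STRONG_STORED_HASH = hash_password(DEMO_PASSWORD, DEMO_SALT)


# --- Factor 2: something the user has, an RFC 6238 TOTP device ---
def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to absorb clock drift.
    Every candidate is compared so timing does not reveal which step matched."""
    ok = False
    for k in range(-window, window + 1):
        candidate = totp(secret, unix_time + k * TOTP_STEP)
        ok |= hmac.compare_digest(candidate, code)
    return ok


def strong_login(password: bytes, otp_code: str, unix_time: int, window: int = 1) -> bool:
    """Two independent factors; both are always evaluated and both must pass.
    Not short-circuiting keeps the response time from revealing which factor failed."""
    password_ok = hmac.compare_digest(hash_password(password, DEMO_SALT), STRONG_STORED_HASH)
    otp_ok = verify_totp(DEMO_TOTP_SECRET, otp_code, unix_time, window)
    return password_ok and otp_ok


if __name__ == "__main__":
    now = 1_700_000_000
    stolen_password = DEMO_PASSWORD  # attacker obtained the password only
    print("single-factor login with stolen password:", weak_login(stolen_password))
    print("two-factor login with stolen password, no device:", strong_login(stolen_password, "000000", now, window=0))
    print("two-factor login with password and device code:", strong_login(DEMO_PASSWORD, totp(DEMO_TOTP_SECRET, now), now))
```

The `weak_login` path shows why the mitigation matters: a correct constant-time compare and even a stronger hash would still leave a single point of failure, whereas `strong_login` requires an attacker to hold both the password and the current device code. The drift window is a deliberate trade-off; widen it only as far as your users' clocks require, since every extra step is one more code that is accepted at any instant.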

Real-World CVE Examples

CVE ID           Description
CVE-2022-35248   Chat application skips validation when Central Authentication Service (CAS) is enabled, effectively removing the second factor from two-factor authentication

Taxonomy Mappings

  • CLASP: — Using single-factor authentication

Frequently Asked Questions

What is CWE-308?

CWE-308 (Use of Single-factor Authentication) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product uses an authentication algorithm that uses a single factor (e.g., a password) in a security context that should require more than one factor.

How can CWE-308 be exploited?

Attackers can exploit CWE-308 (Use of Single-factor Authentication) to bypass a protection mechanism: once the single factor (for example, a password) is stolen or guessed, nothing else stands between the attacker and the account. This weakness is typically introduced during the Architecture and Design phase of software development.

How do I prevent CWE-308?

Key mitigations include: Use multiple independent authentication schemes, which ensures that -- if one of the methods is compromised -- the system itself is still likely safe from compromise. For this reason, if multiple schemes are possible, they should be implemented and required -- especially if they are easy to use.

What is the severity of CWE-308?

CWE-308 is classified as a Base-level weakness (Medium abstraction). It has been observed in 1 real-world CVE.