{"@ID": "308", "@Name": "Use of Single-factor Authentication", "@Abstraction": "Base", "@Structure": "Simple", "@Status": "Draft", "@Diagram": "/data/images/CWE-308-Diagram.png", "Description": "The product uses an authentication algorithm that uses a single factor (e.g., a password) in a security context that should require more than one factor.", "Related_Weaknesses": {"Related_Weakness": [{"@Nature": "ChildOf", "@CWE_ID": "1390", "@View_ID": "1000", "@Ordinal": "Primary"}, {"@Nature": "ChildOf", "@CWE_ID": "654", "@View_ID": "1000"}, {"@Nature": "PeerOf", "@CWE_ID": "309", "@View_ID": "1000"}]}, "Weakness_Ordinalities": {"Weakness_Ordinality": {"Ordinality": "Primary"}}, "Applicable_Platforms": {"Language": {"@Class": "Not Language-Specific", "@Prevalence": "Undetermined"}}, "Modes_Of_Introduction": {"Introduction": {"Phase": "Architecture and Design", "Note": "COMMISSION: This weakness refers to an incorrect design related to an architectural security tactic."}}, "Likelihood_Of_Exploit": "High", "Common_Consequences": {"Consequence": {"Scope": "Access Control", "Impact": "Bypass Protection Mechanism", "Note": "If the secret in a single-factor authentication scheme gets compromised, full authentication is possible."}}, "Potential_Mitigations": {"Mitigation": {"Phase": "Architecture and Design", "Description": "Use multiple independent authentication schemes, which ensures that -- if one of the methods is compromised -- the system itself is still likely safe from compromise. For this reason, if multiple schemes are possible, they should be implemented and required -- especially if they are easy to use."}}, "Demonstrative_Examples": {"Demonstrative_Example": {"@Demonstrative_Example_ID": "DX-101", "Intro_Text": "In both of these examples, a user is logged in if their given password matches a stored password:", "Example_Code": [{"@Nature": "Bad", "@Language": "C", "xhtml:div": {"xhtml:div": {"@style": "margin-left:1em;", "xhtml:br": [null, null], "xhtml:i": "//Login if hash matches stored hash", "xhtml:div": {"@style": "margin-left:1em;", "#text": "login_user();"}, "#text": "ctext = simple_digest(\"sha1\",plaintext,strlen(plaintext), ... );\n                        \n                        if (equal(ctext, secret_password())) {}"}, "#text": "unsigned char *check_passwd(char *plaintext) {}"}}, {"@Nature": "Bad", "@Language": "Java", "xhtml:div": {"xhtml:br": [null, null, null, null, null], "xhtml:i": "//Login if hash matches stored hash", "xhtml:div": {"@style": "margin-left:1em;", "#text": "login_user();"}, "#text": "String plainText = new String(plainTextIn);MessageDigest encer = MessageDigest.getInstance(\"SHA\");encer.update(plainTextIn);byte[] digest = password.digest();\n                     \n                     if (equal(digest,secret_password())) {}"}}], "Body_Text": "This code relies exclusively on a password mechanism (CWE-309) using only one factor of authentication (CWE-308). If an attacker can steal or guess a user's password, they are given full access to their account. Note this code also uses SHA-1, which is a weak hash (CWE-328).  It also does not use a salt (CWE-759)."}}, "Observed_Examples": {"Observed_Example": {"Reference": "CVE-2022-35248", "Description": "Chat application skips validation when Central Authentication Service\n\t\t\t (CAS) is enabled, effectively removing the second factor from\n\t\t\t two-factor authentication", "Link": "https://www.cve.org/CVERecord?id=CVE-2022-35248"}}, "Taxonomy_Mappings": {"Taxonomy_Mapping": {"@Taxonomy_Name": "CLASP", "Entry_Name": "Using single-factor authentication"}}, "Related_Attack_Patterns": {"Related_Attack_Pattern": [{"@CAPEC_ID": "16"}, {"@CAPEC_ID": "49"}, {"@CAPEC_ID": "509"}, {"@CAPEC_ID": "55"}, {"@CAPEC_ID": "555"}, {"@CAPEC_ID": "560"}, {"@CAPEC_ID": "561"}, {"@CAPEC_ID": "565"}, {"@CAPEC_ID": "600"}, {"@CAPEC_ID": "644"}, {"@CAPEC_ID": "645"}, {"@CAPEC_ID": "652"}, {"@CAPEC_ID": "653"}, {"@CAPEC_ID": "70"}]}, "References": {"Reference": {"@External_Reference_ID": "REF-18"}}, "Mapping_Notes": {"Usage": "Allowed", "Rationale": "This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.", "Comments": "Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.", "Reasons": {"Reason": {"@Type": "Acceptable-Use"}}}, "Notes": {"Note": {"@Type": "Other", "#text": "While the use of multiple authentication schemes is simply piling on more complexity on top of authentication, it is inestimably valuable to have such measures of redundancy. The use of weak, reused, and common passwords is rampant on the internet."}}, "Content_History": {"Submission": {"Submission_Name": "CLASP", "Submission_Date": "2006-07-19", "Submission_Version": "Draft 3", "Submission_ReleaseDate": "2006-07-19"}, "Modification": [{"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2008-09-08", "Modification_Version": "1.0", "Modification_ReleaseDate": "2008-09-09", "Modification_Comment": "updated Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2010-02-16", "Modification_Version": "1.8", "Modification_ReleaseDate": "2010-02-16", "Modification_Comment": "updated Description, Other_Notes"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2011-06-01", "Modification_Version": "1.13", "Modification_ReleaseDate": "2011-06-01", "Modification_Comment": "updated Common_Consequences"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-05-11", "Modification_Version": "2.2", "Modification_ReleaseDate": "2012-05-15", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2012-10-30", "Modification_Version": "2.3", "Modification_ReleaseDate": "2012-10-30", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2014-07-30", "Modification_Version": "2.8", "Modification_ReleaseDate": "2014-07-31", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2017-11-08", "Modification_Version": "3.0", "Modification_ReleaseDate": "2017-11-08", "Modification_Comment": "updated Applicable_Platforms, Modes_of_Introduction, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2018-03-27", "Modification_Version": "3.1", "Modification_ReleaseDate": "2018-03-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-02-24", "Modification_Version": "4.0", "Modification_ReleaseDate": "2020-02-24", "Modification_Comment": "updated References, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2020-08-20", "Modification_Version": "4.2", "Modification_ReleaseDate": "2020-08-20", "Modification_Comment": "updated Related_Attack_Patterns"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2021-03-15", "Modification_Version": "4.4", "Modification_ReleaseDate": "2021-03-15", "Modification_Comment": "updated Demonstrative_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2022-10-13", "Modification_Version": "4.9", "Modification_ReleaseDate": "2022-10-13", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-04-27", "Modification_Version": "4.11", "Modification_ReleaseDate": "2023-04-27", "Modification_Comment": "updated Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-06-29", "Modification_Version": "4.12", "Modification_ReleaseDate": "2023-06-29", "Modification_Comment": "updated Mapping_Notes, Relationships"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2023-10-26", "Modification_Version": "4.13", "Modification_ReleaseDate": "2023-10-26", "Modification_Comment": "updated Observed_Examples"}, {"Modification_Name": "CWE Content Team", "Modification_Organization": "MITRE", "Modification_Date": "2025-12-11", "Modification_Version": "4.19", "Modification_ReleaseDate": "2025-12-11", "Modification_Comment": "updated Description, Diagram, Other_Notes, Potential_Mitigations, Relationships, Weakness_Ordinalities"}], "Previous_Entry_Name": {"@Date": "2008-04-11", "#text": "Using Single-factor Authentication"}}}
