Use of Single-factor Authentication
The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.
While the use of multiple authentication schemes is simply piling on more complexity on top of authentication, it is inestimably valuable to have such measures of redundancy. The use of weak, reused, and common passwords is rampant on the internet. Without the added protection of multiple authentication schemes, a single mistake can result in the compromise of an account. For this reason, if multiple schemes are possible and also easy to use, they should be implemented and required.
Impact: Bypass Protection Mechanism
If the secret in a single-factor authentication scheme gets compromised, full authentication is possible.
ID : DX-101
In both of these examples, a user is logged in if their given password matches a stored password:Code Example:
c//Login if hash matches stored hash* if (equal(ctext, secret_password())) { ``` login_user(); } }
Code Example:
java//Login if hash matches stored hash* if (equal(digest,secret_password())) { ``` login_user(); }
High
- 16Configuration
- 49Path Equivalence: 'filename/' (Trailing Slash)
- 55Path Equivalence: '/./' (Single Dot Directory)
- 70DEPRECATED: Mac Virtual File Problems
- 509Replicating Malicious Code (Virus or Worm)
- 555J2EE Misconfiguration: Plaintext Password in Configuration File
- 560Use of umask() with chmod-style Argument
- 561Dead Code
- 565Reliance on Cookies without Validation and Integrity Checking
- 600Uncaught Exception in Servlet
- 644Improper Neutralization of HTTP Headers for Scripting Syntax
- 645Overly Restrictive Account Lockout Mechanism
- 652Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
- 653Improper Isolation or Compartmentalization
- CLASP