Reliance on a Single Factor in a Security Decision

Status: Draft
Abstraction: Base
Structure: Simple
Description

A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality.

Common Consequences
Scope: Access Control

Impact: Gain Privileges or Assume Identity

If the single factor is compromised (e.g. by theft or spoofing), then the integrity of the entire security mechanism can be violated with respect to the user that is identified by that factor.

Scope: Non-Repudiation

Impact: Hide Activities

It can become difficult or impossible for the product to distinguish between legitimate activities by the entity who provided the factor and illegitimate activities by an attacker.

Potential Mitigations
Phase: Architecture and Design
Use multiple simultaneous checks before granting access to critical operations or granting critical privileges. A weaker but helpful mitigation is to use several successive checks (multiple layers of security).
Phase: Architecture and Design
Use redundant access rules on different choke points (e.g., firewalls).
Demonstrative Examples
Password-only authentication is perhaps the most well-known example of use of a single factor. Anybody who knows a user's password can impersonate that user.
When authenticating, use multiple factors, such as "something you know" (such as a password) and "something you have" (such as a hardware-based one-time password generator, or a biometric device).
Observed Examples
CVE-2022-35248: Chat application skips validation when Central Authentication Service (CAS) is enabled, effectively removing the second factor from two-factor authentication
References
[REF-196] Jerome H. Saltzer and Michael D. Schroeder. "The Protection of Information in Computer Systems". Proceedings of the IEEE 63. 09-1975.
[REF-535] Sean Barnum and Michael Gegick. "Separation of Privilege". 06-12-2005.
Applicable Platforms
Languages: Not Language-Specific (Prevalence: Undetermined)
Modes of Introduction
Architecture and Design
Implementation
Operation
Alternate Terms

Separation of Privilege

Some people and publications use the term "Separation of Privilege" to describe this weakness, but this term has dual meanings in current usage. While this entry is closely associated with the original definition of "Separation of Privilege" by Saltzer and Schroeder, others use the same term to describe poor compartmentalization (Improper Isolation or Compartmentalization). Because there are multiple interpretations, use of the "Separation of Privilege" term is discouraged.
Taxonomy Mapping
  • ISA/IEC 62443
Notes
Maintenance: This entry is closely associated with the term "Separation of Privilege." This term is used in several different ways in the industry, but they generally combine two closely related principles: compartmentalization (Improper Isolation or Compartmentalization) and using only one factor in a security decision (this entry). Proper compartmentalization implicitly introduces multiple factors into a security decision, but there can be cases in which multiple factors are required for authentication or other mechanisms that do not involve compartmentalization, such as performing all required checks on a submitted certificate. It is likely that Improper Isolation or Compartmentalization and Reliance on a Single Factor in a Security Decision will provoke further discussion.