Reliance on a Single Factor in a Security Decision| ID: 654 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Base |
Description
A protection mechanism relies exclusively, or to a large
extent, on the evaluation of a single condition or the integrity of a single
object or entity in order to make a decision about granting access to restricted
resources or functionality.
Applicable PlatformsLanguage Class: All
Time Of Introduction
- Architecture and Design
- Implementation
- Operation
Related Attack Patterns
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| Access_Control | Gain privileges / assume
identity | If the single factor is compromised (e.g. by theft or spoofing), then
the integrity of the entire security mechanism can be violated with
respect to the user that is identified by that factor. |
| Non-Repudiation | Hide activities | It can become difficult or impossible for the product to be able to
distinguish between legitimate activities by the entity who provided the
factor, versus illegitimate activities by an attacker. |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| Architecture and Design | | Use multiple simultaneous checks before granting access to critical
operations or granting critical privileges. A weaker but helpful
mitigation is to use several successive checks (multiple layers of
security). | | |
| | | Use redundant access rules on different choke points (e.g.,
firewalls). | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-654 ChildOf CWE-907 | Category | CWE-888 | |
Demonstrative Examples (Details)
- Password-only authentication is perhaps the most well-known example
of use of a single factor. Anybody who knows a user's password can
impersonate that user.
- When authenticating, use multiple factors, such as "something you
know" (such as a password) and "something you have" (such as a
hardware-based one-time password generator, or a biometric
device).
White Box Definitions None
Black Box Definitions None
Taxynomy MappingsNone
References:
- Jerome H. Saltzer Michael D. Schroeder .The Protection of Information in Computer
Systems. Proceedings of the IEEE 63. Published on September, 1975.
- Sean Barnum Michael Gegick .Separation of Privilege. Published on 2005-12-06.
