CWE-308 (Use of Single-factor Authentication) is a common software weakness type identified by the CWE (Common Weakness Enumeration) dictionary. It helps developers understand security flaws and how to mitigate them.

What is the difference between CVE and CWE?

CWE refers to the type of software weakness (the root cause), while CVE refers to a specific instance of a vulnerability in a particular product or system.

CWE-308

Use of Single-factor Authentication

High Risk

Weakness Description

The product uses an authentication algorithm that uses a single factor (e.g., a password) in a security context that should require more than one factor.

Potential Mitigations

Architecture and Design

Use multiple independent authentication schemes, which ensures that -- if one of the methods is compromised -- the system itself is still likely safe from compromise. For this reason, if multiple schemes are possible, they should be implemented and required -- especially if they are easy to use.

Common Consequences

Access Control

Bypass Protection Mechanism

If the secret in a single-factor authentication scheme gets compromised, full authentication is possible.

Related Weaknesses

CWE-1390 CWE-654 CWE-309

Related Resources

Browse CWE Database

Explore 493 software weaknesses

CVE Database

Search 294,000+ vulnerabilities

Security Writeups

Learn from real-world examples

About 4nuxd

Cybersecurity research & tools

Contact Us

Get in touch for collaboration

Homepage

Explore more security resources