Weakness reference
CWE-308

Use of Single-Factor Authentication

01 Summary

Single-factor authentication relies on only one method—typically a password—to verify a user's identity. This approach is inherently weaker than multi-factor authentication (MFA) because a compromised password is the only barrier between an attacker and full account access. For accounts with elevated privileges or access to sensitive data, single-factor authentication significantly increases the risk of unauthorized access.

02 How It Happens

Single-factor authentication becomes a weakness when an application or service treats a password as sufficient proof of identity, with no additional verification step. Passwords are routinely compromised through phishing, credential stuffing with passwords leaked in other sites' breaches, weak or reused user choices, malware on the client, or interception over unencrypted channels. Once a password is stolen or guessed, an attacker gains immediate access without any secondary check (a code from an authenticator app, a hardware security key, or biometric verification) that would block entry even when the password is known.

This weakness is especially acute in systems that handle sensitive operations: administrative panels, financial transactions, healthcare records, or accounts that can modify other users' data. The absence of a second factor means the entire security posture depends on the strength and secrecy of a single credential.

03 Real-World Impact

Compromised passwords lead directly to account takeover. An attacker with a stolen password can log in as the legitimate user, access or modify sensitive data, perform unauthorized transactions, or escalate privileges. For administrative accounts, this can result in full system compromise. For end-user accounts, it may enable identity theft, fraud, or lateral movement to other services that share the same password. The impact scales with the sensitivity of the account and the data it controls.

04 Vulnerable & Fixed Patterns

Vulnerable pattern
import sqlite3

def authenticate_user(username, password):
    conn = sqlite3.connect('users.db')
    cursor = conn.cursor()
    cursor.execute(
        'SELECT * FROM users WHERE username = ? AND password = ?',
        (username, password)
    )
    user = cursor.fetchone()
    conn.close()
    
    if user:
        return True  # Login successful
    return False

Why it's vulnerable:
The function accepts only a username and password and grants access as soon as a matching row exists. There is no second factor, so a stolen or guessed password is sufficient for full account compromise. It also compares the submitted password against a stored plaintext column, so anyone who can read users.db obtains every credential directly.

Fixed pattern
import sqlite3
import bcrypt
import pyotp

def authenticate_user(username, password, totp_code):
    conn = sqlite3.connect('users.db')
    cursor = conn.cursor()
    cursor.execute(
        'SELECT password_hash, totp_secret FROM users WHERE username = ?',
        (username,)
    )
    user = cursor.fetchone()
    conn.close()

    if not user:
        return False

    password_hash, totp_secret = user
    if isinstance(password_hash, str):
        password_hash = password_hash.encode('utf-8')

    # First factor: compare against a bcrypt hash, never a stored plaintext.
    # bcrypt.checkpw takes bytes and runs in constant time.
    if not bcrypt.checkpw(password.encode('utf-8'), password_hash):
        return False

    # Second factor: TOTP code from the user's authenticator app.
    # valid_window=1 tolerates one 30-second step of clock drift either way.
    totp = pyotp.TOTP(totp_secret)
    if not totp.verify(totp_code, valid_window=1):
        return False

    return True  # Login successful only after both factors verified

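The fixed pattern above accepts any code that is valid within the drift window, so a code an attacker captured through phishing can be replayed for up to a minute. The following is an added example, not code from the original page, showing a stdlib-only RFC 6238 verifier with the two controls that pattern leaves out: a bounded drift window and one-time use of each code, plus scrypt password hashing in place of the plaintext comparison. The helper names, the in-memory store, and the constants are assumptions for illustration.

```python
# Added example (not from the page): RFC 4226/6238 HOTP/TOTP implemented with the
# standard library, a scrypt password check, and replay rejection. All names,
# the in-memory store and the constants below are hypothetical.
import hashlib
import hmac
import base64
import secrets
import struct
import time
from typing import Optional, Tuple

PERIOD = 30          # seconds per TOTP step (RFC 6238 default)
DIGITS = 6
DRIFT_STEPS = 1      # also accept the previous and next step (clock skew)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, period: int = PERIOD) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // period)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """scrypt with a random 16-byte salt; returns (salt, derived key)."""
    salt = salt or secrets.token_bytes(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, key


def enroll(store: dict, username: str, password: str) -> str:
    """Create an account with a hashed password and a fresh 160-bit TOTP secret.
    Returns the base32 secret to show once (e.g. as a QR code) to the authenticator app."""
    salt, key = hash_password(password)
    secret = secrets.token_bytes(20)
    store[username] = {"salt": salt, "hash": key, "totp_secret": secret,
                       "last_counter": -1}      # highest TOTP step already consumed
    return base64.b32encode(secret).decode()


def verify_login(store: dict, username: str, password: str, code: str,
                 now: Optional[int] = None) -> bool:
    """Both factors must pass. A code is accepted only if the step it belongs to is
    newer than the last step already used for this account, so it cannot be replayed."""
    now = int(time.time()) if now is None else now
    code = code.strip()
    if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
        return False

    user = store.get(username)
    if user is None:
        # Run the KDF anyway so an unknown username costs the same as a bad password.
        hash_password(password, b"\x00" * 16)
        return False

    _, candidate = hash_password(password, user["salt"])
    password_ok = hmac.compare_digest(candidate, user["hash"])

    # Second factor: check every step in the drift window in constant time and
    # remember which step matched so the same code cannot be used twice.
    current = now // PERIOD
    matched = None
    for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
        if hmac.compare_digest(hotp(user["totp_secret"], step), code):
            matched = step
    totp_ok = matched is not None and matched > user["last_counter"]

    if not (password_ok and totp_ok):
        return False
    user["last_counter"] = matched
    return True
```

The verifier always evaluates both factors before answering and returns the same failure for a wrong password, a wrong code and a replayed code, so the response does not tell an attacker which factor they already have. The `last_counter` field is the only state beyond the secret; in a real deployment it must be updated atomically with the login so two concurrent requests cannot both consume the same code.
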
Vulnerable pattern
<?php
session_start();
$username = $_POST['username'];
$password = $_POST['password'];

$conn = new mysqli('localhost', 'user', 'pass', 'app_db');
$result = $conn->query(
    "SELECT id FROM users WHERE username = '$username' AND password = '$password'"
);

if ($result->num_rows > 0) {
    $_SESSION['user_id'] = $result->fetch_assoc()['id'];
    echo "Login successful";
} else {
    echo "Invalid credentials";
}
?>

Why it's vulnerable:
The script checks only the username and password and logs the user in as soon as a row matches. There is no second authentication factor, so a stolen password grants full access. The query also interpolates the raw POST values into SQL and compares against a plaintext password column, so it is injectable and exposes credentials on a database read; the fixed version uses a prepared statement and a password hash.

Fixed pattern
<?php
require 'vendor/autoload.php';   // spomky-labs/otphp via Composer
session_start();

$username  = $_POST['username']  ?? '';
$password  = $_POST['password']  ?? '';
$totp_code = $_POST['totp_code'] ?? '';

$conn = new mysqli('localhost', 'user', 'pass', 'app_db');
$stmt = $conn->prepare('SELECT id, password_hash, totp_secret FROM users WHERE username = ?');
$stmt->bind_param('s', $username);
$stmt->execute();
$result = $stmt->get_result();

if ($result->num_rows > 0) {
    $user = $result->fetch_assoc();
    // First factor: password_verify() checks against a password_hash() value, never a plaintext column
    if (password_verify($password, $user['password_hash'])) {
        // Second factor: TOTP code from the user's authenticator app
        // (otphp 11+; older releases use \OTPHP\TOTP::create($secret))
        $totp = \OTPHP\TOTP::createFromSecret($user['totp_secret']);
        if ($totp->verify($totp_code)) {
            session_regenerate_id(true);   // new session id once fully authenticated
            $_SESSION['user_id'] = $user['id'];
            echo "Login successful";
        } else {
            // Same message for every failure so the response does not reveal which factor was wrong
            echo "Invalid credentials";
        }
    } else {
        echo "Invalid credentials";
    }
} else {
    echo "Invalid credentials";
}
?>

05 Prevention Checklist

Implement multi-factor authentication (MFA)
for all user accounts, and make it mandatory for administrative and privileged accounts. Prefer phishing-resistant factors (WebAuthn/FIDO2 security keys, passkeys) over TOTP, and TOTP over SMS: SMS codes can be diverted by SIM swapping, and both SMS and TOTP codes can be relayed through a real-time phishing proxy.
Enforce MFA for sensitive operations
even if general login uses only a password: require a fresh second-factor check (step-up) before password or MFA-device changes, permission modifications, payouts, or access to restricted data.
Use strong password policies
: enforce a minimum length, screen new passwords against breached-password lists, and avoid mandatory composition rules and periodic rotation, which push users toward predictable choices. Encourage password managers so users do not reuse one password across services.
Rate-limit, log and monitor authentication attempts
, including failed logins and failed MFA challenges, to slow credential stuffing and to alert on patterns such as many failures followed by a success.
Educate users
about phishing and credential compromise; provide clear guidance on enrolling in MFA, storing recovery codes, and protecting their authentication devices.
Consider passwordless authentication
(e.g., WebAuthn, passkeys) for new systems to remove the password, and with it password compromise, as a single point of failure.

06 Signs You May Already Be Affected

Review your authentication logs for unusual login patterns: logins from countries or networks the user has never used, a burst of failed attempts followed by a successful login, successful logins with no MFA challenge recorded, or logins at unusual times. Check for unexpected administrative accounts, permission changes, and MFA enrolment or recovery changes the user did not make. If your application does not prompt users for a second authentication factor during login or sensitive operations, you are relying on single-factor authentication and should prioritize MFA implementation.
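As an added example (not from the original page), the three checks above run over a constructed JSON-lines authentication log. The log format, field names, sample events and the per-user baseline of usual countries are all hypothetical; adapt the parser to whatever your identity provider emits.

```python
# Added example (not from the page): detection logic for the indicators above,
# run over constructed JSON-lines auth events. Field names, the sample log and the
# country baseline are hypothetical.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice is brute-forced from a new country and then logged in
# without an MFA challenge; bob logs in normally; carol logs in from a new country.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:00Z", "user": "alice", "ip": "203.0.113.5", "country": "RU", "result": "fail", "mfa": false}
{"ts": "2024-05-01T09:00:07Z", "user": "alice", "ip": "203.0.113.5", "country": "RU", "result": "fail", "mfa": false}
{"ts": "2024-05-01T09:00:15Z", "user": "alice", "ip": "203.0.113.5", "country": "RU", "result": "fail", "mfa": false}
{"ts": "2024-05-01T09:00:22Z", "user": "alice", "ip": "203.0.113.5", "country": "RU", "result": "fail", "mfa": false}
{"ts": "2024-05-01T09:00:30Z", "user": "alice", "ip": "203.0.113.5", "country": "RU", "result": "fail", "mfa": false}
{"ts": "2024-05-01T09:00:41Z", "user": "alice", "ip": "203.0.113.5", "country": "RU", "result": "success", "mfa": false}
{"ts": "2024-05-01T09:12:03Z", "user": "bob", "ip": "198.51.100.7", "country": "US", "result": "success", "mfa": true}
{"ts": "2024-05-01T09:30:00Z", "user": "carol", "ip": "192.0.2.44", "country": "BR", "result": "fail", "mfa": false}
{"ts": "2024-05-01T09:31:10Z", "user": "carol", "ip": "192.0.2.44", "country": "BR", "result": "success", "mfa": true}
"""

# Hypothetical baseline: countries each user has logged in from before.
USUAL_COUNTRIES = {"alice": {"US"}, "bob": {"US", "CA"}, "carol": {"DE"}}


def parse_events(text):
    """One JSON object per line; timestamps are parsed to datetime for arithmetic."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def brute_force_then_success(events, min_failures=5, window=timedelta(minutes=10)):
    """Per user: a success preceded by at least min_failures failures inside `window`.
    Returns (user, failure_count, success_ts) tuples."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["result"] != "success":
                continue
            recent = [f for f in evs[:i]
                      if f["result"] == "fail" and e["ts"] - f["ts"] <= window]
            if len(recent) >= min_failures:
                hits.append((user, len(recent), e["ts"]))
    return hits


def success_without_mfa(events):
    """Users who completed a login with no second-factor challenge recorded."""
    return sorted({e["user"] for e in events
                   if e["result"] == "success" and not e.get("mfa", False)})


def new_country_logins(events, baseline):
    """Successful logins from a country absent from the user's baseline."""
    seen = {(e["user"], e["country"]) for e in events
            if e["result"] == "success"
            and e["country"] not in baseline.get(e["user"], set())}
    return sorted(seen)


def run(text, baseline):
    events = parse_events(text)
    return {
        "brute_force_then_success": brute_force_then_success(events),
        "success_without_mfa": success_without_mfa(events),
        "new_country": new_country_logins(events, baseline),
    }
```

The thresholds are deliberately low so the sample trips them; in production, tune the failure count and window to your traffic, and treat a success with no MFA challenge on an account that is supposed to have MFA as the highest-priority alert, since it means the password alone was enough.
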

07 Related Recent Vulnerabilities