081 – Lack of multi-factor authentication

Description

Critical services of the system, such as databases, shared resources containing sensitive information and web services, are not protected by a multi-factor authentication mechanism. This makes it easier for an attacker who has compromised a user's account to access those resources.

Impact

Multi-factor authentication is flawed to the point where it can be bypassed entirely.

Recommendation

Implement a double factor authentication by software or hardware to increase the protection level of the resources authentication.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

15 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: L
• Attack Requirements: N
• Privileges required: L
• User interaction: N
• Confidentiality (VC): H
• Integrity (VI): L
• Availability (VA): L
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: X

Requirements

• 229 - Request access credentials
• 231 - Implement a biometric verification component
• 264 - Request authentication
• 319 - Make authentication options equally secure
• 328 - Request MFA for critical systems

Fixes

• Cloudformation
• Csharp
• Go
• Java
• Ruby
• Scala

Last updated

2024/02/12