Lack of multi-factor authentication


Critical services of the system, such as databases, shared resources containing sensitive information and web services, are not protected by a multi-factor authentication mechanism. This makes it easier for an attacker who has compromised a user's account to access those resources.


Multi-factor authentication is flawed to the point where it can be bypassed entirely.


Implement a software- or hardware-based two-factor authentication mechanism to raise the level of protection on authentication to these resources.


Authenticated attacker from the Internet.

Expected Remediation Time

⌚ 15 minutes.


Default score using CVSS 3.1. It may change depending on the context of the vulnerability.


  • Attack vector: N
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: H
  • Integrity: L
  • Availability: L


  • Exploit code maturity: X
  • Remediation level: O
  • Report confidence: X


  • Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L/E:X/RL:O/RC:X
  • Score:
    • Base: 7.6
    • Temporal: 7.3
  • Severity:
    • Base: High
    • Temporal: High

Code Examples

Compliant code

All resources should be set up to allow multi-factor authentication (here, S3 versioning is enabled and MFA delete is on).

resource "aws_s3_bucket" "bucket" {
  bucket = "some_test_bucket"
  acl    = "private"
  versioning {
    enabled    = true
    mfa_delete = true
  }
}

Non compliant code

Some resources do not allow multi-factor authentication (here, versioning is disabled, so MFA delete cannot take effect).

resource "aws_s3_bucket" "bucket" {
  bucket = "some_test_bucket"
  acl    = "private"
  versioning {
    enabled    = false
    mfa_delete = true
  }
}
