Lack of multi-factor authentication
Description
Critical services of the system, such as databases, shared resources containing sensitive information and web services, are not protected by a multi-factor authentication mechanism. This makes it easier for an attacker who has compromised a user's account to access those resources.
Impact
Multi-factor authentication is flawed to the point where it can be bypassed entirely.
Recommendation
Implement two-factor authentication, by software or hardware, to increase the protection level of authentication to these resources.
Threat
Authenticated attacker from the Internet.
Expected Remediation Time
⌚ 15 minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the vulnerability.
Base
- Attack vector: N
- Attack complexity: L
- Privileges required: L
- User interaction: N
- Scope: U
- Confidentiality: H
- Integrity: L
- Availability: L
Temporal
- Exploit code maturity: X
- Remediation level: O
- Report confidence: X
Result
- Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L/E:X/RL:O/RC:X
- Score:
  - Base: 7.6
  - Temporal: 7.3
- Severity:
  - Base: High
  - Temporal: High
Code Examples
Compliant code
All resources should be set up to allow multi-factor authentication.
resource "aws_s3_bucket" "bucket" {
  bucket = "some_test_bucket"
  acl    = "private"
  versioning {
    # MFA delete is a property of the versioning configuration and only takes
    # effect while versioning is enabled.
    enabled    = true
    mfa_delete = true
  }
}
Non compliant code
Some resources do not allow multi-factor authentication.
resource "aws_s3_bucket" "bucket" {
  bucket = "some_test_bucket"
  acl    = "private"
  versioning {
    # Versioning is disabled, so the mfa_delete setting below does not protect
    # the bucket: MFA delete cannot be in effect without versioning.
    enabled    = false
    mfa_delete = true
  }
}
Requirements
- 229. Request access credentials
- 231. Implement a biometric verification component
- 264. Request authentication
- 319. Make authentication options equally secure
- 328. Request MFA for critical systems