Authentication / Insecure or Invalid MFA Factor

Web and API

Description

Insecure or invalid MFA factor is a security vulnerability that occurs when an application employs multi-factor authentication, but one of the additional factors is either considered insecure by current standards (e.g. SMS- or email-based authentication) or invalid due to falling in the same category as another factor (e.g. both factors are knowledge-based).

Risk

An insecure or invalid MFA factor weakens a multi-factor authentication system and may allow an attacker to gain access to an account or system more easily, or without any additional hurdle at all. For example, an attacker might intercept SMS messages to obtain the verification codes. In another scenario, the attacker has already compromised login sessions on a single device of the victim, including their mail account, and can therefore receive

An attacker can then use the gained privileges to achieve various goals.

Solution

To mitigate the vulnerability, only secure factors should be used for multi-factor authentication, and each factor should be in a different category (e.g. knowledge, possession, biometric/inherent). Secure factors include e.g. hardware tokens or authenticator apps.
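As an added illustration (not part of the original page), the following check encodes the two rules above: every enrolled factor must be one current guidance treats as secure, and no two factors may share a category. The factor catalogue is constructed here for the example, with SMS and email rated weak and authenticator apps and hardware tokens rated acceptable, as the page describes.

```python
"""Check an MFA factor set for insecure factors and for factors that share
a category (e.g. password + security question are both knowledge-based)."""
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something you know
    POSSESSION = "possession"  # something you have
    INHERENT = "inherent"      # something you are


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    secure: bool  # False for factors current guidance treats as weak


# Constructed catalogue for this example; ratings follow the page text.
CATALOGUE = {
    "password": Factor("password", Category.KNOWLEDGE, True),
    "security_question": Factor("security_question", Category.KNOWLEDGE, True),
    "sms_otp": Factor("sms_otp", Category.POSSESSION, False),
    "email_otp": Factor("email_otp", Category.POSSESSION, False),
    "totp_app": Factor("totp_app", Category.POSSESSION, True),
    "hardware_token": Factor("hardware_token", Category.POSSESSION, True),
    "fingerprint": Factor("fingerprint", Category.INHERENT, True),
}


def check_mfa(factor_names):
    """Return a list of findings; an empty list means the set is acceptable."""
    factors = [CATALOGUE[name] for name in factor_names]
    findings = []
    if len(factors) < 2:
        findings.append("fewer than two factors enrolled")
    # Rule 1: reject factors rated insecure (SMS- or email-based codes).
    for f in factors:
        if not f.secure:
            findings.append(f"insecure factor: {f.name}")
    # Rule 2: each factor must come from a different category.
    seen = {}
    for f in factors:
        if f.category in seen:
            findings.append(f"invalid factor: {f.name} is in the same category "
                            f"({f.category.value}) as {seen[f.category]}")
        else:
            seen[f.category] = f.name
    return findings
```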
