Severity: Low | CWE-308 | OWASP A07:2021

No MFA/2FA

Without multi-factor authentication, a stolen or guessed password is all it takes to fully compromise an account.

How It Works

MFA requires a second factor (a TOTP code, an SMS code, or a hardware key) in addition to the password. Even if an attacker has a user's password from a breach, they cannot log in without the second factor. Microsoft reported in 2023 that MFA blocks 99.9% of account compromise attacks.

Vulnerable Code

// BAD: single-factor authentication only
async function login(email: string, password: string) {
  const user = await verifyPassword(email, password);
  if (!user) throw new Error('Invalid credentials');
  return createSession(user); // one factor = compromised if password leaks
}

Secure Code

// GOOD: require TOTP as second factor for sensitive accounts
// (verifyPassword, verifyTOTP and createSession are the application's own helpers)
async function login(email: string, password: string, totpCode?: string) {
  const user = await verifyPassword(email, password);
  if (!user) throw new Error('Invalid credentials');
  if (user.mfaEnabled) {
    if (!totpCode || !verifyTOTP(user.totpSecret, totpCode))
      throw new Error('MFA code required');
  }
  return createSession(user);
}

Real-World Example

The 2020 Twitter hack compromised 130 high-profile accounts (Obama, Musk, Biden). Twitter's internal admin tools had no MFA requirement. One social engineering call to an employee gave attackers full control.

How to Prevent It

  • Offer TOTP-based 2FA (Google Authenticator, Authy) — it's free to implement with speakeasy or otplib
  • Require MFA for admin accounts and accounts with access to sensitive data
  • Offer WebAuthn/passkeys as a phishing-resistant alternative to TOTP
  • Show users how many active sessions they have and make 2FA setup easy and visible in settings

Affected Technologies

Node.js

Data Hogo detects this vulnerability automatically.
