MFA01 MFA Not Enforced
What this means
SiteShadow flagged flows where MFA is missing, optional, or can be bypassed for accounts/actions that should require it (admin actions, billing, API key management).
Why it matters
- Account takeover becomes easier (especially with password reuse and phishing).
- Admin compromise is catastrophic: role changes, data exports, API key minting.
- MFA is often the difference between a failed attack and a breach.
Safer examples
1) Require MFA for admins and high-risk actions
Examples: billing changes, payouts, role changes, API key creation, SSO changes.
2) Use step-up authentication
Even if a user is logged in, require MFA re-check for sensitive operations.
3) Make recovery safe
Use recovery codes, secure device enrollment, and strong support verification to avoid MFA bypass via support.
How SiteShadow detects it (high level)
- Looks for sensitive/admin flows without an MFA requirement check nearby.
- Flags configuration patterns that explicitly disable MFA or mark it optional.
References
- OWASP Top 10: https://owasp.org/Top10/
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.