The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the use of single-factor authentication for remote or administrative access to systems to its Bad Practices list of hazardous cybersecurity practices. Single-factor authentication relies on only one way of verifying a user's identity, typically a username and password combination.
An easy way to access systems
Compared to multi-factor authentication (MFA), single-factor authentication gives attackers an easy way into a system. MFA is considered a robust authentication method because it requires two or more independent factors before access is granted.
Hazardous cybersecurity practices could expose critical infrastructure and government and private sector entities to devastating cyberattacks. As weak, reused, and common passwords pose a grave threat, CISA encourages all organizations to review the Bad Practices web page and engage in the necessary actions and critical conversations to address Bad Practices.
The list of bad practices now includes:
- Use of unsupported (or end-of-life) software
- Use of known/fixed/default passwords and credentials, and
- Use of single-factor authentication for remote or administrative access to systems
CISA also published a guide to setting up strong authentication. Strategic planning, single sign-on, and identity federation are essential for organizations that aim to avoid these vulnerabilities.