The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added single-factor authentication to the list of “exceptionally risky” cybersecurity practices. CISA noted that single-factor authentication could expose private businesses, critical infrastructure, and government agencies to devastating attacks.
Single-factor authentication is any login method that rests on one category of evidence, in practice almost always something the user knows: a username and a password. It is considered low-security because the username is public or guessable and the password is therefore the only secret standing between an attacker and the account. Whoever obtains that password, whether by phishing, guessing, credential stuffing from another site's breach, or password spraying, holds exactly what the legitimate user holds.
Whatever its convenience, CISA says, single-factor authentication leads to unauthorized access and compromise, and cybercriminals routinely exploit it to carry out attacks.
“The use of single-factor authentication for remote or administrative access to systems supporting the operation of Critical Infrastructure and National Critical Functions (NCF) is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety,” CISA says.
With the latest addition, CISA’s list of bad practices now encompasses:
- Use of unsupported (or end-of-life) software,
- Use of known/fixed/default passwords and credentials, and
- Use of single-factor authentication for remote or administrative access to systems.
“Although these Bad Practices should be avoided by all organizations, they are especially dangerous in organizations that support Critical Infrastructure or National Critical Functions,” CISA noted.
“The presence of these Bad Practices in organizations that support Critical Infrastructure or NCFs is exceptionally dangerous and increases risk to our critical infrastructure, on which we rely for national security, economic stability, and life, health, and safety of the public,” the agency noted.
Multi-factor authentication, by contrast, makes a successful attack far harder. A study by Google, New York University and UC San Diego measured how well a second factor protected Google accounts: even an SMS code sent to a recovery phone blocked 100% of automated bot attacks, 96% of bulk phishing attacks and 76% of targeted attacks, and an on-device prompt raised the last two figures to 99% and 90%. The remaining gap against targeted attacks is the one a practitioner should note: codes typed by the user can be relayed by a real-time phishing proxy, which is why phishing-resistant factors such as FIDO2/WebAuthn security keys are preferred for administrative and remote access.
Alex Weinert, Director of Identity Security at Microsoft, said that “your password doesn’t matter, but MFA does!” He also said that “your account is more than 99.9% less likely to be compromised if you use MFA.”