The Cybersecurity and Infrastructure Security Agency (CISA) has added the use of single-factor authentication to its brief list of bad practices that it considers to be exceptionally risky when it comes to cybersecurity.

“Single-factor authentication is a common low-security method of authentication. It only requires matching one factor—such as a password—to a username to gain access to a system. Although these Bad Practices should be avoided by all organizations, they are especially dangerous in organizations that support Critical Infrastructure or National Critical Functions,” reads CISA’s announcement.

The federal agency added that organizations should instead refer to its guidance on setting up stronger authentication methods. CISA’s Capacity Enhancement Guide on implementing strong authentication highlights the risks of traditional single-factor methods such as a username combined with a password.

Attackers can steal user credentials through a variety of tried and tested tactics, ranging from phishing and social engineering to brute-force attacks and keylogging malware. Once they hold a valid username and password, breaching a system that checks nothing else is not difficult. CISA therefore recommends switching to multi-factor authentication (MFA), a far safer option because it adds an extra layer of security and makes it much harder for cybercriminals to take over user accounts with a stolen password alone.

According to a joint study conducted by Google, New York University, and University of California San Diego, organizations that adopted MFA could see a substantial boost to their resistance against malicious attacks. The study cited by CISA found that the use of MFA “blocked 100% of automated bots, 99% of bulk phishing attacks and 66% of targeted attacks on users' Google accounts.”

Beyond the use of single-factor authentication, CISA’s catalog of Bad Practices also includes:

  • The use of unsupported or end-of-life software
  • The use of known/fixed/default passwords and credentials

“While these practices are dangerous for Critical Infrastructure and NCFs, CISA encourages all organizations to engage in the necessary actions and critical conversations to address Bad Practices,” CISA said.

The federal agency has also opened a discussion of the Bad Practices on its GitHub so that system administrators and IT professionals can contribute suggestions and input on how to eliminate these practices.