Single-factor authentication is a bad cybersecurity practice, CISA warns

The Cybersecurity and Infrastructure Security Agency (CISA) has added single-factor authentication (SFA) to its list of bad cybersecurity practices that it advises against.

According to Bleeping Computer, CISA’s bad practice catalogue lists practices the agency has deemed very risky and advises organisations in government and the private sector not to use, because they expose those organisations to unnecessary risk from threat actors.

The use of SFA can be especially dangerous on internet-exposed systems that threat actors could target and compromise from a remote location. SFA requires users to provide only a username and a password, and offers a low level of security.

Attackers who target SFA can rapidly gain access to systems protected by the method, because passwords are easily stolen or guessed through techniques such as network sniffing, social engineering, malware, credential dumping and phishing.

CISA said, “The use of single-factor authentication for remote or administrative access to systems supporting the operation of Critical Infrastructure and National Critical Functions is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety.”

Organisations that switch to multi-factor authentication may find that it is a lot harder for threat actors to achieve a successful attack.

Copyright © 2021 FinTech Global
