Single Factor Authentication Labeled a Dangerous Practice

The U.S. Cybersecurity and Infrastructure Security Agency recently updated its list of bad cybersecurity practices. Specifically, CISA added single-factor authentication for remote and administrative access systems as a highly vulnerable practice.

While CISA recommends all organizations avoid several bad practices, it labeled single-factor authentication “dangerous” for those involved with Critical Infrastructure or National Critical Functions (NCFs).

About the CISA List

Beyond the typical cybersecurity risks, a malicious third party gaining access to a Critical Infrastructure or National Critical Functions organization poses a hazard to national security, the economy and public safety. Aside from single-factor authentication, the following practices make these types of organizations particularly vulnerable:

  • Using unsupported or end-of-life software, especially if the technology connects to or requires the internet to operate.
  • Having fixed, easily recognized or default passwords and credentials, especially for software and tools connecting to the internet.

Types of Authentication

For passwords and credentials, three types of authentication may be used:

  • Single-Factor Authentication: The most straightforward and commonly used, single-factor authentication requires the user to enter or verify one credential after typing in their username. Especially with reused or easily identifiable passwords, this method presents the greatest degree of vulnerability for all organizations.
  • Two-Factor Authentication: More organizations are starting to use this form of authentication for the increased security it provides. The username and password entered need to be verified through the user’s mobile device.
  • Multi-Factor Authentication: Multi-factor authentication involves a minimum of three steps, often with questions to answer about yourself added to the process of entering a username and password, then verifying your identity with a mobile device.

Why Single-Factor Authentication Is Less Secure

Websites, software programs and apps have used single-factor authentication for years due to the baseline degree of security it provides. Yet, in an environment with a rapidly growing number of threats, single-factor authentication no longer provides the security it once did:

  • Multiple tactics have been used to harvest username and password combinations. As users tend to reuse passwords across multiple platforms, breach risk increases.
  • Data from CISA shows that single-factor authentication is more vulnerable to phishing, social engineering, keylogging, malware, network sniffing, brute force and credential-dumping attacks.
  • Storage methods and team sharing make such passwords easy to access beyond your network and organization.
  • Frequently used passwords and being able to guess a password combination increase the likelihood of a breach.

By contrast, two-factor and multi-factor authentication methods require a user to verify their identity or enter less-identifiable information for better security. A study conducted by New York University and the University of California San Diego with Google found that multi-factor authentication has the potential to block 100 percent of automated attacks and 99 percent of bulk phishing attacks.

In relation to phasing out single-factor authentication, CISA has remarked that organizations should take a comprehensive approach, using more secure methods across all systems, applications and resources that connect to the organization’s network.

In addition to routinely updating your organization’s cybersecurity practices, make sure you have adequate data breach insurance, should a third party manage to access your network. To discuss coverage, contact a HUB/Ion Insurance agent today.