CISA Adds Single-Factor Authentication to List of Bad Practices

The U.S. Cybersecurity & Infrastructure Agency deems single-factor authentication “especially egregious in technologies accessible from the Internet.”

The U.S. Cybersecurity & Infrastructure Agency (CISA) has added the use of single-factor authentication for remote or administrative access to its list of “Bad Practices” of exceptionally risky cybersecurity practices.

Single-factor authentication is a common low-security method of authentication that only requires matching one factor, such as a password to a username to gain access to a system.

CISA advises all organizations to avoid single-factor authentication, deeming the practice “especially egregious in technologies accessible from the Internet.”

For organizations that support critical infrastructure, this method is especially dangerous. Recent incidents have proved cyberattacks against critical infrastructure can have significant impacts on national security, economic stability, life, health, and safety of the public — all critical functions of the government and private sector.

The first bad practice on CISA’s list is the use of unsupported (or end of life) software in services of critical infrastructure organizations. An example of this is the 2017 WannaCry incident — a global ransomware attack that spread through computers using Microsoft Windows.

About 300,000 computers around the globe and across almost every economic sector were impacted. User’s files were held hostage and a Bitcoin ransom was demanded for their return.

For some organizations, updates can be timely, difficult, and costly. Patching systems and implementing updates can result in downtime, which some critical infrastructure organizations don’t want to lose.

The second bad practice is the use of known/fixed/default passwords and credentials “[Default passwords are] dangerous and significantly elevates risk to national security, national economic security, and national public health and safety,” says CISA in a blog post.

Easily guessable passwords can be easily cracked. Hackers can use a spraying technique to gain access to as many accounts as possible causing anywhere from minor security incidents to major breaches.

CISA says this is only the beginning of the list of bad practices and intends to release more to develop a complete catalog to educate critical infrastructure owners and operators, as well as the defense industry and the organizations that support the supply chain for national critical functions.

CISA’s addition to the bad practice list can be applied to every organization — not just those organizations who provide critical infrastructure.  Cybersecurity should be a risk management priority at every organization.


Alyssa Borelli is a Web Editor for SSI sister site My Tech Decisions where this article first appeared.

If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!

Security Is Our Business, Too

For professionals who recommend, buy and install all types of electronic security equipment, a free subscription to Commercial Integrator + Security Sales & Integration is like having a consultant on call. You’ll find an ideal balance of technology and business coverage, with installation tips and techniques for products and updates on how to add to your bottom line.

A FREE subscription to the top resource for security and integration industry will prove to be invaluable.

Subscribe Today!

Leave a Reply

Your email address will not be published. Required fields are marked *

Get Our Newsletters