CISA Adds Single-Factor Authentication to Bad Practices List

Published · Sep 01, 2021

The US Cybersecurity and Infrastructure Security Agency (CISA) has now added single-factor authentication to its list of bad practices. This month, the US has focused on strengthening cybersecurity by improving the infrastructure, education, and awareness around it.

The list, available on the CISA website, aims to alert US citizens and entities to the dangers of poor cybersecurity practices. Any internet user can read and implement the list's suggestions, even though CISA wrote it with national and critical infrastructure in mind.

Single-factor authentication is when one factor protects a user’s access to their account—most commonly, a simple password. If someone gets hold of that password, they can log in. This is why multi-factor authentication is becoming a common protocol.

Multi-factor authentication comes in many forms. It can involve one-time pins sent to a user’s phone or even hardware like USB security keys. Essentially, it implements multiple factors needed to gain entry, making it harder for threat actors to break in.

The most common method of getting strong login credentials backed by multi-factor authentication is through password managers.

Shifting Landscape

The ubiquity of cloud services has done a lot to speed up technology and its usage, but it does present new challenges. The convenience of accessing cloud solutions—for example, photo storage—from anywhere is also a major vulnerability, because it makes that data easier for criminals to get hold of too.

Multi-factor authentication combines the security of a physical factor with the convenience of cloud access. It requires the user to have a physical device on hand, like a phone or USB security key, which improves protection.

If an individual has an account compromised, the consequences can be devastating. If the account in question is a data backup or business storage solution, the situation worsens—assets can be stolen, sensitive content can be held to ransom, etc.

When hackers compromise a corporation or government entity, the impact is massive. There are also more points of entry to cover, which emphasizes the importance of sound cybersecurity at an institutional level.

CISA plans to expand the list of bad practices even further. This preliminary information only begins to show parties what they should pay immediate attention to. Because logins are the first point of contact, they can be a major vulnerability in everything from data storage to entire infrastructure hosted on servers.

Garan van Rensburg

Garan is a writer interested in how tech reshapes the environment, and how the environment reshapes tech. You'll usually find him inoculating against future shock and arguing with bots.