CISA: Don’t use single-factor authentication on Internet-exposed systems

On Sep 8th, 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) announced that it had added single-factor authentication (SFA) to its rather short list of cybersecurity bad practices, the catalog of practices it recommends against.

CISA's "Bad Practices" catalog lists procedures that the federal government has deemed "extremely dangerous" and that should not be used by organizations in the public or private sector, since they expose those organizations to an unnecessary risk of compromise by threat actors.

The list was released in June 2021 with two entries, the use of unsupported (end-of-life) software and the use of known, fixed or default passwords and credentials. SFA is the first practice added since then.

With this update the catalog therefore names three bad practices: running unsupported software, relying on known, fixed or default credentials, and now using only one factor when authenticating remotely to Internet-exposed systems, such as cloud or web applications and remote administrative interfaces.

The agency also scoped the new entry: it targets single-factor authentication for remote or administrative access. SFA is not considered a bad practice when it protects non-sensitive systems or applications that are reachable only from within the network perimeter. That scoping reflects where the exposure is, not a change in the strength of a lone password; an internal-only service that later becomes reachable from the Internet inherits the problem.

When authentication happens over the Internet, however, SFA has two major downsides. First, the single factor (almost always a password) can be obtained or guessed by a remote attacker through social engineering, phishing, password spraying, or credential-stealing malware, and a password alone is then sufficient to reach the sensitive data the application holds.

Secondly, it increases the risk of account takeover: an attacker who has obtained the password (e.g., via a successful phishing attack) can authenticate as the victim, and may retain access through the sessions established that way even after the victim changes the password. With a second factor in place, the stolen password is no longer enough to log in.