Use of single‑factor authentication comes with cybersecurity risks

Amer Owaida, Security Writer at ESET, explains that the Cybersecurity and Infrastructure Security Agency (CISA), the US federal agency, is urging organizations to drop the bad practice of single-factor authentication and use multi-factor authentication methods instead.

The CISA has added the use of single-factor authentication to its brief list of bad practices that it considers to be exceptionally risky when it comes to cybersecurity.

“Single-factor authentication is a common low-security method of authentication. It only requires matching one factor—such as a password—to a username to gain access to a system. Although these Bad Practices should be avoided by all organizations, they are especially dangerous in organizations that support Critical Infrastructure or National Critical Functions,” reads CISA’s announcement.

The federal agency went on to add that organizations should instead refer to its guidance on setting up stronger authentication methods. CISA’s Capacity Enhancement Guide on implementing strong authentication highlights the risks of single-factor authentication methods such as a username combined with a password.

Attackers could pilfer user access credentials through a variety of tried and tested tactics, ranging from phishing and social engineering to brute-force attacks and keylogging malware. Once they get hold of the usernames and passwords, breaching a system isn’t that difficult. CISA therefore recommends switching to multi-factor authentication (MFA), which is a far safer option: it adds an extra layer of security and makes it significantly more difficult for cybercriminals to breach user accounts.

According to a joint study conducted by Google, New York University, and University of California San Diego, organizations that adopted MFA could see a substantial boost to their resistance against malicious attacks. The study cited by CISA found that the use of MFA “blocked 100% of automated bots, 99% of bulk phishing attacks and 66% of targeted attacks on users’ Google accounts.”

Beyond the use of single-factor authentication, CISA’s catalog of Bad Practices also includes:

  • The use of unsupported or end-of-life software
  • The use of known/fixed/default passwords and credentials

“While these practices are dangerous for Critical Infrastructure and NCFs, CISA encourages all organizations to engage in the necessary actions and critical conversations to address Bad Practices,” CISA said.

The federal agency also opened up discussion about Bad Practices on its GitHub so that system admins and IT professionals could pitch in with their suggestions and input on how to tackle the challenges of eliminating these practices.
