CISA adds single-factor authentication to its catalog of 'Bad Practices'

Earlier this year, in June, the US Cybersecurity and Infrastructure Security Agency (CISA) launched a new project called "Bad Practices" that consisted of a catalog of non-recommended cybersecurity practices, techniques, and configurations.

The initial list only included two entries, but in an update today, CISA officials added a new "bad practice" to their list—namely, the use of single-factor authentication for remote or administrative access systems.

"Single-factor authentication is a common low-security method of authentication," the agency said in a press release today. "It only requires matching one factor—such as a password—to a username to gain access to a system."

Instead, CISA recommended that organizations check its guide for implementing strong authentication [PDF], where multi-factor authentication is the recommended method of securing not only internet-connected accounts but also accounts of any kind.

CISA Bad Practices catalog

Currently, the CISA Bad Practices catalog includes the following entries:

  1. Use of unsupported (or end-of-life) software.
  2. Use of known/fixed/default passwords and credentials.
  3. Use of single-factor authentication for remote or administrative access to systems.

Other bad practices CISA officials are currently considering adding to their catalog include the likes of:

  • Using weak cryptographic functions or key sizes.
  • Flat network topologies.
  • Mingling of IT and OT networks.
  • Everyone's an administrator (lack of least privilege).
  • Utilization of previously compromised systems without sanitization.
  • Transmission of sensitive, unencrypted/unauthenticated traffic over uncontrolled networks.
  • Poor physical controls.

Security experts can also recommend other "bad practices" via this GitHub page.

Catalin Cimpanu

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.

No previous article
No new articles