Providers of managed security services have been warning their clients about the insufficient protection traditional password-based authentication delivers in today’s cybersecurity landscape.
Now, the Cybersecurity and Infrastructure Security Agency (CISA) has officially recognized that relying on passwords alone to prevent unauthorized access is an exceptionally risky practice that greatly increases the likelihood of a data breach occurring.
Download
DoD Contractor’s Guide to CMMC 2.0 Compliance
CISA Describes Single-Factor Authentication as Exceptionally Risky
On August 30, 2021, CISA added single-factor authentication (a common low-security method of authentication that only a single password to be matched to a username to gain access to protected resources) to its catalog of bad cybersecurity practices.
“CISA added the use of single-factor authentication for remote or administrative access systems to our Bad Practices list of exceptionally risky cybersecurity practices,” stated the agency in the official announcement. “Although these Bad Practices should be avoided by all organizations, they are especially dangerous in organizations that support Critical Infrastructure or National Critical Functions.”
Besides single-factor authentication, the Bad Practices list includes:
- Use of unsupported (or end-of-life) software.
- Use of known/fixed/default passwords and credentials.
As you can see, the list is a rather exclusive place to be, and CISA wouldn’t include single-factor authentication if there wasn’t a good reason to do so.
Indeed, the Verizon 2021 Data Breach Investigations Report revealed that credentials are the primary means by which bad actors gain unauthorized access into organizations, with 61 percent of breaches attributed to leveraged credentials. What’s also alarming is that 95 percent of organizations suffering credential stuffing attacks had between 637 and 3.3 billion malicious login attempts through the year.
It’s not that strong passwords can be cracked with ease—they can’t. The problem is that users are notoriously bad at storing passwords in a secure manner and recognizing social engineering attacks whose goal is to trick them into disclosing them.
“As the number of companies switching business-critical functions to the cloud increases, the potential threat to their operations may become more pronounced, as malicious actors look to exploit human vulnerabilities and leverage an increased dependency on digital infrastructures,” explains Verizon.
Organizations Should Shift to Multi-Factor Authentication
CISA encourages all organizations to review the Bad Practices webpage and to engage in the necessary actions and critical conversations to address the practices it describes.
In the CISA Capacity Enhancement Guide: Implementing Strong Authentication, the agency recommends multi-factor authentication (MFA) as a strong authentication method that addresses the shortcomings of single-factor authentication, namely the human factor.
“[MFA] requires two or more factors to gain access to the system. Each factor must come from a different category above (e.g., something you know and something you have). MFA may be referred to as two-factor authentication, or 2FA, when two factors are used,” explains CISA.
According to Microsoft, MFA can block over 99.9 percent of account compromise attacks. A study conducted by Google, New York University, and University of California San Diego agrees with Microsoft, concluding that MFA can block 100 percent of automated bots, 99 percent of bulk phishing attacks, and 66 percent of targeted attacks on Google accounts.
Clearly, it’s in the best interest of all organizations to shift to MFA as soon as possible. The good news is that MFA has become widely supported by software vendors and service providers, so implementing it is not difficult at all.
Not All MFA Implementations Are Created Equal
While any implementation of multi-factor authentication is better than relying solely on single-factor authentication, some implementations are more secure than others.
Cybersecurity experts agree that text messages should be the last option when it comes to choosing between possible additional authentication factors, which are typically grouped into the following three categories:
Using mobile phishing and SIM swapping techniques, cybercriminals can steal SMS authentication codes to gain full control over their victims’ sensitive accounts. Last year, the Europol Internet Organised Crime Threat Assessment report identified these techniques as the new key trend, and their impact is guaranteed to only increase as more and more organizations embrace the hybrid work model.
Instead of text messages, it’s much better to use mobile authenticator apps or hardware tokens, with the former offering the best balance of security and usability.
We Can Help Setup Multi-Factor Authentication
We at OSIbeyond can help you implement a robust multi-factor authentication scheme that reflects the latest CISA recommendations. Schedule a meeting with us to get started.