Original release date: August 30, 2021
Today, CISA added the use of single-factor authentication for remote or administrative access systems to our Bad Practices list of exceptionally risky cybersecurity practices. Single-factor authentication is a common low-security method of authentication. It only requires matching one factor—such as a password—to a username to gain access to a system.
Although these Bad Practices should be avoided by all organizations, they are especially dangerous in organizations that support Critical Infrastructure or National Critical Functions.
CISA encourages all organizations to review the Bad Practices webpage and to engage in the necessary actions and critical conversations to address Bad Practices. For guidance on setting up strong authentication, see the CISA Capacity Enhancement Guide: Implementing Strong Authentication.