CISA Confirms What Everyone’s Always Known: Single-Factor Authentication Is ‘Bad’

Sun Sep 05 2021

CISA rules SFA ‘bad practice’ for critical infrastructure

CISA, the US Cybersecurity and Infrastructure Security Agency, has been urging all US agencies to stop using single-factor authentication for all remote access activities, as it exposes US infrastructure to the risk of systems being compromised by cyber actors.


Accordingly, CISA announced last week that it was adding single-factor authentication to its official catalogue of ‘bad practices’, the practices it considers exceptionally risky, especially for any US organisation that supports critical infrastructure or national critical functions (NCFs).

“As recent incidents have demonstrated, cyberattacks against critical infrastructure can have significant impacts on the critical functions of government and the private sector. Organisations must consider implementing an effective cyber security programme to protect against cyber threats.”

CISA statement

What is SFA?

Single-factor authentication is an extremely low-security method of authentication that requires only one factor (a password, for instance) matched to a username to gain access to a system.

What Is MFA?

Multi-factor authentication is a method of authentication that requires multiple factors tied to a username… for instance, logging in with a username, entering a password and then responding to a text message on a mobile phone to confirm the log-in (there are obviously more advanced methods, including facial recognition).

MFA can be broken down into…


  • Knowledge… something only the user knows
  • Possession… something only the user has access to
  • Inherence… something the user is.
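
The three categories above are what decide whether a login is genuinely multi-factor: two authenticators from the same category (a password plus a security question) are still a single factor. The following added example, which is not cloudThing’s or CISA’s code, applies that rule to constructed authentication log lines and flags successful remote logins (the case CISA highlights) that relied on one factor; the log format, the authenticator names and their mapping to categories are assumptions made for the example.

```python
import re

# Assumed mapping of authenticator names (as they appear in the constructed log)
# to the factor category each one belongs to.
AUTHENTICATOR_FACTOR = {
    "password": "knowledge", "pin": "knowledge", "security_question": "knowledge",
    "sms_code": "possession", "totp_app": "possession", "hardware_key": "possession",
    "fingerprint": "inherence", "face_recognition": "inherence",
}

# Constructed sample log lines (not real data); 'auth' lists the authenticators satisfied.
SAMPLE_LOG = """\
2021-09-05T08:01:12Z user=alice access=remote result=success auth=password
2021-09-05T08:03:40Z user=bob access=remote result=success auth=password+sms_code
2021-09-05T08:05:02Z user=carol access=remote result=success auth=password+security_question
2021-09-05T08:06:55Z user=dave access=local result=success auth=pin
2021-09-05T08:09:17Z user=erin access=remote result=failure auth=password
2021-09-05T08:11:30Z user=frank access=remote result=success auth=fingerprint+hardware_key
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) access=(?P<access>\S+) "
    r"result=(?P<result>\S+) auth=(?P<auth>\S+)$"
)

def factor_categories(auth_field):
    """Distinct factor categories covered by a '+'-separated list of authenticators.
    An authenticator missing from the mapping is a configuration error (KeyError)."""
    return {AUTHENTICATOR_FACTOR[a] for a in auth_field.split("+")}

def is_multi_factor(auth_field):
    """True only when at least two *distinct* categories were used;
    password+security_question is still single-factor."""
    return len(factor_categories(auth_field)) >= 2

def find_sfa_remote_logins(log_text):
    """(timestamp, user, categories) for each successful remote login that used one factor."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        if m["access"] == "remote" and m["result"] == "success" and not is_multi_factor(m["auth"]):
            findings.append((m["ts"], m["user"], sorted(factor_categories(m["auth"]))))
    return findings

if __name__ == "__main__":
    for ts, user, cats in find_sfa_remote_logins(SAMPLE_LOG):
        print(f"{ts} {user}: single-factor remote login ({', '.join(cats)})")
```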


A 2019 joint study by Google, New York University and the University of California, San Diego clearly demonstrated the weakness of SFA: it found that simply adding a recovery telephone number to a Google account blocked 100% of automated bots, 99% of bulk phishing attacks and 66% of targeted attacks.


Other outdated cyber security practices on CISA’s ‘bad practice’ list include the continued use of end-of-life software and the use of default passwords (think Password1).

© cloudThing 2021
