Skip to main content

Back to Blog

CISA Adds Single-Factor Authentication to List of Bad Practices

One Layer Isn’t Enough

The Cybersecurity and Infrastructure Security Agency (CISA) in the United States recently announced adding single-factor authentication to their list of Bad Practices

CISA’s Bad Practices list contains a collection of exceptionally risky cybersecurity practices. Although intended for all industries, the practices listed are considered especially dangerous in organizations that support critical infrastructure or National Critical Functions (NCF). 

Why has CISA introduced this change?

Single-factor authentication leaves systems more vulnerable to various cyberattacks, including brute force, credential stuffing, phishing, ransomware, and malware. These types of cyber risks are among the most common in use today.  

Single-factor authentication is practically an invitation to threat actors, due to its status as a low-security method of authentication. CISA reports that single-factor authentication is a dangerous practice – particularly for remote or administrative system access.

So, what does “single-factor authentication” really mean?

Single-factor refers to relying on only one of the three authentication types:

  • “Something you know” (e.g., password)
  • “Something you have” (e.g., smartphone)
  • “Something you are” (e.g., fingerprint)

Eliminating “single-factor authentication” does not mean just replacing or ignoring the password authentication layer. Doing so would just be swapping categories, not layering them. 

As CISA indicates, multi-factor authentication (MFA) requires two or more factors of different types. CISA advises that “to receive the full benefit of an MFA capability, organizations should be sure to implement it across all systems, applications, and resources.” 

How can you secure the password layer?

Even if your organization uses authenticator apps or devices for your MFA authentication, ensuring that the most ubiquitous layer—the password layer—is secure is a critical step. 

CISA recommends following the NIST password guidelines, which include screening for compromised passwords. Why? The short answer is weak and reused passwords. 

Despite fulfilling old-school password complexity requirements, many passwords are not safe. For example, common passwords (like ‘Loveyou1’ or ‘Admin2020’) can be too easily guessed. 

Threat actors know the simple patterns most people use to create passwords. They know users will typically make minor modifications to their previous passwords. Passwords are often created using familiar dictionary words using predictable character substitutions and appending numbers and symbols. Users may make tiny variations to their many different personal and work accounts so they can remember them.

The problem is compounded because users continue to reuse these weak passwords. As a result, when threat actors obtain lists of already-breached data from the web and the dark web, they have several techniques—including password spraying and credential stuffing—for abusing the fact that at least 65% of people reuse passwords. 

When passwords are compromised and reused, the chain reaction of data breaches and theft continues. But if organizations employed credential screening practices, they would know to block users from creating or reusing an already-compromised password. 

With credential screening services, such as Enzoic, organizations can keep unsafe passwords out of their environment. For example, a modern password policy can prevent the selection of an unsafe password. When a previously safe password is discovered as compromised, alerting and resetting the password can be automated. 

CISA Already Recommended Keeping Passwords Safe   

CISA’s Bad Practices list already explicitly referred to the dangers of using known and default passwords and credentials. 

The use of compromised credentials is especially egregious for systems accessed from the Internet because of the frequency of password reuse and the attack methods that hackers use to compromise systems, such as dictionary attacks and credential stuffing


The addition of single-factor authentication to the Bad Practices list confirms that every industry needs to take actions that prevent the use of compromised credentials and maintain good cybersecurity practices.

CISA encourages all organizations to review their Bad Practices web page and “engage in the necessary actions and critical conversations” to address these issues. Then, once organizations are ready to fix these bad habits, Enzoic can help.