CISA warns companies against unsafe use of passwords, 2FA, MFA, 1Password
Many years ago I declared war on passwords, or at least started an ongoing information campaign against poor password hygiene. This is obviously no surprise to anyone who regularly reads my articles. What did surprise me, however, was finding out that I finally have an ally in the US government, which has suddenly started taking dangerous password practices very seriously.
It has been a long time coming. Still, the Cybersecurity and Infrastructure Security Agency (CISA), which sits under the Department of Homeland Security, has warned companies that relying solely on passwords is “exceptionally risky” and advised that it should be “avoided by all organizations”.
Single-factor authentication joins the government’s naughty step
On August 30, CISA added the use of single-factor authentication to its official list of bad practices. In other words, authenticating with nothing more than a username and password is bad for all businesses, says CISA, but especially for systems that support critical infrastructure operations. The agency warns that this “is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety.”
What is even more surprising is that it has taken this long for such a dangerous practice to be added to the list, and, I hope you are seated, it joins only two other entries. Look, I appreciate that CISA admits the naughty-step list “is not exhaustive of all possible exceptionally risky cybersecurity practices,” but only three entries?
The other two, for your reference, are the use of end-of-life or unsupported software and the use of known, fixed, or default passwords. All three are declared “especially egregious” when the technology in question is accessible over the Internet.
Multi-factor authentication for everything
What is good practice, whatever type of organization you are (and this applies to individuals as well), is to authenticate everything with more than one factor.
Multi-factor authentication (MFA) is, as the name suggests, the use of a mix of authentication methods drawn from different categories. Traditionally there were three generally accepted categories of factors: knowledge (what you know), possession (what you have), and inherence (what you are). Two more factors can now be added in the form of location (where you are) and behavior (what you are doing).
Take two-factor authentication (2FA) as the example, since most people probably understand it better. It is typically enforced using the knowledge factor, a username and password, supplemented by a secondary possession factor such as a hardware key, a smart card, or a one-time code provided by an application. The latter is interesting because it can also offer a third factor for valid multi-factor authentication in a “buy one, get one free” way. If the app that provides the one-time code needed to authenticate the user’s login is on a smartphone, in particular a smartphone that requires facial or fingerprint recognition to open the app itself, then inherence is also present.
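As an added illustration (not part of the original article), the Python below implements the server side of the possession factor described above: the one-time code from an authenticator app is checked with TOTP (RFC 6238) and is only accepted together with the password, so neither factor on its own unlocks the account. The user record, salt and shared secret are constructed demo values, not real credentials.

```python
import base64
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps (clock drift),
    comparing in constant time so timing does not leak which digits matched."""
    for delta in range(-window, window + 1):
        if hmac.compare_digest(totp(key, at + delta * step, step), code):
            return True
    return False


# Constructed demo user record (not real credentials): a PBKDF2 password hash
# plus the base32-encoded TOTP secret that was enrolled in the authenticator app.
_SALT = b"demo-salt"
_USER = {
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
    "totp_secret": base64.b32encode(b"12345678901234567890").decode(),
}


def authenticate(password: str, code: str, at: int) -> bool:
    """Knowledge factor (password) AND possession factor (TOTP code) must both pass:
    a stolen password alone is rejected, and so is a code without the password."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    password_ok = hmac.compare_digest(candidate, _USER["pw_hash"])
    key = base64.b32decode(_USER["totp_secret"])
    code_ok = verify_totp(key, code, at)  # both checks always run; no short-circuit
    return password_ok and code_ok
```

The secret `12345678901234567890` is the RFC 6238 test key, so the codes produced here can be compared against the RFC's published vectors.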
What difference can multiple factors make, you might be wondering? CISA cites Google research that suggests a lot, in fact. That research showed that simply adding another factor of authentication, in this case a recovery phone number on a Google Account, blocks a staggering number of attacks. According to Google, up to 100% of automated bot attacks were prevented, as well as 99% of bulk phishing attacks and even 66% of “targeted attacks” against account holders.
Are password managers now obsolete?
I contacted someone familiar with the role of passwords and authentication management in security best practice, Adam Caudill. With 20 years of security and research experience, focusing on application security and secure communications, Caudill is currently Director of Security at 1Password. As you might expect, he says that using MFA wherever it is supported should be one of the most accessible and impactful security investments you can make. “It’s low friction for you,” he says, “and makes an attacker’s job a lot harder.” Indeed, of all the improvements in end-user security he has seen, Caudill told me, “MFA has the best return on a remarkably small investment, both in terms of time and money.”
So does that mean password managers like 1Password are, well, obsolete? “On the contrary,” Caudill insists, multi-factor authentication “shows the value of comprehensive password managers, as they simplify the use of MFA and synchronization between devices, so it’s easy to log in from any device.”
I agree, and it should also be noted that as authentication arguably becomes more complex, password managers have an even greater impact on productivity. “It’s important to understand that a password manager has more than one role in a user’s life,” concludes Caudill, “it not only protects them, but it helps them be more productive and avoid downtime.”