Non-public, Internet-facing assets can be accessed using single-factor authentication
Context and Guidance: Providing remote access to any type of asset over the Internet is risky, and should not be taken lightly. A common method of reducing this risk is to use multi-factor authentication.
Multi-factor authentication often involves the use of passphrases in addition to one or more of the following multi-factor authentication methods every time a user logs into an asset:
If an authentication method at any time offers a user the ability to reduce the number of authentication factors to a single factor, it is by definition no longer a multi-factor authentication method. A common example of this is when a user is offered the ability to ‘remember this computer’ for a public web resource.
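An added example, not part of the original guidance: a Python check over constructed sign-in records that flags logins to non-public, Internet-facing assets verified with a single factor, including 'remember this computer' logins that an audit of enrolment alone would miss. The record fields (`enrolled`, `presented`, `remembered_device`) and the hostnames are assumptions for illustration, not any identity provider's log schema.

```python
# Constructed sign-in events. Field names are assumptions for this example,
# not the log schema of any particular identity provider.
SIGN_INS = [
    {"user": "alice", "asset": "vpn.example.com", "internet_facing": True,
     "public": False, "enrolled": ["passphrase", "otp"],
     "presented": ["passphrase", "otp"], "remembered_device": False},
    {"user": "bob", "asset": "mail.example.com", "internet_facing": True,
     "public": False, "enrolled": ["passphrase", "otp"],
     "presented": ["passphrase"], "remembered_device": True},
    {"user": "carol", "asset": "hr.example.com", "internet_facing": True,
     "public": False, "enrolled": ["passphrase"],
     "presented": ["passphrase"], "remembered_device": False},
    {"user": "dave", "asset": "www.example.com", "internet_facing": True,
     "public": True, "enrolled": ["passphrase"],
     "presented": ["passphrase"], "remembered_device": False},
]


def in_scope(event):
    """The finding covers assets that are Internet-facing but not public."""
    return event["internet_facing"] and not event["public"]


def single_factor_logins(events):
    """Return (user, asset, reason) for in-scope logins verified with one factor."""
    findings = []
    for e in events:
        if not in_scope(e):
            continue
        # Count what was verified at this login, not what the account has enrolled.
        if len(set(e["presented"])) >= 2:
            continue
        reason = ("second factor skipped for remembered device"
                  if e["remembered_device"] else "only one factor presented")
        findings.append((e["user"], e["asset"], reason))
    return findings


def enrolment_only_audit(events):
    """Naive check that looks only at enrolment; shown for comparison."""
    return [(e["user"], e["asset"]) for e in events
            if in_scope(e) and len(set(e["enrolled"])) < 2]


if __name__ == "__main__":
    for finding in single_factor_logins(SIGN_INS):
        print(finding)
```

The enrolment-only check reports just the account with one enrolled factor, while the per-login check also reports the account that has two factors enrolled but was asked for only one on a remembered device.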
The Australian Cyber Security Centre (ACSC) recommends the use of multi-factor authentication as one of its Essential Eight Strategies to Mitigate Cyber Security Incidents, advising that it is one of the most effective controls that an organisation can implement to prevent an adversary from gaining access to an asset. Source: ACSC Implementing Multi-Factor Authentication