NCSC: logging in with password is the most insecure form of authentication

Logging in with a username and password is the most insecure form of authentication. Organizations that want to better protect their accounts are therefore advised to choose stronger authentication methods, such as two-factor authentication (2FA) and the FIDO2 standard from the FIDO Alliance. This is stated by the National Cyber ​​Security Center (NCSC) in a new fact sheet called “Authenticating adults”.

According to the NCSC, accounts with elevated privileges within a system, such as administrator accounts, are increasingly the target of attacks. “Given this development, it is extra important to protect accounts in an appropriate way. The Cyber ​​Security Assessment Netherlands 2021 endorses the importance of good authentication and shows that the threat level for weak authentication is high,” the government service warns. He therefore recommends stronger authentication methods such as 2FA.

Not all forms of 2FA are created equal. For example, the fact sheet states that two-factor authentication using an SMS or e-mail is the least secure form of 2FA. An attacker could intercept the login codes sent by e-mail or SMS. Using biometrics as a second layer of security is less susceptible to such an attack, but is subject to privacy laws and regulations such as the General Data Protection Regulation (GDPR), the NCSC said.

The government also advises to distinguish between different accounts on the basis of the associated risk. High-impact accounts, such as those of administrators, require different security than, for example, guest accounts. Organizations can divide their accounts into low, medium and high impact accounts based on a risk assessment. The accounts can then be secured in an appropriate manner using the maturity model for authentication.

Finally, the factsheet recommends setting a maximum number of allowed login attempts per unit of time for all clients. In addition, employees should be able to view their login history, so that they can spot and report suspicious activity more quickly.