Request MFA for critical systems
Summary
All critical systems must have multifactor authentication (MFA) implemented to add an extra layer of security beyond passwords.
Description
Multifactor authentication (MFA) requires providing two or more different pieces of evidence to verify the identity before gaining access to a system or account. It combines something the user knows (e.g., password), something they have (e.g., mobile authenticator apps), and something they are (e.g., face features). Without MFA, systems are more vulnerable to cyberattacks, including phishing, credential theft, and unauthorized access to sensitive data.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🟢 |
| Advanced | 🟢 |
References
- OWASP-M TOP 10-M4. Insecure authentication
- MITRE ATT&CK®-M1025. Privileged process integrity
- MITRE ATT&CK®-M1032. Multi-factor authentication
- CMMC-IA_L2-3_5_3. Multifactor authentication
- CMMC-MA_L2-3_7_5. Nonlocal maintenance
- WASSEC-2_1. Authentication schemes
- NIST SSDF-PO_5_1. Implement and maintain secure environments for software development
- OWASP ASVS-1_2_4. Authentication architecture
- OWASP ASVS-2_2_4. General authenticator security
- PCI DSS-8_4_1. Multi-factor authentication (MFA) is implemented to secure access
- PCI DSS-8_4_2. Multi-factor authentication (MFA) is implemented to secure access
- PCI DSS-8_4_3. Multi-factor authentication (MFA) is implemented to secure access
- SIG Core-H_2_14. Access control
- SIG Core-H_4_2. Access control
- SIG Core-N_1_15_5. Network security
- SIG Core-U_1_6_2. Server security
- SIG Core-U_1_9_27. Server security
- OWASP ASVS-4_3_1. Other access control considerations
- SANS 25-20. Missing authentication for critical function
- CASA-2_2_4. General Authenticator Security
- CASA-4_3_1. Other Access Control Considerations
- Resolution SB 2021 2126-Art_28_5. Security in Electronic Channels - ATMs
- Resolution SB 2021 2126-Art_30_8. Security in Electronic Channels - Digital Banking
- CWE TOP 25-306. Missing authentication for critical function
Vulnerabilities
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.