IAM-008 Multi-Factor Authentication
Description
Multi-factor authentication (MFA) is required for access to all externally-facing systems, administrative interfaces, and systems holding sensitive or regulated data. MFA must combine at least two distinct authentication factors (knowledge, possession, or inherence). MFA is enforced at the system level, not left to user discretion.
Rationale
Passwords alone are insufficient against phishing, credential stuffing, and brute force. MFA is the single highest-impact control for preventing unauthorised account access.
Framework Mappings (4)
| Control | Title | Mapping strength |
|---|---|---|
| IAM-13 | Strong Authentication | full |
| 8.5 | Secure authentication | partial |
| IA-2 | Identification and Authentication (Organizational Users) | partial |
| CC6.1 | Logical Access Security Software, Infrastructure, and Architectures | informative |
Evidence (2)
IdP or SSO provider settings showing MFA is enforced for all user accounts on externally-facing systems and administrative interfaces, with no active policy exclusions.
Example: Okta admin console export or Azure AD Conditional Access policy export showing an MFA enforcement policy applied to All Users with no user or group exclusions, set to Enabled/Enforced (not Audit or Disabled).
Test: Query the IdP API for MFA policy configuration (e.g. Okta GET /api/v1/policies?type=MFA_ENROLL, Azure AD Conditional Access policies). Verify: (1) at least one policy requires MFA for all users accessing in-scope systems, (2) the policy is in Enforced mode — not Audit-only, (3) no exclusion groups contain active user accounts, (4) legacy authentication protocols that bypass MFA (e.g. SMTP auth, Basic Auth) are blocked.
Authentication event logs confirming that MFA challenges are consistently triggered and completed for user logins to in-scope systems.
Example: Okta System Log or Azure AD Sign-in Log export for the past 7 days showing authentication events with MFA step result (success/failure/bypass). Sample must include admin console logins and application logins.
Test: Query the IdP sign-in log for the past 7 days. Verify: (1) every successful login to in-scope systems includes a completed MFA event, (2) the count of logins with MFA_SKIPPED or MFA_BYPASS is zero, or each such entry has a matching documented exception, (3) no successful logins used password-only authentication to in-scope systems.
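A worked version of the two Evidence tests above, added here as an example rather than the control catalogue's own tooling: `policy_findings` checks a policy object against the four conditions of the first test, and `login_findings` runs the three checks of the second test over a constructed sign-in log. The policy fields, the log record layout, the in-scope system names and the exception list are all assumptions, not the Okta or Azure AD API schemas.

```python
"""Audit checks for the two MFA Evidence tests above (added example, not the
catalogue's own tooling); record layouts are constructed, not vendor API schemas."""
from dataclasses import dataclass, field

IN_SCOPE = {"admin-console", "vpn", "hr-app"}  # constructed set of in-scope systems

@dataclass
class MfaPolicy:
    mode: str                      # "enforced", "audit" or "disabled"
    applies_to_all_users: bool
    excluded_active_users: list = field(default_factory=list)  # active accounts in exclusion groups
    legacy_auth_blocked: bool = True                           # SMTP auth, Basic Auth, etc. blocked

def policy_findings(p: MfaPolicy) -> list:
    """Return the conditions of Evidence test 1 that the policy fails (empty list = pass)."""
    findings = []
    if not p.applies_to_all_users:
        findings.append("policy does not require MFA for all users")
    if p.mode != "enforced":
        findings.append(f"policy mode is {p.mode}, not enforced")
    if p.excluded_active_users:
        findings.append(f"exclusion group holds active users: {sorted(p.excluded_active_users)}")
    if not p.legacy_auth_blocked:
        findings.append("legacy authentication protocols are not blocked")
    return findings

# Constructed sign-in records: (user, system, outcome, mfa_result); None = password-only login.
SAMPLE_LOG = [
    ("alice", "admin-console", "success", "success"),
    ("bob", "vpn", "success", "bypass"),     # covered by a documented exception
    ("carol", "hr-app", "success", None),    # password-only login to an in-scope system
    ("dave", "wiki", "success", None),       # out of scope, so not a finding
    ("erin", "vpn", "success", "skipped"),   # MFA skipped with no exception on file
    ("frank", "vpn", "failure", "failure"),  # failed logins are not counted
]
DOCUMENTED_EXCEPTIONS = {("bob", "vpn")}  # constructed (user, system) pairs with an approved exception

def login_findings(log, exceptions=DOCUMENTED_EXCEPTIONS):
    """Evidence test 2: flag successful in-scope logins that were password-only, or whose
    MFA step was skipped/bypassed without a matching documented exception."""
    findings = []
    for user, system, outcome, mfa in log:
        if outcome != "success" or system not in IN_SCOPE:
            continue
        if mfa is None:
            findings.append((user, system, "password-only"))
        elif mfa in ("skipped", "bypass") and (user, system) not in exceptions:
            findings.append((user, system, f"mfa {mfa} without documented exception"))
    return findings
```

Both functions return an empty list only when every condition of the corresponding test holds, so a non-empty result is the evidence gap to record.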
Questions (2)
Is MFA enforced for all user access to externally-facing systems, administrative interfaces, and systems holding sensitive or regulated data?
MFA must be enforced at the system or IdP level, not left to user discretion. Enforcement means no in-scope access path can be completed with a password alone.
Which MFA methods are supported and in use for accessing in-scope systems?
Hardware keys and authenticator apps are phishing-resistant and preferred. SMS and email OTP are weaker but acceptable as supplementary factors. SMS-only is not considered strong MFA for high-risk access paths.