aa-1 Critical priority Account Security / Account Security

Multi-factor authentication is required for all user accounts

Stolen passwords are the leading cause of account compromise. MFA means that even when credentials are stolen, phished, or guessed, an attacker cannot log in without the second factor. CISA considers MFA the single highest-impact control available. It should be enforced at the identity provider level for every account that accesses business systems, not left to individual users to opt into.

Implementation steps

  1. Enforce MFA at the identity provider for all users

     Enable MFA enforcement in your SSO or identity provider. No user should be able to authenticate without completing a second factor. Disable any bypass policies or legacy authentication protocols that circumvent MFA. Prefer authenticator apps or hardware keys over SMS, which is vulnerable to SIM-swapping.

     okta google-workspace azure-ad duo

  2. Require MFA for remote access and VPN

     Any remote access path into the corporate network or cloud environment must require MFA independently. A VPN with only a password is not sufficient. Configure your VPN or zero-trust access solution to require MFA at connection time.

     cisco-duo cloudflare-access tailscale zscaler

  3. Audit and enforce MFA coverage

     Run a report showing which users have MFA enrolled and which do not. Any user without MFA enrolled should be flagged and required to enroll before their next login. Set up a recurring check to ensure MFA enrollment stays at 100% as new users are added.

     okta google-workspace azure-ad drata vanta
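The audit in step 3 can be automated against a user export from the identity provider. The following is an added example, not part of this control page or any vendor's tooling: it reads a constructed, simplified export (login, status, enrolled factors), excludes accounts that cannot authenticate from the denominator, and flags two gaps rather than one, users with no factor at all and users whose only factor is SMS or voice, which step 1 says should not be relied on. The factor names, the export layout and the `parse_export`/`audit_mfa` functions are assumptions for illustration; a real provider's report will need its own parser in place of `parse_export`.

```python
"""Audit MFA enrollment coverage from an identity-provider user export.

Added example code. The export format below is a constructed, simplified
shape and is not any specific provider's API schema.
"""
from dataclasses import dataclass, field

# Factor types treated as strong (app-based or phishing-resistant).
# SMS and voice are deliberately excluded because of SIM-swapping risk.
STRONG_FACTORS = {"totp", "push", "webauthn", "hardware_key"}
WEAK_FACTORS = {"sms", "voice"}


@dataclass
class User:
    login: str
    status: str                      # e.g. "ACTIVE", "SUSPENDED", "DEPROVISIONED"
    factors: list = field(default_factory=list)


@dataclass
class AuditResult:
    active_users: int
    enrolled_strong: int
    not_enrolled: list               # active users with no factor at all
    weak_only: list                  # active users with only SMS/voice

    @property
    def coverage_pct(self) -> float:
        if self.active_users == 0:
            return 100.0
        return round(100.0 * self.enrolled_strong / self.active_users, 1)

    @property
    def compliant(self) -> bool:
        # The control requires 100% enrollment: nobody without a strong factor.
        return not self.not_enrolled and not self.weak_only


def audit_mfa(users):
    """Classify each active user by MFA enrollment state.

    Suspended/deprovisioned accounts cannot log in, so they are left out of
    the denominator; otherwise stale accounts could inflate the percentage.
    """
    not_enrolled, weak_only = [], []
    active = strong = 0
    for u in users:
        if u.status != "ACTIVE":
            continue
        active += 1
        factors = {f.lower() for f in u.factors}
        if factors & STRONG_FACTORS:
            strong += 1
        elif factors & WEAK_FACTORS:
            weak_only.append(u.login)
        else:
            not_enrolled.append(u.login)
    return AuditResult(active, strong, not_enrolled, weak_only)


def parse_export(lines):
    """Parse the constructed export: login,status,factor1|factor2 per line."""
    users = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        login, status, factors = (line.split(",") + [""])[:3]
        users.append(User(login, status, [f for f in factors.split("|") if f]))
    return users


# Constructed sample export (not real accounts).
SAMPLE_EXPORT = """\
# login,status,factors
alice@example.com,ACTIVE,totp|webauthn
bob@example.com,ACTIVE,sms
carol@example.com,ACTIVE,
dave@example.com,DEPROVISIONED,
erin@example.com,ACTIVE,push
""".splitlines()


def run_sample():
    return audit_mfa(parse_export(SAMPLE_EXPORT))


if __name__ == "__main__":
    r = run_sample()
    print(f"active users: {r.active_users}, strong-MFA coverage: {r.coverage_pct}%")
    print("not enrolled:", r.not_enrolled)
    print("SMS/voice only:", r.weak_only)
    print("compliant:", r.compliant)
```

Run on a schedule (the recurring check in step 3), the `not_enrolled` and `weak_only` lists are the users to force into enrollment at next login, and a `coverage_pct` of 100 with `compliant` true is the figure the enrollment-report evidence should show.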

Evidence required

MFA enforcement policy configuration

Evidence that MFA is required and cannot be bypassed.

  • Identity provider MFA policy showing enforcement for all users
  • Okta or Azure AD conditional access policy requiring MFA
  • MFA enrollment report showing 100% coverage

Related controls