AuditRubric
pr-aa-2 critical Protect / Identity Management, Authentication, and Access Control

Identities are proofed and bound to credentials based on the context of interactions

A username and password alone are not sufficient authentication for business systems. Multi-factor authentication (MFA) ensures that a compromised password alone does not mean a compromised account. This is one of the highest-impact controls you can implement: MFA blocks the bulk of credential-stuffing and password-spray account takeovers outright. The caveat is that SMS codes and push approvals can still be defeated by real-time phishing proxies and push-fatigue prompting, which is why the steps below prefer phishing-resistant methods.

Estimated effort: 3h
Tags: mfa, authentication, passwords, access-control, phishing
Complete first: pr-aa-1

Implementation steps

  1.

    Enable MFA on your identity provider

    Turn on MFA enforcement at the IdP level so it applies to every application in your SSO umbrella at once. Prefer phishing-resistant methods (hardware keys, passkeys) over SMS. Also disable legacy authentication protocols (IMAP, POP, SMTP basic auth) on the IdP, since they do not prompt for a second factor and are the usual route around an MFA policy.

    Tools: okta, google-workspace, microsoft-entra, duo
  2.

    Enforce MFA on all critical systems outside SSO

    Any system that is not covered by your IdP (cloud provider root accounts, domain registrar, DNS provider, code repositories) must have MFA enabled directly. Root/admin accounts are the highest priority because nothing sits above them to contain a takeover. Where the platform supports it, require MFA for every human user on that system, not only root: in AWS that means every IAM user with a console password, and in GitHub the organization-wide 2FA requirement.

    Tools: aws-iam, github, cloudflare
  3.

    Distribute a password manager company-wide

    MFA protects a single system; a password reused across systems still exposes every one of them where MFA is not enforced, and weak passwords make the first factor trivial to guess. Provide every employee a password manager account and require its use for all work credentials, so each account gets a unique, generated password.

    Tools: 1password, bitwarden, dashlane
  4.

    Document your MFA policy

    Write a one-page authentication policy stating that MFA is required for all work systems, which methods are approved, and what employees should do if they lose their second factor.

Evidence required

MFA enforcement configuration

Screenshot showing MFA is enforced for all users in your IdP, with no exceptions. If you keep emergency-access (break-glass) accounts excluded from the conditional access policy, list them in the evidence and show that each is protected by a hardware key and monitored for sign-ins.

  • Okta security policy showing MFA required
  • Google Workspace 2-step verification enforcement report
  • Entra ID conditional access policy requiring MFA

MFA on privileged external accounts

Screenshots confirming MFA is enabled on cloud provider root/admin accounts and other critical systems outside SSO.

  • AWS account security credentials page showing MFA enabled
  • GitHub organization SAML or 2FA requirement screenshot
  • Cloudflare account security settings
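Screenshots satisfy the auditor, but a repeatable check is what catches the IAM user who was created after the screenshot was taken. The script below is an added example, not part of the AuditRubric page or any vendor's tooling; it audits an AWS IAM credential report (the same data behind the "security credentials" evidence for step 2) for the root account and any console user without MFA. The sample report is constructed and trimmed to the columns the check reads; the account ID and user names are made up. The optional live fetch assumes boto3 and credentials with iam:GenerateCredentialReport and iam:GetCredentialReport.

```python
"""Audit an AWS IAM credential report for console users and the root
account that lack MFA. Added example; not part of the AuditRubric page."""
import csv
import io
import time

# Constructed sample, trimmed to the columns this check reads. The real
# report from `aws iam get-credential-report` has 22 columns; the account ID
# and user names below are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2019-03-04T10:00:00+00:00,not_supported,2024-01-10T08:00:00+00:00,false,false
alice,arn:aws:iam::123456789012:user/alice,2021-06-01T09:00:00+00:00,true,2024-02-01T12:00:00+00:00,true,false
bob,arn:aws:iam::123456789012:user/bob,2022-01-15T09:00:00+00:00,true,2024-02-02T12:00:00+00:00,false,true
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2022-05-20T09:00:00+00:00,false,no_information,false,true
"""

ROOT_USER = "<root_account>"  # literal user name AWS puts in the report


def find_mfa_gaps(report_csv: str) -> list[dict]:
    """Return one finding per principal that can sign in to the console
    without MFA. Root is reported first. Users with no console password
    (access-key-only service users) are skipped, since MFA does not apply
    to long-lived access keys; those need rotation controls instead."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        mfa = row["mfa_active"].strip().lower() == "true"
        if row["user"] == ROOT_USER:
            # Root reports password_enabled as "not_supported"; it always has
            # a console password, so check MFA unconditionally.
            if not mfa:
                findings.append({"user": ROOT_USER, "severity": "critical",
                                 "reason": "root account without MFA"})
            continue
        console = row["password_enabled"].strip().lower() == "true"
        if console and not mfa:
            findings.append({"user": row["user"], "severity": "high",
                             "reason": "console password enabled, MFA not active"})
    # Root first, then alphabetical, so repeated runs diff cleanly.
    findings.sort(key=lambda f: (f["user"] != ROOT_USER, f["user"]))
    return findings


def fetch_live_report(poll_seconds: float = 2.0, attempts: int = 15) -> str:
    """Fetch the current report with boto3. Imported here so the offline
    sample above runs without boto3 installed."""
    import boto3  # assumption: boto3 available and AWS credentials configured

    iam = boto3.client("iam")
    for _ in range(attempts):
        # Report generation is asynchronous: poll until State is COMPLETE.
        if iam.generate_credential_report()["State"] == "COMPLETE":
            break
        time.sleep(poll_seconds)
    # botocore base64-decodes blob fields, so Content is the raw CSV bytes.
    return iam.get_credential_report()["Content"].decode("utf-8")


if __name__ == "__main__":
    for f in find_mfa_gaps(SAMPLE_REPORT):
        print(f"{f['severity'].upper():8} {f['user']}: {f['reason']}")
```

Run it on a schedule and attach the output alongside the screenshot; an empty findings list is the evidence that the control still holds. Replace `SAMPLE_REPORT` with `fetch_live_report()` for the real account.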

Authentication policy document

Written policy stating MFA requirements, approved methods, and recovery procedures.

  • Confluence or Notion policy page
  • PDF in your document management system

Related controls