328 – Request MFA for critical systems

Summary

All critical systems must have multifactor authentication (MFA) implemented to add an extra layer of security beyond passwords.

Description

Multifactor authentication (MFA) requires providing two or more different pieces of evidence to verify the identity before gaining access to a system or account. It combines something the user knows (e.g., password), something they have (e.g., mobile authenticator apps), and something they are (e.g., face features). Without MFA, systems are more vulnerable to cyberattacks, including phishing, credential theft, and unauthorized access to sensitive data.

Supported In

Essential: True

Advanced: True

References

• OWASPM10-M4. Insecure authentication
• MITRE-M1025. Privileged process integrity
• MITRE-M1032. Multi-factor authentication
• CMMC-IA_L2-3_5_3. Multifactor authentication
• CMMC-MA_L2-3_7_5. Nonlocal maintenance
• WASSEC-2_1. Authentication schemes
• NISTSSDF-PO_5_1. Implement and maintain secure environments for software development
• ASVS-1_2_4. Authentication architecture
• ASVS-2_2_4. General authenticator security
• PCI-8_4_1. Multi-factor authentication (MFA) is implemented to secure access
• PCI-8_4_2. Multi-factor authentication (MFA) is implemented to secure access
• PCI-8_4_3. Multi-factor authentication (MFA) is implemented to secure access
• SIG-H_2_14. Access control
• SIG-H_4_2. Access control
• SIG-N_1_15_5. Network security
• SIG-U_1_6_2. Server security
• SIG-U_1_9_27. Server security
• ASVS-4_3_1. Other access control considerations
• SANS25-20. Missing authentication for critical function
• CASA-2_2_4. General Authenticator Security
• CASA-4_3_1. Other Access Control Considerations
• RESOLSB-Art_28_5. Security in Electronic Channels - ATMs
• RESOLSB-Art_30_8. Security in Electronic Channels - Digital Banking
• CWE25-306. Missing authentication for critical function

Weaknesses

• 081 – Lack of multi-factor authentication

Last updated

2025/06/13