362 – Assign MFA mechanisms to a single account

Summary

The system must associate each secondary authentication mechanism with a single account.

Description

Single-factor authentication mechanisms often offer poor security due to the weak, common or easy-to-guess passwords that users tend to set. Secondary authentication mechanisms, such as physical or logical security tokens, smart cards and certificates, help guarantee the identity of actors trying to authenticate. However, their value highly decreases when they are shared by multiple accounts.

Supported In

Advanced: True

References

• CWE-287. Improper authentication
• CWE-1390. Weak Authentication
• OWASP10-A7. Identification and authentication failures
• NYDFS-500_12. Multi-factor authentication
• MITRE-M1032. Multi-factor authentication
• PADSS-3_1_5. Payment application does not require or use any group, shared, or generic accounts and passwords
• PADSS-8_3. Operation of two-factor authentication technologies for secure remote access
• SANS25-13. Improper authentication
• CMMC-IA_L2-3_5_3. Multifactor authentication
• CMMC-MA_L2-3_7_5. Nonlocal maintenance
• CMMC-MP_L2-3_8_1. Media protection
• CMMC-PE_L1-3_10_1. Limit physical access
• CMMC-PE_L1-3_10_5. Manage physical access
• FEDRAMP-IA-2_11. Identification and authentication - Remote access, separate device
• FEDRAMP-PE-3. Physical access control
• IEC62443-CR-1_1-RE_2. Multifactor authentication for all interfaces
• OWASPRISKS-P2. Operator-sided data leakage
• NIST800171-5_3. Use multifactor authentication for local and network access to privileged accounts
• CWE25-287. Improper authentication
• SWIFTCSC-4_2. Multi-factor authentication
• SWIFTCSC-5_2. Token management
• ASVS-14_2_4. Dependency
• C2M2-4_1_h. Establish identities and manage authentication
• C2M2-4_1_i. Establish identities and manage authentication
• PCI-8_3_11. An authentication factor cannot be used by anyone other than the user assigned
• SIGLITE-SL_75. Is two factor authentication required to access the production environment containing scoped data?
• SIGLITE-SL_76. Are staff able to access client scoped data?
• CASA-2_10_1. Service Authentication
• RESOLSB-Art_30_8. Security in Electronic Channels - Digital Banking
• OWASPMASVS-AUTH-3. The app secures sensitive operations with additional authentication
• NIST-PR_AA-03. Users, services, and hardware are authenticated

Last updated

2024/03/05