Assign MFA mechanisms to a single account
Summary
The system must associate each secondary authentication mechanism with a single account.
Description
Single-factor authentication mechanisms often offer poor security due to the weak, common or easy-to-guess passwords that users tend to set. Secondary authentication mechanisms, such as physical or logical security tokens, smart cards and certificates, help guarantee the identity of actors trying to authenticate. However, their value highly decreases when they are shared by multiple accounts.
References
- CWE-287. Improper authentication
- CWE-1390. Weak Authentication
- OWASP10-A7. Identification and authentication failures
- NYDFS-500_12. Multi-factor authentication
- MITRE-M1032. Multi-factor authentication
- PADSS-3_1_5. Payment application does not require or use any group, shared, or generic accounts and passwords
- PADSS-8_3. Operation of two-factor authentication technologies for secure remote access
- SANS25-13. Improper authentication
- CMMC-IA_L2-3_5_3. Multifactor authentication
- CMMC-MA_L2-3_7_5. Nonlocal maintenance
- CMMC-MP_L2-3_8_1. Media protection
- CMMC-PE_L1-3_10_1. Limit physical access
- CMMC-PE_L1-3_10_5. Manage physical access
- FEDRAMP-IA-2_11. Identification and authentication - Remote access, separate device
- FEDRAMP-PE-3. Physical access control
- IEC62443-CR-1_1-RE_2. Multifactor authentication for all interfaces
- OWASPRISKS-P2. Operator-sided data leakage
- NIST800171-5_3. Use multifactor authentication for local and network access to privileged accounts
- CWE25-287. Improper authentication
- SWIFTCSC-4_2. Multi-factor authentication
- SWIFTCSC-5_2. Token management
- ASVS-14_2_4. Dependency
- C2M2-4_1_h. Establish identities and manage authentication
- C2M2-4_1_i. Establish identities and manage authentication
- PCI-8_3_11. An authentication factor cannot be used by anyone other than the user assigned
- SIGLITE-SL_75. Is two factor authentication required to access the production environment containing scoped data?
- SIGLITE-SL_76. Are staff able to access client scoped data?
- CASA-2_10_1. Service Authentication
- RESOLSB-Art_30_8. Security in Electronic Channels - Digital Banking
- OWASPMASVS-AUTH-3. The app secures sensitive operations with additional authentication
- NIST-PR_AA-03. Users, services, and hardware are authenticated
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan.If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.
Supported In
This requirement is verified in following services
Essential Plan
Advanced Plan