Level 2
Description:
Multifactor authentication requires the use of two or more different factors to authenticate. The factors are defined as something you know (e.g., password, personal identification number [PIN]); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). Multifactor authentication solutions that feature physical authenticators include hardware authenticators providing time-based or challenge-response authenticators and smart cards. In addition to authenticating users at the system level (i.e., at logon), organizations may also employ authentication mechanisms at the application level, when necessary, to provide increased information security. Access to organizational systems is defined as local access or network access. Local access is any access to organizational systems by users (or processes acting on behalf of users) where such access is obtained by direct connections without the use of networks. Network access is access to systems by users (or processes acting on behalf of users) where such access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. The use of encrypted virtual private networks for connections between organization-controlled and non-organization controlled endpoints may be treated as internal networks with regard to protecting the confidentiality of information. [SP 800-63-3] provides guidance on digital identities.
[24] Multifactor authentication requires two or more different factors to achieve authentication. The factors include: something you know (e.g., password/PIN); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). The requirement for multifactor authentication should not be interpreted as requiring federal Personal Identity Verification (PIV) card or Department of Defense Common Access Card (CAC)-like solutions. A variety of multifactor solutions (including those with replay resistance) using tokens and biometrics are commercially available. Such solutions may employ hard tokens (e.g., smartcards, key fobs, or dongles) or soft tokens to store user credentials.
[25] Local access is any access to a system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network. Network access is any access to a system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet).
Priority: High
Domain: IDENTIFICATION AND AUTHENTICATION (IA)
Services Associated with AWS:
- AWS Identity and Access Management (IAM)
- AWS Multi-Factor Authentication (MFA)
- AWS Directory Service
- AWS Single Sign-On
Services Associated with Azure:
- Azure Multi-Factor Authentication (MFA)
- Azure Active Directory (Azure AD)
- Azure AD Privileged Identity Management (PIM)
- Azure AD Conditional Access
- Azure Identity Protection
- Azure AD B2C
- Azure AD Managed Identities
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
- Administrative: supporting documentation to demonstrate how Multi-Factor Authentication (MFA) is implemented
- Technical: screenshot of MFA settings
Possible Technology Considerations:
- Identity & Access Management (IAM)
- Secure Baseline Configurations (SBC)
- Multi-Factor Authentication (MFA)
What needs to be answered:
Does the system uniquely identify and authenticate users? Is multifactor authentication used for local and network access to privileged accounts? Is multifactor authentication used for network access to non-privileged accounts?
Checks for AWS
- Implement Multifactor Authentication for Privileged and Non-Privileged Accounts
Description: This check ensures that organizations implement multifactor authentication for both local and network access to privileged accounts and for network access to non-privileged accounts. Multifactor authentication requires the use of two or more different factors to authenticate, such as something you know (e.g., password, PIN), something you have (e.g., cryptographic identification device, token), or something you are (e.g., biometric). Organizations can choose from a variety of multifactor authentication solutions, including hardware authenticators, time-based or challenge-response authenticators, smart cards, and biometrics. Multifactor authentication strengthens user authentication by adding a layer of verification beyond the password alone. It does not necessarily require federal Personal Identity Verification (PIV) cards or Department of Defense Common Access Cards (CAC); various commercially available solutions also qualify. Local access refers to direct connections without the use of networks, while network access involves communication through network connections. Remote access, a type of network access, occurs through external networks. Encrypted virtual private networks can be employed to protect the confidentiality of information over network connections.
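A way to produce technical evidence for this check beyond a screenshot is to evaluate the IAM credential report. The script below is an added example for this page, not code from the page, from AWS, or from any compliance tool. It parses the CSV that `aws iam get-credential-report` returns (base64-encoded in the response's Content field) and lists principals that can sign in to the console without an MFA device. The sample report, account ID and user names are constructed for the example.

```python
"""Find principals that can sign in to the AWS console without MFA.

Added example for this control; it is not code from the page, from AWS, or
from any compliance tool. It parses the CSV that `aws iam get-credential-report`
returns (base64-encoded in the API response's Content field). The sample
report below is constructed for this example: the account ID and user names
are fictitious.
"""
import base64
import csv
import io

# Constructed sample credential report (decoded CSV). The column names are the
# ones AWS emits; only user, password_enabled and mfa_active are used here.
SAMPLE_REPORT = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active,"
    "access_key_1_active,access_key_2_active\n"
    "<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,"
    "not_supported,2024-01-02T03:04:05+00:00,not_supported,not_supported,false,false,false\n"
    "alice,arn:aws:iam::123456789012:user/alice,2021-05-01T00:00:00+00:00,"
    "true,2024-01-01T00:00:00+00:00,2023-12-01T00:00:00+00:00,N/A,true,true,false\n"
    "bob,arn:aws:iam::123456789012:user/bob,2021-06-01T00:00:00+00:00,"
    "true,2024-01-03T00:00:00+00:00,2023-11-01T00:00:00+00:00,N/A,false,false,false\n"
    "svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2022-01-01T00:00:00+00:00,"
    "false,no_information,N/A,N/A,false,true,false\n"
)

# What the API's Content field would look like for the sample above.
SAMPLE_REPORT_B64 = base64.b64encode(SAMPLE_REPORT.encode()).decode()


def decode_report(content_b64: str) -> str:
    """Decode the base64 Content field of get-credential-report into CSV text."""
    return base64.b64decode(content_b64).decode("utf-8")


def parse_report(report_csv: str) -> list[dict]:
    """Parse the credential report CSV into one dict per principal."""
    return list(csv.DictReader(io.StringIO(report_csv)))


def can_sign_in_interactively(row: dict) -> bool:
    """True if the principal can use the console (the 'something you know' factor).

    The root user always has a console password; the report marks its
    password_enabled column as not_supported rather than true.
    """
    if row["user"] == "<root_account>":
        return True
    return row["password_enabled"] == "true"


def users_missing_mfa(rows: list[dict]) -> list[str]:
    """Principals with console sign-in but no active MFA device.

    Access-key-only users are skipped: they have no console password, so
    console MFA does not apply to them (their keys still warrant review).
    """
    return [
        row["user"]
        for row in rows
        if can_sign_in_interactively(row) and row["mfa_active"] != "true"
    ]


if __name__ == "__main__":
    rows = parse_report(decode_report(SAMPLE_REPORT_B64))
    for name in users_missing_mfa(rows):
        print(f"FINDING: {name} can sign in without MFA")
```

Run against a real report, the output list is the set of findings for the privileged and non-privileged console-access part of the check; the root user is flagged separately because the report never marks its password as enabled, so a naive filter on `password_enabled == "true"` would miss it.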
Checks for Azure
- Enforce Multifactor Authentication (MFA) for Privileged Accounts
Description: This check ensures that multifactor authentication (MFA) is enforced for privileged accounts in Azure. Privileged accounts, such as administrator accounts, should require additional factors of authentication beyond just a password to mitigate the risk of unauthorized access.
- Enforce Multifactor Authentication (MFA) for Non-Privileged Network Access
Description: This check verifies that organizations enforce multifactor authentication (MFA) for non-privileged network access in Azure. Non-privileged accounts accessing resources through network connections should require MFA to enhance the security of user authentication.
- Implement Strong Password Policies for User Accounts
Description: This check emphasizes the importance of implementing strong password policies for user accounts in Azure. Password policies should define requirements such as minimum password length, complexity, and expiration to enforce secure password practices.
- Manage User Accounts and Access Permissions
Description: This check ensures that user accounts in Azure are properly managed, including unique identification and authentication of users. User accounts should be uniquely assigned and managed by the company's central management system. Additionally, access permissions should be granted based on the principle of least privilege to limit unauthorized access.
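For the two Azure MFA checks above (privileged accounts, non-privileged network access), the enforcement point is usually an Azure AD Conditional Access policy. The script below is an added example, not code from the page or from Microsoft. It assumes policies exported in the shape returned by the Microsoft Graph endpoint `/identity/conditionalAccess/policies` (displayName, state, conditions.users, conditions.applications, grantControls); the two policies are constructed for the example and the role ID is a placeholder. The evaluator is deliberately narrow: it ignores user and application exclusions, AND-combined grant controls and authentication-strength policies, so a negative result is a prompt to inspect the tenant rather than a final verdict.

```python
"""Assess exported Conditional Access policies for an enforced MFA grant.

Added example for the two Azure MFA checks; it is not code from the page or
from Microsoft. It assumes policies in the shape returned by the Microsoft
Graph endpoint /identity/conditionalAccess/policies. The policies below are
constructed for this example and the role id is a placeholder.
"""
import json

SAMPLE_POLICIES = json.loads("""
[
  {
    "displayName": "Require MFA for directory roles",
    "state": "enabled",
    "conditions": {
      "users": {"includeUsers": [], "includeRoles": ["<ROLE-TEMPLATE-ID-PLACEHOLDER>"]},
      "applications": {"includeApplications": ["All"]}
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}
  },
  {
    "displayName": "Require MFA for all users",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
      "users": {"includeUsers": ["All"], "includeRoles": []},
      "applications": {"includeApplications": ["All"]}
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}
  }
]
""")

REPORT_ONLY = "enabledForReportingButNotEnforced"


def is_enforced(policy: dict) -> bool:
    # Report-only and disabled policies log what they would do but never
    # block a sign-in, so only "enabled" counts as enforcement.
    return policy.get("state") == "enabled"


def grants_mfa(policy: dict) -> bool:
    controls = (policy.get("grantControls") or {}).get("builtInControls", [])
    return "mfa" in controls


def targets_all_apps(policy: dict) -> bool:
    apps = policy.get("conditions", {}).get("applications", {})
    return "All" in apps.get("includeApplications", [])


def covers_all_users(policy: dict) -> bool:
    users = policy.get("conditions", {}).get("users", {})
    return "All" in users.get("includeUsers", [])


def covers_directory_roles(policy: dict) -> bool:
    users = policy.get("conditions", {}).get("users", {})
    return bool(users.get("includeRoles"))


def assess_mfa_coverage(policies: list[dict]) -> dict:
    """Return which of the two checks an enforced, tenant-wide MFA policy satisfies."""
    effective = [
        p for p in policies
        if is_enforced(p) and grants_mfa(p) and targets_all_apps(p)
    ]
    return {
        # Privileged: an enforced MFA policy scoped to directory roles, or one
        # scoped to every user (which includes administrators).
        "privileged_mfa": any(
            covers_directory_roles(p) or covers_all_users(p) for p in effective
        ),
        # Non-privileged: only an all-users policy covers ordinary accounts.
        "non_privileged_mfa": any(covers_all_users(p) for p in effective),
        # Report-only MFA policies are a common reason a tenant looks covered
        # in the portal but is not; surface them explicitly.
        "report_only_mfa_policies": [
            p["displayName"] for p in policies
            if grants_mfa(p) and p.get("state") == REPORT_ONLY
        ],
    }


if __name__ == "__main__":
    print(json.dumps(assess_mfa_coverage(SAMPLE_POLICIES), indent=2))
```

On the constructed input the privileged check passes and the non-privileged check fails, because the all-users policy is still in report-only mode; that is exactly the gap a portal screenshot of "policies: 2" would hide.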
More Details: Multifactor authentication is required for all access to systems containing CUI.