Profile Applicability:
 Level 1

Description:
The organization must enforce Multi-Factor Authentication (MFA) for all members accessing its resources, including version control systems, collaboration tools, and administrative consoles. This policy requires users to authenticate with at least two factors, such as a password combined with a one-time code or a hardware security key, so that a stolen or guessed password alone is not sufficient to gain access.

Rationale:
 Requiring MFA across the organization strengthens identity verification and significantly lowers the chance that a compromised credential leads to account takeover and unauthorized actions such as pushing code, altering pipelines, or changing organization settings. It aligns with industry best practices and compliance mandates to protect sensitive data and critical infrastructure. Note that one-time codes delivered by SMS or authenticator apps can still be captured by real-time phishing; phishing-resistant methods (FIDO2/WebAuthn security keys or passkeys) should be preferred where the platform supports them.

Impact:
 Pros:

  • Enhances security by adding an extra layer of authentication.

  • Reduces risk of account compromise due to stolen credentials.

  • Supports regulatory compliance and audit readiness.

 Cons:

  • May require user training and support for MFA setup.

  • Potential minor delays during login due to additional verification.

Default value:
 Many platforms do not enforce MFA at the organization level by default; members can authenticate with only a password until an owner or administrator explicitly enables the requirement.

Audit:
 Review the organization's authentication settings to confirm that MFA is required for every member (for GitHub, the organization setting that requires two-factor authentication for everyone in the organization; see reference 1). Enumerate all active members and outside collaborators and confirm that none lack MFA. Review sign-in logs for repeated failed attempts and for any successful sign-in that completed with a single factor, which indicates an exemption or misconfiguration.
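As an added example (not part of the benchmark text and not GitHub's own tooling), the following Python script evaluates the audit steps above against a GitHub organization using two documented REST API calls: `GET /orgs/{org}` returns `two_factor_requirement_enabled` to organization owners, and `GET /orgs/{org}/members` and `GET /orgs/{org}/outside_collaborators` accept `filter=2fa_disabled` to list accounts that lack MFA. Fetching is left to the caller; the JSON responses embedded below are constructed sample data so the check runs offline.

```python
"""Audit a GitHub organization's MFA enforcement from REST API responses.

Added example for this control; it is not part of the benchmark text or of
GitHub's tooling. Endpoints used (an organization owner's token is required):
  GET /orgs/{org}                                   -> "two_factor_requirement_enabled"
  GET /orgs/{org}/members?filter=2fa_disabled       -> members without MFA
  GET /orgs/{org}/outside_collaborators?filter=2fa_disabled -> collaborators without MFA
"""
import json

API = "https://api.github.com"


def audit_requests(org: str) -> list[tuple[str, dict]]:
    """URLs and query parameters an auditor fetches for `org`.

    Page through the member lists with `page`; GitHub caps per_page at 100.
    """
    return [
        (f"{API}/orgs/{org}", {}),
        (f"{API}/orgs/{org}/members",
         {"filter": "2fa_disabled", "per_page": 100}),
        (f"{API}/orgs/{org}/outside_collaborators",
         {"filter": "2fa_disabled", "per_page": 100}),
    ]


def evaluate(org_json: str, members_json: str, collaborators_json: str) -> dict:
    """Return a finding for the control.

    PASS requires both conditions: the organization enforces 2FA and no
    member or outside collaborator is listed without it. The enforcement flag
    is only returned to organization owners, so a response without it means
    the token is insufficient and the result is INCONCLUSIVE, never PASS.
    """
    org = json.loads(org_json)
    if "two_factor_requirement_enabled" not in org:
        return {
            "status": "INCONCLUSIVE",
            "enforced": None,
            "non_compliant": [],
            "reason": "two_factor_requirement_enabled not returned; "
                      "re-run with an organization owner token",
        }
    enforced = bool(org["two_factor_requirement_enabled"])
    # Prefix each login with its relationship so the report shows where to act.
    non_compliant = sorted(
        {f"member:{m['login']}" for m in json.loads(members_json)}
        | {f"outside_collaborator:{c['login']}"
           for c in json.loads(collaborators_json)}
    )
    if enforced and not non_compliant:
        return {"status": "PASS", "enforced": True, "non_compliant": [],
                "reason": "2FA required and no accounts lack it"}
    reasons = []
    if not enforced:
        reasons.append("organization does not require 2FA")
    if non_compliant:
        reasons.append(f"{len(non_compliant)} account(s) lack 2FA")
    return {"status": "FAIL", "enforced": enforced,
            "non_compliant": non_compliant, "reason": "; ".join(reasons)}


# Constructed sample responses; not captured from a real organization.
SAMPLE_ORG = '{"login": "example-org", "two_factor_requirement_enabled": false}'
SAMPLE_MEMBERS = '[{"login": "alice", "id": 1}, {"login": "bob", "id": 2}]'
SAMPLE_COLLABORATORS = '[{"login": "contractor-1", "id": 3}]'

if __name__ == "__main__":
    for url, params in audit_requests("example-org"):
        print("GET", url, params)
    print(json.dumps(evaluate(SAMPLE_ORG, SAMPLE_MEMBERS, SAMPLE_COLLABORATORS),
                     indent=2))
```

The member filters are checked even when enforcement is on: enabling the requirement removes non-compliant accounts at that moment, but the lists still catch drift if enforcement was later switched off and back on, and they give the owner a concrete list of people to contact before enabling it.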

Remediation:
 Enable the MFA requirement in the organization's identity provider and in each platform's organization settings. Communicate the policy to all members in advance with enrollment instructions, because on platforms such as GitHub enabling the requirement removes members and outside collaborators who have not yet set up MFA, and they lose access until they enroll and are re-added (see reference 1). Provide support channels and recovery-code guidance to assist users during the transition.

References:

  1. GitHub Enforce MFA for Organizations: https://docs.github.com/en/github/authenticating-to-github/configuring-two-factor-authentication#enforcing-two-factor-authentication-for-your-organization

  2. Microsoft Azure AD MFA: https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks

  3. CIS Controls v8, Control 6 - Multi-Factor Authentication: https://www.cisecurity.org/controls/multi-factor-authentication/