A.8.5 — Is authentication strong: MFA enforced, phishing-resistant where critical, no shared accounts?
Description
What this control does
This control requires multi-factor authentication (MFA) for all user accounts, with phishing-resistant methods (FIDO2/WebAuthn security keys or passkeys, smart-card or certificate-based authentication such as PIV) mandated for critical systems and privileged accounts. Shared accounts must be eliminated or reduced to exceptional circumstances with compensating controls. MFA protects against credential theft, password spraying, and unauthorized access by ensuring that a password alone is insufficient to compromise an account. Phishing-resistant methods close the remaining gap: a one-time code or push approval can be relayed in real time by an adversary-in-the-middle phishing site, whereas a FIDO2 or certificate-based assertion is bound to the legitimate origin and cannot be obtained or reused from a look-alike site.
Control objective
What auditing this proves
Demonstrate that the organization enforces MFA organization-wide, deploys phishing-resistant authentication for critical and privileged access, and has eliminated or strictly controls shared accounts with documented justification and compensating measures.
Associated risks
Risks this control addresses
- Credential theft via phishing campaigns bypassing single-factor authentication
- Account takeover through password spraying or brute-force attacks on accounts lacking MFA
- Real-time adversary-in-the-middle phishing, SIM swapping, and push-notification fatigue defeating SMS, one-time-code, or push-based MFA on high-value targets
- Privilege escalation by attackers compromising shared administrative credentials without individual accountability
- Insider threats exploiting shared accounts to perform malicious actions while evading attribution
- Regulatory non-compliance with standards requiring strong authentication for systems handling sensitive data
- Lateral movement following initial compromise due to weak authentication on internal systems
Testing procedure
How an auditor verifies this control
- Obtain and review the authentication policy and standards documenting MFA requirements, phishing-resistant methods for critical systems, and shared account restrictions.
- Export identity and access management (IAM) system configuration showing MFA enforcement settings, authentication methods permitted, and policy assignments by user group.
- Select a stratified sample of 20-30 user accounts spanning standard users, privileged administrators, service accounts, and any documented shared accounts.
- For each sampled account, verify MFA enrollment status, review authentication logs showing the factor types used during recent logins, and confirm no successful single-factor authentications occurred.
- Identify all systems classified as critical (financial systems, production environments, customer data repositories) and verify that access requires phishing-resistant MFA methods such as FIDO2 or PIV cards.
- Query the IAM system and directory services for accounts flagged as shared or generic, validate each against documented business justification, and confirm compensating controls are active, such as credential checkout from a privileged access management vault (so each use is attributable to an individual) or session recording.
- Attempt or simulate authentication to a critical system with a test account holding only non-phishing-resistant MFA (e.g., SMS OTP), coordinated with the system owner, to verify that the identity provider's policy blocks the login rather than relying on user guidance.
- Review MFA bypass or exception records from the past 12 months, verify each has formal approval, time-limited duration, and documented compensating controls during the exception period.
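The log-and-export review in the steps above, as an added example that is not part of the original control text: a Python script that classifies the authentication methods behind each successful sign-in, flags single-factor successes and non-phishing-resistant logins to critical resources, checks a directory export for unenrolled accounts and for shared accounts lacking a register entry or a compensating control, and checks exception records for approval and expiry. The record layouts, method names, and sample evidence are constructed assumptions, not any identity provider's export format.

```python
from datetime import date

# Method strength classification, following the control text: FIDO2 and
# certificate/PIV-based methods are phishing-resistant; SMS, voice, push and
# OTP codes count as a second factor but are not phishing-resistant; a
# password alone is single-factor. The method names are assumptions.
PHISHING_RESISTANT = {"fido2", "passkey", "piv", "certificate"}
WEAK_SECOND_FACTORS = {"sms", "voice", "push", "totp", "email_otp"}
KNOWLEDGE_FACTORS = {"password"}


def strength(methods):
    """Classify the set of methods that satisfied one sign-in."""
    used = {m.lower() for m in methods}
    if used & PHISHING_RESISTANT:
        return "phishing_resistant"
    factors = bool(used & KNOWLEDGE_FACTORS) + bool(used & WEAK_SECOND_FACTORS)
    return "mfa" if factors >= 2 else "single"


def review(signins, directory, critical_resources, shared_register, exceptions, today):
    """Return (finding, subject, detail) tuples for the auditor's working papers."""
    findings = []

    # Successful sign-ins: no single-factor success anywhere, and only
    # phishing-resistant methods on critical resources.
    for ev in signins:
        if not ev["success"]:
            continue
        s = strength(ev["methods"])
        if s == "single":
            findings.append(("single_factor_success", ev["user"], ev["resource"]))
        if ev["resource"] in critical_resources and s != "phishing_resistant":
            findings.append(("critical_without_phishing_resistant", ev["user"], ev["resource"]))

    # Directory export: every account enrolled; every account flagged as shared
    # has a register entry (justification) and at least one compensating control.
    for acct in directory:
        if not acct["mfa_enrolled"]:
            findings.append(("not_enrolled", acct["name"], acct["type"]))
        if acct["shared"]:
            entry = shared_register.get(acct["name"])
            if entry is None:
                findings.append(("shared_without_justification", acct["name"], acct["type"]))
            elif not entry.get("compensating_controls"):
                findings.append(("shared_without_compensating_control", acct["name"], acct["type"]))

    # MFA exception records: formal approval, an expiry date, and not yet expired.
    for ex in exceptions:
        if not ex.get("approved_by"):
            findings.append(("exception_unapproved", ex["user"], ex["reason"]))
        if ex.get("expires") is None:
            findings.append(("exception_open_ended", ex["user"], ex["reason"]))
        elif ex["expires"] < today:
            findings.append(("exception_expired_still_listed", ex["user"], ex["reason"]))
    return findings


# Constructed sample evidence (not real exports); field names are assumptions.
SIGNINS = [
    {"user": "alice", "resource": "mail", "methods": ["password", "push"], "success": True},
    {"user": "bob", "resource": "mail", "methods": ["password"], "success": True},
    {"user": "carol", "resource": "prod-console", "methods": ["password", "sms"], "success": True},
    {"user": "dave", "resource": "prod-console", "methods": ["fido2"], "success": True},
    {"user": "erin", "resource": "ledger", "methods": ["password"], "success": False},
    {"user": "svc-backup", "resource": "ledger", "methods": ["password", "totp"], "success": True},
]
DIRECTORY = [
    {"name": "alice", "type": "user", "mfa_enrolled": True, "shared": False},
    {"name": "bob", "type": "user", "mfa_enrolled": False, "shared": False},
    {"name": "carol", "type": "admin", "mfa_enrolled": True, "shared": False},
    {"name": "dave", "type": "admin", "mfa_enrolled": True, "shared": False},
    {"name": "svc-backup", "type": "shared", "mfa_enrolled": True, "shared": True},
    {"name": "helpdesk", "type": "shared", "mfa_enrolled": True, "shared": True},
    {"name": "kiosk", "type": "shared", "mfa_enrolled": True, "shared": True},
]
CRITICAL = {"prod-console", "ledger"}
SHARED_REGISTER = {
    "svc-backup": {"justification": "vendor appliance cannot use per-user accounts",
                   "compensating_controls": ["PAM vault checkout", "session recording"]},
    "helpdesk": {"justification": "legacy ticketing login", "compensating_controls": []},
}
EXCEPTIONS = [
    {"user": "bob", "reason": "token lost", "approved_by": "CISO", "expires": date(2024, 1, 31)},
    {"user": "erin", "reason": "travel", "approved_by": None, "expires": None},
]
TODAY = date(2024, 3, 1)  # assumed review date


def run_audit():
    return review(SIGNINS, DIRECTORY, CRITICAL, SHARED_REGISTER, EXCEPTIONS, TODAY)


if __name__ == "__main__":
    for finding in run_audit():
        print(*finding, sep="\t")
```

On real evidence the IdP's sign-in export and directory export are mapped into these fields first; the method names in the three classification sets must match the names the identity provider actually reports, and a method reported as "hardware token" should be placed in the phishing-resistant set only if it is FIDO2 or certificate-based, since a hardware OTP generator is not.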