Is multi-factor authentication enforced on all admin and remote access (Art 21.2.j)?
Description
What this control does
This control requires organizations to enforce multi-factor authentication (MFA) for all administrative accounts and remote access connections to enterprise systems. MFA combines at least two independent authentication factors—something the user knows (password), something the user has (token, mobile device), or something the user is (biometric)—to verify identity before granting privileged or remote access. Under NIS2 Article 21.2.j, this is a mandatory technical measure that protects essential and important entities against credential-based attacks, which succeed wherever a password alone is sufficient to gain access.
Control objective
What auditing this proves
Demonstrate that multi-factor authentication is technically enforced and cannot be bypassed for all administrative accounts and remote access mechanisms across the organization's systems and networks.
Associated risks
Risks this control addresses
- Unauthorized access to administrative functions through compromised credentials obtained via phishing, credential stuffing, or password spraying attacks
- Lateral movement and privilege escalation following successful authentication using stolen or leaked administrator passwords
- Remote access compromise enabling external attackers to access internal networks using valid but stolen VPN or remote desktop credentials
- Insider threats exploiting single-factor authentication to perform unauthorized privileged actions without additional verification
- Brute-force attacks succeeding against weak or default administrator passwords in the absence of additional authentication barriers
- Session hijacking or credential replay attacks bypassing authentication controls when only passwords are required
- Regulatory non-compliance with NIS2 Article 21.2.j resulting in potential supervisory sanctions and reputational damage
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's authentication policy and remote access policy to confirm documented requirements for MFA on administrative and remote access accounts
- Request a complete inventory of systems, applications, and platforms that support administrative access or remote connectivity (VPN, RDP, SSH, cloud consoles, privileged access workstations)
- Select a representative sample of systems across on-premises infrastructure, cloud environments, network devices, security tools, and business applications for testing
- Review authentication configuration settings for each sampled system to verify MFA is enabled and enforced for administrator roles and remote access methods
- Conduct live authentication tests by attempting to log in to sampled administrative accounts and remote access portals to confirm that an MFA challenge is presented and cannot be skipped or circumvented
- Examine authentication logs for a two-week period to verify all administrative and remote access sessions include MFA validation events with no single-factor authentication exceptions
- Interview system administrators and IT operations staff to identify any legitimate bypass mechanisms, break-glass accounts, or service accounts excluded from MFA requirements
- Review exception and compensating control documentation for any identified accounts without MFA, verifying appropriate risk acceptance and alternative safeguards are in place
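An added example of the log-review step above (not part of this control text): a Python script that reads constructed JSON login events, flags successful in-scope sessions (privileged accounts or remote access) within the two-week window that carry no MFA factor, and separates documented exceptions from undocumented control failures. The log format, field names, access types and the exception list are assumptions made for this example.

```python
import json
from datetime import datetime, timedelta
# Constructed sample login events (not real logs), one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2024-03-01T08:02:11Z","user":"alice","privileged":true,"access":"console","mfa":"totp","result":"success"}
{"ts":"2024-03-01T08:15:40Z","user":"bob","privileged":false,"access":"vpn","mfa":"push","result":"success"}
{"ts":"2024-03-02T22:41:05Z","user":"svc-backup","privileged":true,"access":"ssh","mfa":"none","result":"success"}
{"ts":"2024-03-03T09:30:00Z","user":"carol","privileged":true,"access":"rdp","mfa":"none","result":"success"}
{"ts":"2024-03-03T09:31:12Z","user":"dave","privileged":false,"access":"vpn","mfa":"none","result":"success"}
{"ts":"2024-03-04T10:00:00Z","user":"erin","privileged":true,"access":"console","mfa":"none","result":"failure"}
{"ts":"2024-02-10T10:00:00Z","user":"frank","privileged":true,"access":"ssh","mfa":"none","result":"success"}
"""
# Accounts with a documented, risk-accepted exception (e.g. break-glass). Constructed list.
DOCUMENTED_EXCEPTIONS = {"svc-backup"}
# Access methods treated as remote access for the review (assumption).
REMOTE_ACCESS = {"vpn", "rdp", "ssh"}

def _ts(s):
    """Parse the log's UTC timestamps (the format is an assumption of this example)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_events(text):
    """Parse newline-delimited JSON login events into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def in_scope(event):
    """Article 21.2.j scope: any privileged account, or any remote access session."""
    return bool(event.get("privileged")) or event.get("access") in REMOTE_ACCESS

def find_single_factor_sessions(events, period_end, days=14):
    """Successful in-scope logins in the review window that carry no MFA factor."""
    end = _ts(period_end)
    start = end - timedelta(days=days)
    findings = []
    for e in events:
        if not (start <= _ts(e["ts"]) <= end) or e["result"] != "success" or not in_scope(e):
            continue
        if e.get("mfa") in (None, "", "none"):
            findings.append({"user": e["user"], "access": e["access"], "ts": e["ts"],
                             "documented_exception": e["user"] in DOCUMENTED_EXCEPTIONS})
    return findings

def undocumented(findings):
    """Findings without a documented exception: control failures, not accepted risk."""
    return [f for f in findings if not f["documented_exception"]]

if __name__ == "__main__":
    gaps = find_single_factor_sessions(parse_events(SAMPLE_LOG), "2024-03-05T00:00:00Z")
    for f in gaps:
        status = "documented exception" if f["documented_exception"] else "CONTROL FAILURE"
        print(f"{f['ts']} {f['user']:<12} {f['access']:<8} {status}")
```

Failed logins and events outside the review window are ignored; every undocumented finding is a session the auditor would raise against the control.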