IA-2(1) / IA-2(2) / IA-2(12) / A.9.4.2 / CIS-6.3 / CIS-6.5 NIST SP 800-53 Rev 5

Is multi-factor authentication enforced on all email, VPN, admin and remote access accounts?

Demonstrate that multi-factor authentication is technically enforced on all email, VPN, administrative, and remote access accounts, preventing authentication using passwords alone.

Description

What this control does

This control requires multi-factor authentication (MFA) to be enforced on all privileged and remote access pathways, including email systems, virtual private network (VPN) connections, administrative accounts, and remote desktop or terminal services. MFA combines two or more independent credential types—something the user knows (password), possesses (hardware token, mobile device), or is (biometric)—to verify identity before granting access. Enforcing MFA on these high-risk access vectors significantly reduces the likelihood of credential-based attacks such as phishing, brute force, and credential stuffing.

Control objective

What auditing this proves

Demonstrate that multi-factor authentication is technically enforced on all email, VPN, administrative, and remote access accounts, preventing authentication using passwords alone.

Associated risks

Risks this control addresses

  • Credential theft via phishing campaigns allows unauthorized access to email systems containing sensitive business communications and attachments
  • Stolen or leaked VPN credentials enable external attackers to establish persistent network access and move laterally within the internal environment
  • Compromised administrative accounts allow attackers to escalate privileges, disable security controls, create backdoor accounts, and exfiltrate data
  • Brute force or credential stuffing attacks successfully authenticate to remote access services using weak or reused passwords
  • Session hijacking or man-in-the-middle attacks bypass password-only authentication on remote desktop connections
  • Insider threats or former employees leverage cached or unchanged credentials to access systems remotely after termination
  • Malware or keyloggers capture passwords that are sufficient for authentication without a second factor requirement

Testing procedure

How an auditor verifies this control

  1. Obtain and review the organization's identity and access management (IAM) policy and MFA policy documentation to identify stated MFA enforcement requirements.
  2. Generate an inventory of all systems and services providing email access (web clients, IMAP/POP/SMTP, mobile sync), VPN endpoints, administrative consoles, and remote access tools (RDP, SSH, remote support platforms).
  3. For each email access method, review authentication configuration settings in the mail server or identity provider console to confirm MFA is required and cannot be bypassed.
  4. For VPN systems, export authentication configuration and conditional access policies to verify MFA enforcement rules and review logs showing MFA challenges during recent connection attempts.
  5. Identify a sample of administrative accounts across directories (Active Directory, cloud IAM, privileged access management systems) and review their authentication policies to confirm MFA is mandatory.
  6. Review remote access service configurations (Remote Desktop Gateway, jump servers, SSH bastions) to confirm MFA integration and enforcement at the authentication layer.
  7. Conduct simulated authentication tests using test accounts or with IT supervision: attempt to authenticate to email, VPN, admin consoles, and remote access services using only username and password to verify that access is denied without the second factor.
  8. Review access logs and authentication audit trails from the past 30-90 days to confirm that all successful logins to in-scope systems include MFA events and identify any bypass patterns or legacy authentication protocols still in use.
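The log review in step 8, as an added example that is not part of this control page: a small Python script over constructed, vendor-neutral sign-in records (the field names, service labels and protocol names are assumptions, not any identity provider's export format) that lists successful in-scope logins with no MFA event, or over a legacy protocol that cannot carry a second factor, and counts them per service for the audit report.

```python
"""Flag successful in-scope sign-ins that lack an MFA event (audit helper).
Input is constructed JSON-lines data; field names are assumptions, not an IdP schema."""
import json
from collections import Counter

# Constructed sample export: five attempts, two of which should fail the control.
SAMPLE_LOG = """\
{"ts":"2024-05-01T08:02:11Z","user":"alice","service":"email","protocol":"oauth2","mfa":true,"result":"success"}
{"ts":"2024-05-01T08:05:40Z","user":"bob","service":"vpn","protocol":"radius","mfa":false,"result":"success"}
{"ts":"2024-05-01T09:14:03Z","user":"carol","service":"email","protocol":"imap-basic","mfa":false,"result":"success"}
{"ts":"2024-05-01T09:20:55Z","user":"dave","service":"admin","protocol":"oauth2","mfa":false,"result":"failure"}
{"ts":"2024-05-01T10:31:19Z","user":"erin","service":"rdp","protocol":"nla","mfa":true,"result":"success"}
"""

# Services the control covers (email, VPN, admin consoles, remote access).
IN_SCOPE = {"email", "vpn", "admin", "rdp", "ssh"}
# Assumed labels for basic-auth protocols that cannot prompt for a second factor.
LEGACY_PROTOCOLS = {"imap-basic", "pop3-basic", "smtp-basic"}


def parse_log(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_findings(records):
    """Return one finding per successful in-scope sign-in that bypassed MFA.
    Failed attempts are skipped: only granted access without MFA fails the control."""
    findings = []
    for r in records:
        if r["service"] not in IN_SCOPE or r["result"] != "success":
            continue
        if r["protocol"] in LEGACY_PROTOCOLS:
            findings.append({**r, "issue": "legacy-protocol"})
        elif not r["mfa"]:
            findings.append({**r, "issue": "no-mfa"})
    return findings


def summarize(findings):
    """Count findings per (service, issue) pair for the evidence package."""
    return Counter((f["service"], f["issue"]) for f in findings)


if __name__ == "__main__":
    found = find_findings(parse_log(SAMPLE_LOG))
    for f in found:
        print(f"{f['ts']} {f['user']:<6} {f['service']:<6} {f['protocol']:<11} {f['issue']}")
    print(dict(summarize(found)))
```

An empty findings list over the sampled period is the pass condition; any entry is either a misconfigured policy or a legacy protocol still enabled.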

Evidence required

Configuration exports from identity providers (Azure AD conditional access policies, Okta sign-on policies), VPN appliance authentication settings, mail server MFA enforcement rules, and privileged access management (PAM) system policies demonstrating mandatory MFA. Authentication logs showing MFA challenge and response events for sampled accounts across email, VPN, administrative, and remote access sessions. Screenshots or test result documentation from simulated login attempts that failed when MFA was not provided.

Pass criteria

MFA is technically enforced on 100% of email access methods, VPN connections, administrative accounts, and remote access services, with no authentication method allowing password-only access and no exceptions or bypasses detected in configurations, logs, or testing.