IA-2(1) / IA-2(2) / A.9.4.2 / CIS-6.3 / CIS-6.5 NIST SP 800-53 Rev 5

Is multi-factor authentication (MFA / 2-step verification) turned on for email and key business apps?

Demonstrate that multi-factor authentication is enforced for all user accounts accessing email and key business applications, with technical controls preventing single-factor authentication bypasses.

Description

What this control does

Multi-factor authentication (MFA) requires users to present two or more independent verification factors, typically something they know (a password), something they have (a mobile device or hardware token), or something they are (a biometric), before they are granted access to email systems and critical business applications. This control enforces MFA at the authentication boundary for all user accounts so that a password alone is never sufficient. MFA substantially raises the cost of credential theft, phishing, and brute-force attacks because the attacker must also obtain a second factor that is hard to capture remotely. The strength of that protection depends on the factor type: codes sent over SMS and simple push approvals can still be phished or socially engineered, whereas hardware tokens and platform authenticators bound to the site (FIDO2/WebAuthn) resist phishing.

Control objective

What auditing this proves

Demonstrate that multi-factor authentication is enforced for all user accounts accessing email and key business applications, with technical controls preventing single-factor authentication bypasses.

Associated risks

Risks this control addresses

  • Unauthorized account access via stolen, phished, or brute-forced passwords without requiring a second authentication factor
  • Lateral movement and data exfiltration following successful credential compromise of privileged or standard user accounts
  • Business email compromise (BEC) attacks where attackers impersonate executives or employees to initiate fraudulent transactions
  • Account takeover leading to malware distribution, spam campaigns, or reputational damage originating from legitimate user accounts
  • Insider threat escalation where former employees or contractors retain access using compromised credentials after departure
  • Compliance violations and regulatory penalties for failing to implement strong authentication controls required by data protection regulations
  • Ransomware deployment facilitated by authenticated access to cloud storage, email systems, or file shares using compromised credentials

Testing procedure

How an auditor verifies this control

  1. Obtain a complete inventory of all email systems (Microsoft 365, Google Workspace, on-premises Exchange) and key business applications (ERP, CRM, HRIS, financial systems, remote access portals) in scope for the organization.
  2. Review identity provider and authentication policy configurations to identify whether MFA is enabled and the enforcement scope (all users, specific groups, conditional access rules).
  3. Export and analyze authentication policies, conditional access policies, and MFA enrollment reports from each system to verify mandatory enforcement settings and identify exempted accounts. Confirm that legacy authentication protocols that cannot present an MFA challenge (for example basic authentication over IMAP, POP3, or SMTP AUTH) are blocked, since an open legacy protocol is a single-factor bypass regardless of what the MFA policy says.
  4. Select a representative sample of user accounts spanning different roles (standard users, administrators, executives, contractors) and review their MFA enrollment status and method types (SMS, authenticator app, hardware token, biometric).
  5. Conduct test authentications using sample accounts to verify that MFA challenges are presented before granting access and that single-factor authentication attempts are blocked or denied.
  6. Review exception lists, service accounts, and emergency access accounts to determine if MFA exemptions exist, and validate that documented business justifications and compensating controls are in place.
  7. Examine access logs and authentication audit trails over a defined period (30-90 days) to identify any successful authentications that bypassed MFA and investigate root causes.
  8. Interview IT administrators and security personnel to confirm MFA rollout completion dates, user training activities, helpdesk support procedures, and incident response protocols for MFA-related security events.
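The log review in step 7 and the exception check in step 6, worked as an added example (this is not part of the control text above and not any vendor's tooling): the script parses a constructed sign-in export, separates successful single-factor sign-ins into unexplained bypasses and uses of documented exceptions, and computes the share of active accounts with no unexplained bypass. The record shape, the field names (`userPrincipalName`, `authenticationRequirement`, `status.errorCode`), the sample events and the exception register are assumptions modeled loosely on Microsoft Entra ID sign-in logs; map the fields of your own export accordingly.

```python
import json
from collections import defaultdict

# Constructed sample sign-in export (newline-delimited JSON). The field
# names are modeled loosely on Microsoft Entra ID sign-in logs but are an
# assumption of this example; map your own export's fields accordingly.
# A non-zero errorCode marks an attempt that did not complete (constructed).
SAMPLE_SIGNINS = r"""
{"createdDateTime": "2024-03-01T08:02:11Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Office 365 Exchange Online", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}}
{"createdDateTime": "2024-03-01T08:05:40Z", "userPrincipalName": "bob@example.com", "appDisplayName": "Office 365 Exchange Online", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"createdDateTime": "2024-03-01T09:17:03Z", "userPrincipalName": "svc-backup@example.com", "appDisplayName": "SharePoint Online", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"createdDateTime": "2024-03-02T11:30:55Z", "userPrincipalName": "carol@example.com", "appDisplayName": "Salesforce", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50076}}
{"createdDateTime": "2024-03-02T13:44:19Z", "userPrincipalName": "bob@example.com", "appDisplayName": "Office 365 Exchange Online", "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}}
{"createdDateTime": "2024-03-03T07:58:02Z", "userPrincipalName": "dave@example.com", "appDisplayName": "Salesforce", "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}}
"""

# Constructed exception register (step 6): accounts allowed to sign in
# without MFA, each with its approval record and compensating control.
APPROVED_EXCEPTIONS = {
    "svc-backup@example.com": {
        "justification": "backup agent cannot perform interactive MFA",
        "approved_by": "CISO, 2024-01-15",
        "compensating_control": "sign-in restricted to the backup server IP",
    },
}


def parse_signins(ndjson_text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]


def single_factor_successes(records):
    """Return sign-ins that completed successfully with only one factor.

    Attempts with a non-zero errorCode are excluded: an MFA-interrupted
    sign-in that never completed is the control working, not a bypass.
    """
    return [
        r for r in records
        if r["authenticationRequirement"] == "singleFactorAuthentication"
        and r["status"]["errorCode"] == 0
    ]


def classify_bypasses(records, exceptions):
    """Split single-factor successes into unexplained bypasses and uses of
    documented exceptions, grouped by account.

    Returns (bypasses, exception_use); each maps a userPrincipalName to a
    list of (createdDateTime, appDisplayName) tuples.
    """
    bypasses = defaultdict(list)
    exception_use = defaultdict(list)
    for r in single_factor_successes(records):
        upn = r["userPrincipalName"].lower()
        event = (r["createdDateTime"], r["appDisplayName"])
        if upn in exceptions:
            exception_use[upn].append(event)
        else:
            bypasses[upn].append(event)
    return dict(bypasses), dict(exception_use)


def mfa_coverage(records, exceptions):
    """Percentage of active accounts (those seen in the log) with no
    unexplained single-factor success. The pass criterion on this page is 100%.
    """
    active = {r["userPrincipalName"].lower() for r in records}
    bypasses, _ = classify_bypasses(records, exceptions)
    covered = active - set(bypasses)
    return 100.0 * len(covered) / len(active) if active else 100.0


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNINS)
    bypasses, exception_use = classify_bypasses(recs, APPROVED_EXCEPTIONS)
    for upn, events in bypasses.items():
        print(f"FINDING  {upn}: {len(events)} single-factor sign-in(s) with no approved exception")
        for when, app in events:
            print(f"         {when}  {app}")
    for upn, events in exception_use.items():
        ctl = APPROVED_EXCEPTIONS[upn]["compensating_control"]
        print(f"REVIEW   {upn}: {len(events)} exempt sign-in(s); verify compensating control: {ctl}")
    print(f"MFA coverage of active accounts: {mfa_coverage(recs, APPROVED_EXCEPTIONS):.1f}%")
```

Run against a real export, each FINDING line is the starting point for the root-cause investigation step 7 calls for (a policy exclusion, an open legacy protocol, a per-user MFA state that was never enforced), and each REVIEW line is an exempt account whose compensating control should be verified rather than accepted on sight. On the constructed sample the script reports one finding (two single-factor sign-ins by one account), one exempt account to review, and 80% coverage, which fails the 100% pass criterion.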
Evidence required

Collect authentication policy configuration exports showing MFA enforcement settings, conditional access rules, and authentication methods; MFA enrollment reports listing user accounts and their enrolled factors; screenshots of authentication flows demonstrating MFA challenges; access logs or SIEM query results showing authentication events with MFA validation status; documented exception lists with approval records and compensating controls for any MFA-exempt accounts; and evidence of user communication and training materials related to the MFA rollout.

Pass criteria

MFA is technically enforced for 100% of active user accounts accessing email and all key business applications, with any documented exceptions limited to technical service accounts or emergency access accounts that have approved compensating controls and regular access reviews.