MFA enforced for all employees
Demonstrate that multi-factor authentication is enforced for all employee accounts across all in-scope systems and applications without exception.
Description
What this control does
Multi-factor authentication (MFA) requires all employees to present at least two distinct authentication factors—such as a password plus a time-based one-time password (TOTP), push notification, or hardware token—before accessing corporate systems and applications. This control is typically enforced through identity and access management (IAM) platforms, directory services (e.g., Active Directory, Azure AD, Okta), and application-level policies. MFA significantly reduces the risk of credential-based attacks by ensuring that compromised passwords alone cannot grant unauthorized access.
Control objective
What auditing this proves
Demonstrate that multi-factor authentication is enforced for all employee accounts across all in-scope systems and applications without exception.
Associated risks
Risks this control addresses
- Unauthorized access through stolen, phished, or brute-forced employee credentials
- Account takeover due to password reuse across personal and corporate accounts
- Lateral movement within the network following initial compromise of a single-factor account
- Insider threat escalation when departing employees retain knowledge of passwords but not second factors
- Compliance violations resulting in regulatory fines or loss of certification (e.g., PCI-DSS, HIPAA, SOC 2)
- Data exfiltration or ransomware deployment via compromised remote access sessions
- Social engineering attacks that harvest passwords but cannot bypass the second authentication factor
Testing procedure
How an auditor verifies this control
- Obtain a complete inventory of all systems, applications, and remote access portals used by employees, including VPNs, email, SaaS platforms, and administrative consoles.
- Review identity provider (IdP) or IAM platform configuration exports to identify MFA enforcement policies applied to employee user groups.
- Select a representative sample of at least 20 employee accounts spanning different departments, roles, and seniority levels.
- Attempt to authenticate to each in-scope system using sampled accounts with valid passwords but without providing the second factor, verifying that access is denied.
- Examine authentication logs for the sampled accounts over the past 30 days to confirm that all successful logins included MFA verification events.
- Interview IT administrators to identify any documented exceptions, service accounts, or break-glass procedures, and review formal approval records for those exceptions.
- Review user provisioning and onboarding workflows to confirm that MFA enrollment is mandatory before new employees gain access to corporate resources.
- Test one emergency access or break-glass account, if applicable, to verify that compensating controls such as alerts, time-limited access, and audit trails are in place.
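The log-review step above (confirming that every successful login for a sampled account in the last 30 days carried an MFA verification event) is easy to do by hand for a handful of accounts and error-prone for twenty. The following script is an added illustration, not part of this control page or any vendor's tooling: it parses a constructed JSON-lines authentication export, applies the 30-day window, and returns a per-account verdict of pass, fail (at least one successful login without MFA) or no_evidence (no successful login in the window, so the sample gives no proof either way). The field names, event names and sample records are assumptions; adjust parse_events() to the real IdP export format.

```python
"""Check an authentication-log export for successful employee logins that
lack an MFA verification event. Added example for the testing procedure
above; the log format, field names and records are constructed assumptions,
not any identity provider's real export format."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export: one JSON object per line. Real IdP exports
# differ; change the keys read in parse_events() to match the platform.
SAMPLE_LOG = """
{"ts": "2024-05-01T08:00:00Z", "user": "alice@example.com", "event": "login.success", "mfa": "totp"}
{"ts": "2024-05-02T09:15:00Z", "user": "bob@example.com", "event": "login.success", "mfa": null}
{"ts": "2024-05-03T10:30:00Z", "user": "carol@example.com", "event": "login.failure", "mfa": null}
{"ts": "2024-03-01T07:00:00Z", "user": "carol@example.com", "event": "login.success", "mfa": null}
{"ts": "2024-05-04T11:00:00Z", "user": "dave@example.com", "event": "login.success", "mfa": "push"}
{"ts": "2024-05-05T12:00:00Z", "user": "alice@example.com", "event": "login.success", "mfa": "webauthn"}
"""

# Constructed audit sample; "erin" has no login in the window at all.
SAMPLED_ACCOUNTS = ["alice@example.com", "bob@example.com", "carol@example.com",
                    "dave@example.com", "erin@example.com"]

# Fixed reference date so the 30-day window is deterministic; an auditor
# would normally use datetime.now(timezone.utc) here.
AUDIT_DATE = datetime(2024, 5, 10, tzinfo=timezone.utc)


def parse_events(raw):
    """Parse JSON-lines records into dicts with a timezone-aware 'ts'."""
    events = []
    for line in raw.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def check_mfa_coverage(events, accounts, audit_date, window_days=30):
    """Return {account: {"logins": n, "without_mfa": [...], "status": s}}.

    Only successful logins inside the window count. A failed login is not
    evidence either way, and an account with no successful login in the
    window is reported as 'no_evidence' rather than silently passed.
    """
    start = audit_date - timedelta(days=window_days)
    verdicts = {acct: {"logins": 0, "without_mfa": []} for acct in accounts}
    for ev in events:
        if ev["user"] not in verdicts:
            continue  # not one of the sampled accounts
        if ev["event"] != "login.success":
            continue  # failures and other event types are ignored
        if not (start <= ev["ts"] <= audit_date):
            continue  # outside the review window
        v = verdicts[ev["user"]]
        v["logins"] += 1
        if not ev.get("mfa"):  # null/empty mfa field = no second factor verified
            v["without_mfa"].append(ev["ts"].isoformat())
    for v in verdicts.values():
        if v["logins"] == 0:
            v["status"] = "no_evidence"
        elif v["without_mfa"]:
            v["status"] = "fail"
        else:
            v["status"] = "pass"
    return verdicts


def summarize(verdicts):
    """Group sampled accounts by verdict for the audit workpaper."""
    return {s: sorted(a for a, v in verdicts.items() if v["status"] == s)
            for s in ("pass", "fail", "no_evidence")}


if __name__ == "__main__":
    results = check_mfa_coverage(parse_events(SAMPLE_LOG), SAMPLED_ACCOUNTS, AUDIT_DATE)
    for acct, v in results.items():
        print(f"{acct}: {v['status']} ({v['logins']} successful logins, "
              f"{len(v['without_mfa'])} without MFA)")
    print(summarize(results))
```

The no_evidence outcome matters in practice: an account that simply never logged in during the window has not demonstrated enforcement, so the auditor should either extend the window for that account or fall back to the policy-configuration and negative-login tests listed earlier.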