MFA enforced for remote / VPN access
Demonstrate that multi-factor authentication is technically enforced for all remote and VPN access pathways, preventing authentication using password credentials alone.
Description
What this control does
This control mandates that all users connecting to organizational networks via remote access methods (VPN, remote desktop gateways, or cloud-based remote access solutions) must authenticate using multi-factor authentication (MFA). MFA requires presentation of at least two distinct authentication factors—typically something the user knows (password), something the user has (hardware token, mobile authenticator app, smart card), or something the user is (biometric). Enforcement prevents unauthorized access even when primary credentials are compromised through phishing, credential stuffing, or brute-force attacks.
Control objective
What auditing this proves
Demonstrate that multi-factor authentication is technically enforced for all remote and VPN access pathways, preventing authentication using password credentials alone.
Associated risks
Risks this control addresses
- Unauthorized remote access by external attackers using stolen or phished credentials
- Lateral movement from compromised personal devices lacking endpoint protection controls
- Credential stuffing attacks leveraging credentials from third-party data breaches
- Insider threats exploiting weak or shared passwords to gain unauthorized remote access
- Session hijacking following successful password-only authentication over insecure channels
- Compliance violations and regulatory penalties for insufficient access controls protecting sensitive data
- Data exfiltration by threat actors who gain persistent remote access through compromised accounts
Testing procedure
How an auditor verifies this control
- Obtain and review current VPN and remote access technology inventory, including all vendor solutions, cloud-based remote desktop services, and clientless web-based access portals
- Retrieve authentication policy configurations from VPN concentrators, remote desktop gateway servers, and identity provider platforms (screenshots or configuration exports showing MFA enforcement settings)
- Review identity and access management (IAM) system settings to verify MFA enrollment requirements and enforcement rules for remote access user groups
- Select a representative sample of at least 10-15 active remote access accounts spanning different user roles and geographic locations from access logs or user directories
- Attempt test authentication to VPN and remote access services using valid credentials without presenting a second factor to confirm access is denied
- Examine authentication logs for sampled accounts over a 30-90 day period to verify all successful remote access sessions included MFA validation events
- Interview IT and security personnel to confirm exception processes, temporary bypass procedures, and break-glass account handling for emergency remote access scenarios
- Review change management records and security incident logs for any MFA bypass requests, approvals, or configuration changes during the audit period
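The log-review step above (verifying that every successful remote access session over the sampled period has a matching MFA validation event) is the part of the procedure most easily automated. The following Python script is an added example written for this page; it is not code from any audit program or vendor product. It assumes two JSON-lines exports, one from the VPN concentrator and one from the identity provider, with the field names shown in the constructed sample records (ts, user, session, event, result); map these to the actual export format of the systems under audit. The correlation window of 120 seconds is likewise an assumption that should be tuned to how long the MFA challenge normally takes and to the clock skew between the two log sources.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample records for illustration only (no real users or addresses).
# Field names are assumptions; adapt parse_jsonl() to the real export format.
VPN_LOG = """
{"ts": "2024-05-02T08:00:05Z", "user": "alice", "session": "s-101", "event": "vpn_login", "result": "success", "src_ip": "203.0.113.10"}
{"ts": "2024-05-02T08:14:40Z", "user": "bob",   "session": "s-102", "event": "vpn_login", "result": "success", "src_ip": "198.51.100.7"}
{"ts": "2024-05-02T09:02:11Z", "user": "carol", "session": "s-103", "event": "vpn_login", "result": "failure", "src_ip": "192.0.2.55"}
{"ts": "2024-05-02T11:30:00Z", "user": "dave",  "session": "s-104", "event": "vpn_login", "result": "success", "src_ip": "203.0.113.77"}
{"ts": "2024-05-03T07:45:20Z", "user": "alice", "session": "s-105", "event": "vpn_login", "result": "success", "src_ip": "203.0.113.10"}
"""

MFA_LOG = """
{"ts": "2024-05-02T07:59:50Z", "user": "alice", "event": "mfa_verify", "result": "success", "method": "totp"}
{"ts": "2024-05-02T08:14:30Z", "user": "bob",   "event": "mfa_verify", "result": "failure", "method": "push"}
{"ts": "2024-05-02T08:14:36Z", "user": "bob",   "event": "mfa_verify", "result": "success", "method": "push"}
{"ts": "2024-05-02T10:00:00Z", "user": "dave",  "event": "mfa_verify", "result": "success", "method": "totp"}
{"ts": "2024-05-03T07:45:10Z", "user": "alice", "event": "mfa_verify", "result": "success", "method": "fido2"}
"""


def parse_jsonl(text):
    """Parse JSON-lines text into a list of dicts with a timezone-aware 'ts'."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        # strptime is used instead of fromisoformat so the trailing 'Z' works
        # on Python versions older than 3.11.
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        records.append(rec)
    return records


def sessions_without_mfa(vpn_text, mfa_text, window_seconds=120):
    """Return the session ids of successful VPN logins for which no successful
    MFA verification by the same user exists within +/- window_seconds.

    A symmetric window is used (assumption) because the MFA event may be
    stamped slightly before or after the session-established event depending
    on where in the login flow each system writes its record, and because the
    two log sources may not share a perfectly synchronised clock."""
    mfa_ok = {}
    for rec in parse_jsonl(mfa_text):
        if rec["event"] == "mfa_verify" and rec["result"] == "success":
            mfa_ok.setdefault(rec["user"], []).append(rec["ts"])

    window = timedelta(seconds=window_seconds)
    missing = []
    for rec in parse_jsonl(vpn_text):
        # Only successful sessions matter: a failed login never granted access.
        if rec["event"] != "vpn_login" or rec["result"] != "success":
            continue
        candidates = mfa_ok.get(rec["user"], [])
        covered = any(abs(rec["ts"] - t) <= window for t in candidates)
        if not covered:
            missing.append(rec["session"])
    return missing


def coverage_report(vpn_text, mfa_text, window_seconds=120):
    """Summarise MFA coverage of successful remote access sessions as the
    figures an auditor would record for the sampled period."""
    successful = [
        r for r in parse_jsonl(vpn_text)
        if r["event"] == "vpn_login" and r["result"] == "success"
    ]
    missing = sessions_without_mfa(vpn_text, mfa_text, window_seconds)
    total = len(successful)
    covered = total - len(missing)
    return {
        "successful_sessions": total,
        "missing_mfa": missing,
        "coverage_pct": (100.0 * covered / total) if total else 100.0,
    }


if __name__ == "__main__":
    report = coverage_report(VPN_LOG, MFA_LOG)
    print(f"successful sessions: {report['successful_sessions']}")
    print(f"sessions lacking MFA: {report['missing_mfa']}")
    print(f"MFA coverage: {report['coverage_pct']:.1f}%")
```

In the constructed data, session s-104 is flagged because the only MFA success for that user occurred ninety minutes before the VPN login, which is exactly the kind of gap that indicates a bypass, a cached credential, or an access path outside the enforced policy and warrants follow-up against the exception and change records reviewed in the final two steps. Any non-empty missing list, or a coverage figure below 100% over the 30-90 day sample, is an audit finding rather than a statistical curiosity, since the control objective is enforcement on every pathway. Narrowing the window (for example to 5 seconds) shows how sensitive the result is to the chosen tolerance, so the window should be justified from observed login timings and documented in the workpapers.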
Where this control is tested
Audit programs including this control
Ransomware Incident — Audit Program
Confirmed ransomware encryption + extortion event. Calls for the full playbook: MFA on remote access, immutable backups, EDR…
Remote Access and Credential Exposure Audit
Threat actors exploit weak VPN configurations and stolen or weakly protected credentials to gain initial access, then deploy…