MFA enforced on VPN logins
Description
What this control does
This control requires that all users connecting to the organization's Virtual Private Network (VPN) infrastructure must successfully authenticate using multi-factor authentication (MFA) before gaining access to internal resources. MFA enforcement typically combines something the user knows (a password) with something they possess (a hardware token, mobile authenticator app, or SMS code) or something they are (a biometric factor). This control prevents unauthorized access to the corporate network even when user credentials are compromised through phishing, password reuse, or credential stuffing attacks.
Control objective
What auditing this proves
Demonstrate that multi-factor authentication is technically enforced for all VPN authentication attempts and cannot be bypassed by users or administrators under normal operational conditions.
Associated risks
Risks this control addresses
- Unauthorized network access by external attackers using stolen or compromised user credentials obtained through phishing campaigns
- Lateral movement and data exfiltration following successful credential stuffing attacks leveraging passwords exposed in third-party breaches
- Insider threats or terminated employees accessing corporate resources using previously known credentials that have not been rotated
- Man-in-the-middle attacks where attackers intercept credentials during transmission and replay them to gain persistent network access
- Brute-force password attacks against VPN endpoints successfully compromising weak or default passwords without additional authentication barriers
- Unauthorized access from compromised personal devices or untrusted networks where credentials may be cached or logged by malware
- Compliance violations and regulatory penalties for failing to implement strong authentication controls required by data protection standards
Testing procedure
How an auditor verifies this control
- Obtain and review the current VPN gateway configuration file or policy document detailing authentication requirements for all VPN connection profiles.
- Verify that MFA enforcement is configured at the VPN gateway level rather than relying solely on optional client-side settings that users can disable.
- Identify all user groups, roles, and service accounts authorized for VPN access through Active Directory, LDAP, or the identity provider integration.
- Select a representative sample of user accounts (at least 10-15) across different departments and privilege levels for testing.
- Attempt to authenticate to the VPN using valid username and password credentials only, without providing the second authentication factor, and confirm that access is denied.
- Review VPN authentication logs for the past 90 days to identify any successful logins that did not include MFA validation events or show single-factor authentication.
- Interview IT administrators to confirm no documented exceptions, bypass procedures, or legacy authentication methods exist that allow single-factor VPN access.
- Test MFA enrollment requirements by attempting to access the VPN with a newly created test account and verify that MFA registration is mandatory before the first successful connection.
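The log review step above can be scripted rather than done by eye. The following is an added example, not part of this control text and not tied to any vendor's VPN gateway: it correlates each successful password authentication with an MFA validation success for the same user inside a short window and reports the logins that have none. The log format, field names, window size and sample lines are constructed assumptions; real gateway logs need their own parser.

```python
import re
from datetime import datetime, timedelta

# Constructed sample VPN gateway log (assumed format: timestamp host EVENT key=value ...).
# alice and dave complete MFA; bob has no MFA event; dave's MFA arrives 3 minutes
# after the password step; svc-backup's MFA attempt fails.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z vpn-gw1 AUTH user=alice src=203.0.113.10 result=success
2024-03-01T08:00:03Z vpn-gw1 MFA user=alice method=totp result=success
2024-03-01T08:05:10Z vpn-gw1 AUTH user=bob src=203.0.113.11 result=success
2024-03-01T08:09:00Z vpn-gw1 AUTH user=carol src=198.51.100.5 result=failure
2024-03-01T08:10:00Z vpn-gw1 AUTH user=dave src=198.51.100.7 result=success
2024-03-01T08:13:00Z vpn-gw1 MFA user=dave method=push result=success
2024-03-01T08:20:00Z vpn-gw1 AUTH user=svc-backup src=10.0.0.5 result=success
2024-03-01T08:20:02Z vpn-gw1 MFA user=svc-backup method=totp result=failure
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>AUTH|MFA) (?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "event": m["event"], "user": fields.get("user"),
            "result": fields.get("result")}


def find_single_factor_logins(log_text, window_seconds=120):
    """Return (timestamp, user) for each successful AUTH with no MFA success
    for the same user within window_seconds after it (a late MFA counts as missing)."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    mfa_ok = [(e["user"], e["ts"]) for e in events
              if e["event"] == "MFA" and e["result"] == "success"]
    window = timedelta(seconds=window_seconds)
    flagged = []
    for e in events:
        if e["event"] != "AUTH" or e["result"] != "success":
            continue
        covered = any(u == e["user"] and e["ts"] <= t <= e["ts"] + window
                      for u, t in mfa_ok)
        if not covered:
            flagged.append((e["ts"].isoformat(), e["user"]))
    return flagged


if __name__ == "__main__":
    for ts, user in find_single_factor_logins(SAMPLE_LOG):
        print(f"single-factor VPN login: {ts} {user}")
```

Every flagged line is an audit finding to chase back to the gateway configuration or an undocumented exception, and a service account appearing in the list is exactly the legacy-path case the administrator interview is meant to surface.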
Where this control is tested