IA-2(1) / IA-2(2) / A.9.4.2 / CIS-6.3 / CIS-6.5 NIST SP 800-63B

MFA for all user accounts

Demonstrate that multi-factor authentication is enforced for 100% of user accounts across all systems, applications, and access methods with no unauthorized exceptions or bypass mechanisms.

Description

What this control does

Multi-factor authentication (MFA) for all user accounts requires users to present at least two independent authentication factors—something they know (password), something they have (hardware token, mobile device), or something they are (biometric)—before gaining access to systems or applications. This control applies to all interactive user sessions including administrative, privileged, remote, and standard business user accounts across on-premises, cloud, and hybrid environments. MFA significantly reduces the risk of credential-based attacks by ensuring that compromised passwords alone cannot grant unauthorized access.

Control objective

What auditing this proves

Demonstrate that multi-factor authentication is enforced for 100% of user accounts across all systems, applications, and access methods with no unauthorized exceptions or bypass mechanisms.

Associated risks

Risks this control addresses

  • Credential stuffing attacks using stolen username/password combinations from third-party breaches to gain unauthorized access
  • Phishing attacks that successfully harvest user passwords but cannot complete authentication without the second factor
  • Password reuse across personal and corporate accounts enabling lateral movement after external compromise
  • Brute force attacks against weak or common passwords succeeding without additional authentication barriers
  • Session hijacking where attackers replay stolen session tokens without re-authentication challenges
  • Insider threats from former employees or contractors who retain knowledge of credentials after termination
  • Compromise of service accounts or shared credentials that lack individual accountability and second-factor protection

Testing procedure

How an auditor verifies this control

  1. Obtain a complete inventory of all systems, applications, and services that authenticate interactive users, including cloud platforms, VPNs, email, remote desktop solutions, and line-of-business applications.
  2. Review authentication policy documentation and configuration standards to identify stated MFA requirements, approved MFA methods, and documented exception processes.
  3. Export and analyze user account lists from identity providers (Active Directory, Azure AD, Okta, etc.) to identify the total population of enabled accounts subject to MFA requirements.
  4. Review authentication system configuration settings and conditional access policies to verify MFA enforcement rules are enabled and applied to all user groups without blanket exclusions.
  5. Select a representative sample of at least 25-30 user accounts stratified across user types (standard users, administrators, contractors, service desks) and attempt test logins to verify MFA prompts appear and function correctly.
  6. Query authentication logs for a 30-90 day period to identify any successful authentication events that did not include MFA verification, filtering for interactive logins versus programmatic access.
  7. Review exception or exemption lists to validate that any MFA exclusions are documented, justified with compensating controls, time-limited, and approved by appropriate authority.
  8. Test bypass scenarios including legacy protocol access (IMAP, POP, SMTP), API authentication, and emergency access accounts to confirm either MFA is enforced or documented compensating controls exist.
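
As an added example (not part of this control page or of any audit tool), the script below carries out steps 6 to 8 over a constructed sign-in export: it reports successful interactive sign-ins that completed without a second factor, separates gaps covered by a current documented exception from audit findings, lists users who signed in over legacy protocols, and computes the raw enforcement rate. The record field names, the sample records and the exception register are assumptions made for this example.

```python
import json
from collections import defaultdict

# Constructed sample sign-in export, one JSON record per line (field names are
# an assumption for this example, not any identity provider's real schema).
SAMPLE_LOG = """\
{"user": "alice@example.com", "result": "success", "interactive": true, "mfa": "satisfied", "client": "Browser"}
{"user": "bob@example.com", "result": "success", "interactive": true, "mfa": "none", "client": "IMAP"}
{"user": "carol@example.com", "result": "failure", "interactive": true, "mfa": "none", "client": "Browser"}
{"user": "svc-backup@example.com", "result": "success", "interactive": false, "mfa": "none", "client": "API"}
{"user": "bob@example.com", "result": "success", "interactive": true, "mfa": "satisfied", "client": "Browser"}
{"user": "dave@example.com", "result": "success", "interactive": true, "mfa": "none", "client": "Browser"}
"""
# Constructed exception register (step 7) and legacy protocols that cannot carry
# an MFA challenge (step 8).
EXCEPTIONS = {"dave@example.com": {"approved_by": "CISO", "expires": "2025-06-30"}}
LEGACY_CLIENTS = {"IMAP", "POP3", "SMTP"}

def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_mfa_gaps(records, exceptions, as_of="2025-01-01"):
    """Successful *interactive* sign-ins that completed without a second factor
    (step 6), split into gaps covered by a current exception and audit findings."""
    gaps = defaultdict(set)
    for r in records:
        if r["result"] != "success" or not r["interactive"]:
            continue  # failures and programmatic access are out of scope here
        if r["mfa"] != "satisfied":
            gaps[r["user"]].add(r["client"])
    findings, excepted = {}, {}
    for user, clients in gaps.items():
        exc = exceptions.get(user)
        if exc and exc["expires"] >= as_of:  # ISO dates compare lexically
            excepted[user] = sorted(clients)
        else:
            findings[user] = sorted(clients)  # expired or undocumented exclusion
    return findings, excepted

def legacy_protocol_logins(records):
    """Users with successful sign-ins over legacy protocols: bypass candidates (step 8)."""
    return sorted({r["user"] for r in records
                   if r["result"] == "success" and r["client"] in LEGACY_CLIENTS})

def mfa_coverage(records):
    """Percentage of interactive users whose every successful sign-in carried MFA."""
    users = {r["user"] for r in records if r["result"] == "success" and r["interactive"]}
    findings, _ = find_mfa_gaps(records, {})  # no exceptions: raw enforcement rate
    return round(100.0 * (len(users) - len(findings)) / len(users), 1) if users else 100.0
```

On the sample data the script flags bob's IMAP login as a finding, treats dave's gap as covered by the exception until it expires, and reports a 33.3% raw enforcement rate, which is the kind of figure the evidence package below has to explain.
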

Evidence required

Collect identity platform configuration exports showing MFA enforcement policies and user enrollment status, authentication logs demonstrating MFA challenges and successful second-factor validations for sampled accounts over a defined period, screenshots of MFA prompts during test authentication attempts, and documented exception approvals with justification and compensating controls. Include policy documents defining MFA requirements and approved methods, as well as reports showing the percentage of accounts enrolled and actively using MFA across each authentication system.

Pass criteria

All enabled user accounts across all systems demonstrate active MFA enrollment and enforcement with authentication logs confirming second-factor validation, and any documented exceptions include formal approval, business justification, time-bound remediation plans, and equivalent compensating controls.
