MFA on every social account (hardware key for Tier-1)
Demonstrate that multi-factor authentication is enforced on all organizational social media accounts, with hardware security keys mandated for Tier-1 accounts as defined by account classification policy.
Description
What this control does
This control mandates the activation of multi-factor authentication (MFA) on all corporate and business-related social media accounts, with hardware-based authentication keys (e.g., FIDO2/WebAuthn or U2F security keys) required for Tier-1 accounts. Tier-1 typically includes accounts with high visibility, executive access, or brand control authority. The control reduces reliance on SMS or app-based authentication for critical accounts by enforcing phishing-resistant hardware tokens. Social media accounts represent a significant attack surface for brand hijacking, reputational damage, and credential stuffing campaigns.
Control objective
What auditing this proves
Demonstrate that multi-factor authentication is enforced on all organizational social media accounts, with hardware security keys mandated for Tier-1 accounts as defined by account classification policy.
Associated risks
Risks this control addresses
- Credential stuffing attacks leveraging leaked passwords from third-party breaches to gain unauthorized access to social media accounts
- Phishing attacks bypassing SMS or TOTP-based MFA through real-time proxy or SIM-swap techniques
- Account takeover leading to brand impersonation, fraudulent communications, or coordinated disinformation campaigns
- Insider threats or credential sharing enabling unauthorized posts or account modifications without detection
- Loss of account recovery access due to inadequate MFA enrollment, preventing legitimate restoration after lockout
- Regulatory or contractual non-compliance when social media accounts process or access customer data without adequate authentication controls
- Supply chain compromise when contractors or third-party agencies retain access to accounts without MFA enforcement
Testing procedure
How an auditor verifies this control
- Obtain the complete inventory of organizational social media accounts, including platform names, account handles, business purpose, and assigned ownership or access roles.
- Request the written account classification policy defining Tier-1 criteria and obtain the current list of accounts designated as Tier-1.
- For a representative sample of at least 10 accounts (including all Tier-1 accounts and a random sample of non-Tier-1), log into each platform's administrative or security settings to verify MFA enrollment status.
- Verify that Tier-1 accounts specifically show hardware security key authentication methods enabled, documented by screenshot or configuration export showing authentication method types.
- Review access logs or authentication event data from each sampled platform for the past 30 days to confirm MFA challenges were presented during login attempts.
- Interview account administrators to confirm hardware security keys have been physically issued to Tier-1 account holders and backup recovery procedures are documented.
- Request and review change control or onboarding records for any new social media accounts created in the past 12 months to verify MFA activation is part of the provisioning workflow.
- Test one Tier-1 account by requesting a demonstration of login using the hardware security key, observing the authentication flow and confirming the key is required to complete access.
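The following is an added example, not part of the original control text: a small Python audit helper that applies the testing procedure above to a constructed account inventory. It builds the sample (all Tier-1 accounts plus random non-Tier-1 accounts up to the minimum of 10), flags accounts with no MFA or SMS-only MFA, and flags Tier-1 accounts lacking a hardware security key. The inventory, platform names and method labels are constructed for illustration.

```python
import random
from dataclasses import dataclass, field

# Method labels are constructed; a real inventory would map each platform's
# configuration export to these categories.
HARDWARE_KEY = "hardware_key"   # FIDO2/WebAuthn or U2F security key
WEAK_METHODS = {"sms"}          # SMS is exposed to SIM-swap and real-time proxying

@dataclass
class Account:
    platform: str
    handle: str
    tier: int                     # 1 = Tier-1 under the classification policy
    mfa_methods: set = field(default_factory=set)

def evaluate(account):
    """Return the findings for one account; an empty list means compliant."""
    findings = []
    if not account.mfa_methods:
        findings.append("no MFA enrolled")
    elif account.mfa_methods <= WEAK_METHODS:
        findings.append("only SMS MFA enrolled")
    if account.tier == 1 and HARDWARE_KEY not in account.mfa_methods:
        findings.append("Tier-1 account without hardware security key")
    return findings

def select_sample(inventory, minimum=10, seed=0):
    """All Tier-1 accounts, plus random non-Tier-1 accounts up to the minimum sample size."""
    tier1 = [a for a in inventory if a.tier == 1]
    others = [a for a in inventory if a.tier != 1]
    random.Random(seed).shuffle(others)          # fixed seed keeps the sample reproducible
    return tier1 + others[:max(minimum - len(tier1), 0)]

def audit(inventory, minimum=10, seed=0):
    """Map 'platform/handle' -> findings for every sampled account with at least one finding."""
    return {f"{a.platform}/{a.handle}": evaluate(a)
            for a in select_sample(inventory, minimum, seed) if evaluate(a)}

# Constructed inventory for illustration only.
INVENTORY = [
    Account("x", "@corp", 1, {"hardware_key", "totp"}),
    Account("linkedin", "corp-page", 1, {"totp"}),
    Account("instagram", "corp_brand", 1, {"sms"}),
    Account("x", "@corp_support", 2, {"totp"}),
    Account("facebook", "corp-events", 2, set()),
    Account("youtube", "corp-channel", 2, {"sms"}),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, "->", "; ".join(findings))
```

With fewer than 10 accounts in total, the sample is simply the whole inventory, which is what the procedure's "at least 10" wording implies for small estates.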
Where this control is tested