Phishing-resistant MFA for admins
Demonstrate that all administrative accounts are protected by phishing-resistant MFA methods that cannot be intercepted, replayed, or socially engineered during authentication.
Description
What this control does
Phishing-resistant multi-factor authentication (MFA) for administrative accounts requires authentication methods that cannot be compromised through social engineering, credential phishing, or session hijacking attacks. This includes hardware security keys (FIDO2/WebAuthn), platform authenticators (TPM-backed), or certificate-based authentication, and explicitly excludes SMS, voice calls, push notifications, and TOTP codes, which remain vulnerable to real-time phishing and adversary-in-the-middle attacks. Administrative accounts, meaning those with elevated privileges to configure systems, access sensitive data, or manage user permissions, represent the highest-value targets and require the strongest authentication assurance.
Control objective
What auditing this proves
Demonstrate that all administrative accounts are protected by phishing-resistant MFA methods that cannot be intercepted, replayed, or socially engineered during authentication.
Associated risks
Risks this control addresses
- Adversary-in-the-middle (AitM) attacks that intercept and replay TOTP codes or push notifications to gain administrative access
- Credential phishing campaigns targeting administrators using fake login portals that harvest passwords and one-time codes in real time
- Session hijacking after administrators authenticate using MFA methods that lack cryptographic binding
- SIM-swapping or SMS interception attacks that compromise SMS-based second factors for privileged accounts
- Push notification fatigue attacks in which attackers spam approval requests until administrators inadvertently approve malicious login attempts
- Unauthorized privileged access by threat actors who compromise traditional MFA by socially engineering helpdesk staff
- Lateral movement and persistence by attackers who elevate privileges after bypassing weak MFA on administrative accounts
Testing procedure
How an auditor verifies this control
- Obtain a current inventory of all accounts with administrative, elevated, or privileged access across identity providers, cloud platforms, directory services, and management consoles.
- Review the organization's MFA policy documentation to identify which authentication methods are classified as phishing-resistant and approved for administrative use.
- Export MFA method configurations from each identity provider and authentication system, capturing the specific authenticator types registered to each administrative account.
- Select a representative sample of at least 20 administrative accounts spanning different systems, roles, and user populations for detailed verification.
- For each sampled account, verify the registered MFA methods match approved phishing-resistant types (FIDO2 security keys, platform authenticators with attestation, PKI certificates) and exclude vulnerable methods (SMS, voice, TOTP apps, push notifications).
- Conduct live authentication tests with at least three sampled administrators to observe the actual authentication flow and confirm hardware or platform authenticators are required and functioning.
- Review conditional access policies, authentication policies, and enforcement rules to confirm phishing-resistant MFA is mandated—not optional—for all administrative access paths including emergency access accounts.
- Examine audit logs from the past 90 days to identify any administrative authentication events using non-phishing-resistant methods and validate these represent documented exceptions with compensating controls or are false positives due to classification errors.
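The registration check and the log review from the procedure above as a script. This is an added example, not part of the control text or any vendor's tooling; the export layout, field names, method labels and the exception handling are assumptions, and the sample records are constructed.

```python
# Added example; field names and method labels are assumptions, sample data is constructed.
from collections import defaultdict

# Per the control text: phishing-resistant methods vs. explicitly excluded ones.
RESISTANT = {"fido2", "platform_attested", "certificate"}
WEAK = {"sms", "voice", "push", "totp"}

def registration_findings(registrations, admins):
    """Admin -> list of issues (weak method registered, no resistant method,
    or an unclassified label that may be a classification error)."""
    by_user = defaultdict(set)
    for r in registrations:
        by_user[r["user"]].add(r["method"].lower())
    findings = {}
    for user in sorted(admins):
        methods = by_user.get(user, set())
        issues = [f"weak method registered: {m}" for m in sorted(methods & WEAK)]
        if not methods & RESISTANT:
            issues.append("no phishing-resistant method registered")
        if methods - WEAK - RESISTANT:
            issues.append("unclassified: " + ",".join(sorted(methods - WEAK - RESISTANT)))
        if issues:
            findings[user] = issues
    return findings

def weak_signins(events, admins, exceptions=frozenset()):
    """Successful admin sign-ins with a non-resistant method, skipping accounts
    that have a documented exception with compensating controls."""
    return [(e["time"], e["user"], e["method"]) for e in events
            if e["user"] in admins and e["user"] not in exceptions
            and e["result"] == "success" and e["method"].lower() not in RESISTANT]

# Constructed sample input: two admins plus an emergency-access account.
ADMINS = {"alice@example.test", "bob@example.test", "breakglass@example.test"}
REGISTRATIONS = [
    {"user": "alice@example.test", "method": "fido2"},
    {"user": "bob@example.test", "method": "fido2"},
    {"user": "bob@example.test", "method": "totp"},  # leftover weak method
    {"user": "breakglass@example.test", "method": "push"},
]
EVENTS = [
    {"time": "2024-01-02T08:00Z", "user": "alice@example.test", "method": "fido2", "result": "success"},
    {"time": "2024-01-03T09:15Z", "user": "bob@example.test", "method": "totp", "result": "success"},
    {"time": "2024-01-04T10:30Z", "user": "bob@example.test", "method": "sms", "result": "failure"},
    {"time": "2024-01-05T11:45Z", "user": "breakglass@example.test", "method": "push", "result": "success"},
]

if __name__ == "__main__":
    print(registration_findings(REGISTRATIONS, ADMINS))
    print(weak_signins(EVENTS, ADMINS, exceptions={"breakglass@example.test"}))
```

Accounts that show up in `registration_findings` with an unclassified label should be resolved by fixing the label mapping before they are counted as exceptions.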