Multi-factor authentication — universal MFA across access types

Primary statement

MFA per CSA CCM IAM-14 (cloud: all human access, whether console, CLI or API), PCI DSS 8.4.2 + 8.5.1 (MFA for all access into the CDE; the MFA system must be replay-resistant, non-bypassable by any user including administrators, use at least two different factor categories, and require every factor to succeed before access is granted), ISO 27001:2022 A.5.16 + A.5.17 + A.8.5 (identity management, authentication information, secure authentication), SOC 2 and TDPSA. Universal MFA is the modern access ceiling.

Audit-fatigue payoff

A unified MFA enforcement matrix, phishing-resistant factor adoption and identity lifecycle integration together satisfy the MFA requirements of all 6 contributing frameworks. PCI 8.4.2 + 8.5.1 form the strictest reference, so evidence built to that standard covers the rest.

Strictness matrix

Scope
Scope: ALL access into the CDE, admin and non-admin, console and non-console, plus application and service-to-service access. Universal MFA scope. Ceiling source: pci_dss:PCI.8.4.2. Rationale: PCI 8.4.2 (all access into the CDE) is the strictest named scope. Caveat: PCI 8.4.2's applicability note exempts application and system accounts performing automated functions; this synthesis deliberately pulls those into the matrix as well, since they are the usual MFA gap.
Threshold
Threshold: (1) not susceptible to replay attacks; (2) not bypassable by any user, including administrators, except for a documented, management-authorized exception for a limited time; (3) ≥2 independent factor categories (something you know / have / are; two factors from one category do not count); (4) success of all factors required before access is granted. Ceiling source: pci_dss:PCI.8.5.1. Rationale: the PCI 8.5.1 four-condition threshold is binary; an implementation meets all four or fails.
Method
Method: MFA enforced for all human cloud access, all privileged access and all CDE access; ≥2 independent factor categories; replay-resistant implementation (one-time or challenge-bound factors, never a static second secret); phishing-resistant factors preferred (FIDO2/WebAuthn, hardware-bound keys); identity lifecycle per ISO A.5.16; authentication information management per A.5.17; secure authentication per A.8.5. Ceiling source: csa_ccm:CSA.IAM-14. Rationale: CSA IAM-14 (cloud scope), PCI 8.5.1 (technical threshold) and ISO A.5.x (lifecycle) combined are the most prescriptive.
Frequency
MFA enforcement: every authentication event, with no cached or "remembered device" path that skips a factor. Implementation review: annual and on material change (new access type, new factor, new bypass group). Ceiling source: pci_dss:PCI.8.4.2. Rationale: enforcement is only meaningful per event; the annual review is the minimum cadence for re-verifying the matrix.
Evidence
Evidence: MFA enforcement matrix (access type × required factors × bypass groups), factor inventory with category and phishing-resistance classification, replay-resistance evidence, non-bypassability evidence including documented, time-limited exception approvals, and identity lifecycle records. Ceiling source: pci_dss:PCI.8.4.2. Rationale: evidence assembled to PCI 8.4.2/8.5.1 standard covers the other frameworks' requests.

Auditor test pattern

Step 1: Inspect the MFA enforcement matrix; confirm every access type (admin, non-admin, CLI, API, service-to-service, break-glass) has a row. Step 2: Verify ≥2 independent factor categories per row. Step 3: Verify replay-resistance, that all factors must succeed before access is granted, and that any bypass is a documented, management-approved, time-limited exception. Step 4: Sample privileged and non-privileged access events from logs; verify each required MFA. Step 5: Verify phishing-resistant factor adoption.

Common findings

Common findings: (1) MFA enforced for admin accounts only, not all access types; (2) service-to-service access authenticates with static API keys outside the MFA matrix; (3) SMS or app OTP as the only second factor: one-time, so not trivially replayable, but not phishing-resistant because a real-time relay can forward the code; (4) break-glass admin accounts bypass MFA with no documented, time-limited exception.
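The auditor test pattern and the common findings above can be run mechanically over an enforcement matrix. The following checker is an added example, not code from this page or from any of the named frameworks: it takes a constructed matrix (one row per access type), applies steps 2, 3 and 5 of the test pattern using the PCI 8.5.1 conditions, and reports each of the four common findings by name. The factor-to-category mapping, which factors count as replayable or phishing-resistant, the access-type names and the row schema are all assumptions made for the example.

```python
"""Offline MFA enforcement-matrix checker (added example; all data constructed)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Assumed factor -> category mapping (something you know / have / are).
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "api_key": "knowledge",        # static bearer secret, not an MFA factor
    "sms_otp": "possession",
    "totp": "possession",
    "push": "possession",
    "fido2": "possession",
    "device_cookie": "possession", # long-lived "remembered device" token
    "fingerprint": "inherence",
}
# Assumption: static secrets can be captured and replayed; OTP, push, FIDO2
# and a live biometric are one-time or challenge-bound.
REPLAYABLE = {"password", "pin", "api_key", "device_cookie"}
# Assumption: only origin-bound FIDO2/WebAuthn credentials are phishing-resistant.
PHISHING_RESISTANT = {"fido2"}


@dataclass
class Row:
    access_type: str                      # e.g. "admin_console", "api", "service_to_service"
    human: bool
    factors: List[str]                    # factors required at login
    require_all: bool = True              # PCI 8.5.1 (4): all factors must succeed
    bypass_groups: List[str] = field(default_factory=list)
    exception_until: Optional[date] = None  # documented, time-limited bypass approval


def check_row(row: Row, as_of: date) -> List[str]:
    """Apply steps 2, 3 and 5 of the test pattern to one row; [] means it passes."""
    findings: List[str] = []
    cats = {FACTOR_CATEGORY[f] for f in row.factors}
    # Step 2: >=2 independent categories (password + PIN is still one category).
    if len(cats) < 2:
        if "api_key" in row.factors:
            findings.append(f"{row.access_type}: API key only, service-to-service access bypasses MFA")
        else:
            findings.append(f"{row.access_type}: fewer than 2 factor categories {sorted(cats)}, MFA not enforced")
        return findings  # no MFA system to evaluate further
    # Step 3: replay-resistant, non-bypassable, all factors required.
    if set(row.factors) <= REPLAYABLE:
        findings.append(f"{row.access_type}: every factor is a static secret, replayable")
    if row.bypass_groups and (row.exception_until is None or row.exception_until < as_of):
        findings.append(f"{row.access_type}: bypass for {row.bypass_groups} without a current documented exception")
    if not row.require_all:
        findings.append(f"{row.access_type}: access granted before all factors succeed")
    # Step 5: phishing-resistant factor adoption.
    if not set(row.factors) & PHISHING_RESISTANT:
        findings.append(f"{row.access_type}: factors {row.factors} include no phishing-resistant factor")
    return findings


def evaluate(matrix: List[Row], as_of: date) -> Dict[str, List[str]]:
    """Findings per access type for the whole matrix."""
    return {row.access_type: check_row(row, as_of) for row in matrix}


def is_compliant(matrix: List[Row], as_of: date) -> bool:
    return not any(evaluate(matrix, as_of).values())


# Constructed sample matrix: one row per access type, deliberately mixing passes and findings.
AS_OF = date(2025, 6, 1)
SAMPLE_MATRIX = [
    Row("admin_console", True, ["password", "fido2"]),                 # passes
    Row("user_console", True, ["password"]),                           # finding 1: MFA for admin only
    Row("cli", True, ["password", "sms_otp"]),                         # finding 3: not phishing-resistant
    Row("api", True, ["password", "fido2"], bypass_groups=["cloud-admins"]),  # finding 4: undocumented bypass
    Row("service_to_service", False, ["api_key"]),                     # finding 2: API key bypasses MFA
    Row("break_glass", True, ["password", "fido2"], bypass_groups=["oncall"],
        exception_until=date(2025, 12, 31)),                           # accepted time-limited exception
]

if __name__ == "__main__":
    for access_type, findings in evaluate(SAMPLE_MATRIX, AS_OF).items():
        print(access_type, "PASS" if not findings else "; ".join(findings))
    print("compliant:", is_compliant(SAMPLE_MATRIX, AS_OF))
```

Step 1 (every access type has a row) and step 4 (sampling live access events) are left to the auditor: the checker can only judge what the matrix declares, so a missing row, for instance no "service_to_service" entry at all, must be caught by comparing the matrix against the access inventory before running it.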