Assign MFA mechanisms to a single account
Summary
The system must associate each secondary authentication mechanism with a single account.
Description
Single-factor authentication mechanisms often offer poor security because of the weak, common or easy-to-guess passwords that users tend to set. Secondary authentication mechanisms, such as physical or logical security tokens, smart cards and certificates, help guarantee the identity of the actors trying to authenticate. However, their value drops sharply when the same mechanism is shared by multiple accounts.
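The following is an added example, not code from Fluid Attacks or from any product they describe. It shows one way to enforce this requirement at enrollment time and to audit an existing authenticator store for violations: a small in-memory registry that binds each second factor (hardware token serial, TOTP seed, smart-card certificate fingerprint) to exactly one account and rejects enrolling a factor that another account already owns, plus an audit function that lists factors shared by more than one account. The registry class, the record layout and the sample enrollments are all constructed for the example.

```python
"""Added example: one account per secondary authentication mechanism.

Not from the original page. The registry, record format and sample data
are constructed assumptions chosen to illustrate the requirement.
"""
import hashlib
from dataclasses import dataclass, field


class SharedAuthenticatorError(Exception):
    """Raised when a second factor is already bound to a different account."""


@dataclass
class AuthenticatorRegistry:
    # fingerprint of the factor -> account that owns it (at most one owner)
    owner_by_factor: dict = field(default_factory=dict)
    # account -> set of factor fingerprints enrolled for it
    factors_by_account: dict = field(default_factory=dict)

    @staticmethod
    def fingerprint(kind: str, identifier: str) -> str:
        # Index by a hash so raw TOTP seeds or credential IDs are never
        # stored in the lookup table itself.
        return hashlib.sha256(f"{kind}:{identifier}".encode()).hexdigest()

    def enroll(self, account: str, kind: str, identifier: str) -> str:
        """Bind a factor to `account`; refuse if another account owns it."""
        fp = self.fingerprint(kind, identifier)
        owner = self.owner_by_factor.get(fp)
        if owner is not None and owner != account:
            raise SharedAuthenticatorError(
                f"{kind} factor is already assigned to another account"
            )
        self.owner_by_factor[fp] = account
        self.factors_by_account.setdefault(account, set()).add(fp)
        return fp

    def revoke(self, account: str, kind: str, identifier: str) -> bool:
        """Unbind a factor from `account`. Returns False if it was not theirs."""
        fp = self.fingerprint(kind, identifier)
        if self.owner_by_factor.get(fp) != account:
            return False
        del self.owner_by_factor[fp]
        self.factors_by_account[account].discard(fp)
        return True

    def owner_of(self, kind: str, identifier: str):
        return self.owner_by_factor.get(self.fingerprint(kind, identifier))


def find_shared_factors(records):
    """Audit helper for an existing store.

    `records` is an iterable of (account, kind, identifier) tuples as they
    might be exported from an identity provider. Returns a mapping of
    factor fingerprint -> sorted list of accounts for every factor that is
    bound to more than one account, i.e. every violation of the requirement.
    """
    owners = {}
    for account, kind, identifier in records:
        fp = AuthenticatorRegistry.fingerprint(kind, identifier)
        owners.setdefault(fp, set()).add(account)
    return {fp: sorted(accs) for fp, accs in owners.items() if len(accs) > 1}


# Constructed sample export; two factors are (wrongly) shared between accounts.
SAMPLE_ENROLLMENTS = [
    ("alice", "yubikey", "serial-0001"),
    ("bob", "yubikey", "serial-0002"),
    ("carol", "totp", "JBSWY3DPEHPK3PXP"),
    ("dave", "totp", "JBSWY3DPEHPK3PXP"),      # same TOTP seed as carol
    ("erin", "smartcard", "cert-fp-aaaa"),
    ("ops-shared", "yubikey", "serial-0002"),  # same token as bob
]


if __name__ == "__main__":
    registry = AuthenticatorRegistry()
    registry.enroll("alice", "yubikey", "serial-0001")
    try:
        registry.enroll("bob", "yubikey", "serial-0001")
    except SharedAuthenticatorError as exc:
        print("enrollment rejected:", exc)
    for fp, accounts in find_shared_factors(SAMPLE_ENROLLMENTS).items():
        print(f"shared factor {fp[:12]}... bound to {accounts}")
```

Re-enrolling a factor on the account that already owns it is treated as idempotent, while moving a token to a new owner requires an explicit `revoke` first, so the hand-over is a logged, deliberate step rather than a silent overwrite.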
Supported In
This requirement is verified in the following services

| Plan | Supported |
|---|---|
| Essential | 🔴 |
| Advanced | 🟢 |
References
- CWE™-287. Improper authentication
- CWE™-1390. Weak Authentication
- OWASP TOP 10-A7. Identification and authentication failures
- NYDFS-500_12. Multi-factor authentication
- MITRE ATT&CK®-M1032. Multi-factor authentication
- PA-DSS-3_1_5. Payment application does not require or use any group, shared, or generic accounts and passwords
- PA-DSS-8_3. Operation of two-factor authentication technologies for secure remote access
- SANS 25-13. Improper authentication
- CMMC-IA_L2-3_5_3. Multifactor authentication
- CMMC-MA_L2-3_7_5. Nonlocal maintenance
- CMMC-MP_L2-3_8_1. Media protection
- CMMC-PE_L1-3_10_1. Limit physical access
- CMMC-PE_L1-3_10_5. Manage physical access
- FedRAMP-IA-2_11. Identification and authentication - Remote access, separate device
- FedRAMP-PE-3. Physical access control
- ISA/IEC 62443-CR-1_1-RE_2. Multifactor authentication for all interfaces
- OWASP Top 10 Privacy Risks-P2. Operator-sided data leakage
- NIST 800-171-5_3. Use multifactor authentication for local and network access to privileged accounts
- CWE TOP 25-287. Improper authentication
- SWIFT CSCF-4_2. Multi-factor authentication
- SWIFT CSCF-5_2. Token management
- OWASP ASVS-14_2_4. Dependency
- C2M2-4_1_h. Establish identities and manage authentication
- C2M2-4_1_i. Establish identities and manage authentication
- PCI DSS-8_3_11. An authentication factor cannot be used by anyone other than the user assigned
- SIG Lite-SL_75. Is two factor authentication required to access the production environment containing scoped data?
- SIG Lite-SL_76. Are staff able to access client scoped data?
- CASA-2_10_1. Service Authentication
- Resolution SB 2021 2126-Art_30_8. Security in Electronic Channels - Digital Banking
- OWASP MASVS-AUTH-3. The app secures sensitive operations with additional authentication
- NIST CSF-PR_AA-03. Users, services, and hardware are authenticated