AUTH-2 Multi Factor Authentication (MFA)

What is AUTH-2 Multi Factor Authentication (MFA) control?

Similarly to SSO, multi-factor authentication is a best practice recommendation for critical systems, but it is not mandatory.

An organization requires a unique username and password to authenticate with any system, program, or data. Having multi-factor authentication is the industry’s best practice and enhances the protection mechanism, but that decision remains at the discretion of each organization.

Available tools in the marketplace

The following listing is “crowdsourced” from our customer base or from external research. TrustCloud does not personally recommend any of the tools, as we haven’t personally used them.

Authentication Tools

Okta

Duo

Auth0

Azure AD

Available templates

TrustCloud has a curated list of templates, internally or externally sourced, to help you get started. Click on the link for a downloadable version:

• N/A: no template is available for this control

Control implementation

NOTE: This control is 100% automated by TrustCloud. Connect your system to enjoy the benefits of automation.
To implement this control manually,
Implement MFA configuration settings for each system, especially critical systems. As noted in the above section, this is not mandatory.

What evidence do auditors look for?

Most auditors, at a minimum, are looking for the below-suggested action:

1. Upload a screenshot of the configuration settings that show MFA enabled for all users.

Evidence example

For the suggested action, an example is provided below:

1. Upload a screenshot of the configuration settings that show Multi-Factor Authentication (MFA) enabled for all users.
   The following screenshots show how you can enable MFA settings in different ways.