MID-045: Multi-factor Authentication
Mitigation Tier: Intermediate
Description
Multi-factor authentication “requires users to present two or more authentication factors at login to verify their identity before they are granted access.” [1] These typically include some combination of 1) something you know, like a password; 2) something you have, like a hardware or mobile token; or 3) something you are, such as fingerprints or other biometric data [1, 2]. Devices will not authenticate a user unless all required forms of authentication are presented.
Threat actors therefore will not be able to authenticate to a device with simple username/password combinations that can be intercepted, phished, guessed by brute-force, or otherwise acquired.
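As an added illustration, not part of this EMB3D page or its cited sources, the following Python sketch shows the "all required factors must be presented" rule from the description: a login succeeds only when both a knowledge factor (password) and a possession factor (an RFC 6238 TOTP code from a token) verify. The user credentials, the 30-second clock-skew window and the function names are constructed assumptions.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo credentials (assumption, not from the page). A real device
# would store a salted password hash and a per-user TOTP seed in protected storage.
USER_PASSWORD_HASH = hashlib.sha256(b"correct horse battery staple").hexdigest()
USER_TOTP_SECRET = b"12345678901234567890"  # the 20-byte RFC 6238 test-vector seed

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, RFC 4226 truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def password_ok(password: str) -> bool:
    """Factor 1, something you know. Constant-time compare of the hash."""
    return hmac.compare_digest(
        hashlib.sha256(password.encode()).hexdigest(), USER_PASSWORD_HASH)

def totp_ok(code: str, now: int, window: int = 1) -> bool:
    """Factor 2, something you have. Accept +/- `window` steps for clock skew."""
    return any(hmac.compare_digest(totp(USER_TOTP_SECRET, now + d * 30), code)
               for d in range(-window, window + 1))

def authenticate(password: str, code: str, now: Optional[int] = None) -> bool:
    """Grant access only when every required factor verifies."""
    now = int(time.time()) if now is None else now
    # Evaluate both factors regardless of the first result, so a failed
    # password does not short-circuit and reveal which factor was wrong.
    first = password_ok(password)
    second = totp_ok(code, now)
    return first and second

if __name__ == "__main__":
    # Uses the RFC 6238 test vector at T=59 (6-digit code 287082).
    print(authenticate("correct horse battery staple", "287082", now=59))   # True
    print(authenticate("correct horse battery staple", "", now=59))         # False
    print(authenticate("guessed-or-phished-password", "287082", now=59))   # False
```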
IEC 62443 4-2 Mappings
- CR 1.1 - Human user interaction and authentication - RE (2) Multifactor authentication for all interfaces
References
[1] CISA. “Multi-factor Authentication.” cisa.gov. Accessed: Aug. 28, 2024. [Online]. Available: https://www.cisa.gov/sites/default/files/publications/MFA-Fact-Sheet-Jan22-508.pdf
[2] P. Grassi, J. Fenton, E. Newton, R. Perlner, A. Regenscheid, W. Burr, J. Richer, N. Lefkovitz, J. Danker, Y. Choong, K. Greene, and M. Theofanos. “NIST 800-63B - Digital Identity Guidelines - Authentication and Lifecycle Management.” nist.gov. Accessed: Aug. 28, 2024. [Online]. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf
[3] H. Guevera. “Multi-factor Authentication Guide.” Auth0 by Okta Blog. Accessed: Aug. 28, 2024. [Online]. Available: https://auth0.com/blog/multifactor-authentication-mfa/