Multi-Factor Authentication (MFA) Policy

1. Purpose

The purpose of this Multi-Factor Authentication (MFA) Policy is to establish requirements for the use of multi-factor authentication to strengthen identity verification and reduce the risk of unauthorized access to organizational systems, applications, networks, cloud services, and information assets.

Passwords alone are vulnerable to compromise through phishing, credential theft, brute-force attacks, social engineering, malware, and credential reuse. Multi-factor authentication provides an additional layer of security by requiring multiple forms of verification before access is granted.

This policy establishes the organization’s requirements for implementing, managing, and maintaining MFA controls.

2. Scope

This policy applies to:

  • All employees
  • Contractors
  • Consultants
  • Temporary personnel
  • Interns
  • Third-party personnel with authorized access to organizational resources

This policy applies to access involving:

  • Workstations
  • Servers
  • Cloud services
  • Business applications
  • Administrative systems
  • Remote access solutions
  • Virtual private networks (VPNs)
  • Email systems
  • Databases
  • Identity management platforms
  • Mobile applications
  • Internet-facing systems

The policy applies to all organizationally managed identities and systems where MFA is supported.

3. Policy Statement

The organization shall implement multi-factor authentication for systems and accounts based on risk, business requirements, regulatory obligations, and the sensitivity of information being accessed.

MFA shall be required for privileged access, remote access, access to sensitive information, and access to critical systems whenever technically feasible.

Users shall successfully complete MFA verification before access is granted to protected resources.

4. Objectives

The objectives of this policy are to:

  • Reduce the risk of unauthorized access.
  • Protect against credential compromise.
  • Strengthen authentication security.
  • Support secure remote access.
  • Protect sensitive and critical information.
  • Support compliance requirements.
  • Reduce account takeover risks.
  • Improve overall organizational security posture.

5. Definitions

Multi-Factor Authentication (MFA)

An authentication mechanism that requires two or more independent authentication factors to verify a user’s identity.

Authentication Factor

A category of evidence used to verify identity.

Authentication factors generally include:

  • Something you know (password or PIN)
  • Something you have (security token or mobile device)
  • Something you are (biometric characteristic)

Privileged Account

An account with elevated permissions capable of administering systems, modifying security controls, or accessing sensitive resources.

Adaptive Authentication

An authentication process that evaluates risk factors and may require additional verification based on user behavior, location, device, or other conditions.

Authentication Token

A physical or virtual device used to generate authentication codes or cryptographic responses.

6. Roles and Responsibilities

Executive Management

Responsible for:

  • Supporting MFA initiatives.
  • Providing resources for MFA implementation.
  • Reviewing significant authentication-related risks.

Information Security Team

Responsible for:

  • Establishing MFA requirements.
  • Monitoring MFA effectiveness.
  • Managing authentication-related risks.
  • Reviewing exceptions.
  • Investigating authentication-related incidents.

Information Technology Team

Responsible for:

  • Implementing MFA solutions.
  • Managing authentication systems.
  • Supporting MFA enrollment processes.
  • Maintaining authentication infrastructure.
  • Supporting users experiencing authentication issues.

Managers and Supervisors

Responsible for:

  • Ensuring personnel comply with MFA requirements.
  • Supporting enforcement activities.
  • Reporting authentication concerns.

Users

Responsible for:

  • Enrolling in required MFA systems.
  • Protecting authentication devices and credentials.
  • Reporting lost or compromised authentication factors.
  • Following authentication procedures.

7. Multi-Factor Authentication Program

The organization shall maintain a Multi-Factor Authentication Program that includes:

  • MFA deployment
  • User enrollment
  • Authentication management
  • Access control integration
  • Monitoring and logging
  • Incident response integration
  • User support
  • Periodic review

The program shall be reviewed regularly for effectiveness.

8. MFA Requirements

Multi-factor authentication shall be required whenever technically feasible for:

  • Administrative access
  • Remote access
  • VPN access
  • Cloud services
  • Email systems
  • Access to sensitive information
  • Access to critical business systems
  • Privileged account usage

Additional systems may be included based on risk assessments.

9. Approved Authentication Factors

Approved authentication factors may include:

Knowledge Factors

  • Passwords
  • Passphrases
  • Personal identification numbers (PINs)

Possession Factors

  • Authenticator applications
  • Hardware security keys
  • Smart cards
  • One-time password tokens
  • Mobile authentication devices

Inherence Factors

  • Fingerprint recognition
  • Facial recognition
  • Other approved biometric methods

Authentication methods shall be approved by the Information Security Team.

10. Prohibited Authentication Methods

The following may be restricted or prohibited based on risk:

  • Shared authentication devices
  • Unapproved authentication applications
  • Weak or insecure authentication mechanisms
  • Authentication methods that do not meet organizational security standards

Users shall not bypass MFA controls.

11. Administrative Access Requirements

All privileged and administrative accounts shall utilize MFA whenever technically feasible.

Administrative MFA requirements shall apply to:

  • Domain administration
  • Server administration
  • Cloud administration
  • Security administration
  • Network administration
  • Database administration

Administrative access shall receive the highest level of authentication protection.

12. Remote Access Requirements

Users accessing organizational resources remotely shall authenticate using MFA.

Remote access includes:

  • VPN connections
  • Cloud-based services
  • Remote desktop services
  • Administrative remote access
  • Third-party remote access

Remote access sessions may be subject to additional authentication controls.

13. Cloud Service Authentication

Cloud-based services shall utilize MFA whenever supported.

Examples include:

  • Productivity platforms
  • Email services
  • File-sharing platforms
  • Business applications
  • Identity management systems

Cloud service providers shall be configured to enforce MFA where feasible.

14. Enrollment Procedures

Users required to use MFA shall complete enrollment procedures before access is granted.

Enrollment activities may include:

  • Identity verification
  • Device registration
  • Authentication application setup
  • Security key assignment
  • Recovery method registration

Enrollment records shall be maintained where appropriate.

15. Authentication Device Protection

Users shall protect authentication devices and factors from unauthorized access.

Users shall:

  • Secure mobile authentication devices.
  • Protect hardware tokens.
  • Safeguard security keys.
  • Prevent unauthorized use of authentication factors.

Authentication devices shall not be shared.

16. Lost, Stolen, or Compromised Authentication Factors

Users shall immediately report:

  • Lost authentication devices
  • Stolen authentication devices
  • Suspected compromise
  • Unauthorized authentication activity

Appropriate actions may include:

  • Credential revocation
  • Device replacement
  • MFA re-enrollment
  • Incident investigation

Compromised authentication factors shall be disabled promptly.

17. Backup and Recovery Methods

Approved backup authentication methods may be provided to support account recovery.

Recovery methods may include:

  • Backup authentication codes
  • Secondary authentication devices
  • Identity verification procedures
  • Service desk assistance

Recovery processes shall include identity verification controls.

18. Adaptive and Risk-Based Authentication

The organization may implement adaptive authentication controls based on risk.

Risk factors may include:

  • Geographic location
  • Device reputation
  • Network source
  • Login behavior
  • Threat intelligence indicators

Additional authentication verification may be required when elevated risk is detected.

19. Third-Party Access

Third-party users accessing organizational systems shall utilize MFA when required.

Third-party MFA requirements may apply to:

  • Vendors
  • Service providers
  • Contractors
  • Business partners

Third-party authentication controls shall be reviewed periodically.

20. Service Accounts and Non-Human Identities

Where MFA is not technically feasible for service accounts or automated processes, compensating controls shall be implemented.

Compensating controls may include:

  • Strong credential management
  • Credential rotation
  • Access restrictions
  • Monitoring and logging
  • Network segmentation

Exceptions shall be documented and approved.

21. Monitoring and Logging

MFA-related activities shall be logged and monitored.

Logged events may include:

  • Authentication attempts
  • Failed authentication attempts
  • MFA enrollment events
  • Device registration events
  • Authentication factor changes
  • Administrative actions

Logs shall be protected and retained according to organizational requirements.

22. Security Awareness

Personnel shall receive training regarding:

  • MFA requirements
  • Authentication security
  • Phishing-resistant practices
  • Authentication device protection
  • Account recovery procedures

Awareness activities shall be conducted periodically.

23. Compliance and Auditing

Compliance with this policy shall be verified through:

  • Authentication reviews
  • Access control assessments
  • Internal audits
  • External audits
  • Compliance evaluations

Findings shall be documented and addressed through corrective action processes.

24. Exceptions

Exceptions to this policy must:

  • Be documented
  • Include business justification
  • Include risk assessment
  • Identify compensating controls
  • Be approved by management
  • Be reviewed periodically

Temporary exceptions shall include expiration dates.

25. Enforcement

Violations of this policy may result in:

  • Removal of access privileges
  • Suspension of accounts
  • Disciplinary action
  • Contract termination
  • Legal action where applicable

26. Review and Maintenance

This policy shall be reviewed:

  • At least annually
  • Following significant authentication-related incidents
  • Following regulatory changes
  • Following major technology changes
  • Following updates to authentication platforms

Updates shall be approved by executive management.

27. Related Policies

  • Information Security Policy
  • Identity and Access Management Policy
  • Access Control Policy
  • Password Policy
  • Privileged Access Management Policy
  • Remote Access Policy
  • Security Monitoring and Logging Policy
  • Incident Response Policy

28. Policy Approval

Policy Owner: Chief Information Security Officer (CISO) or Information Security Manager

Approved By: Executive Management

Effective Date: __________________

Review Date: __________________

Version: 1.0