3.5.3 Multifactor Authentication

3.5.3 multifactor authentication MFA

Multifactor Authentication: #2 of the top 10 “Other than Satisfied Requirements” for 800-171 assessments by DIBCAC.

๐”๐ฌ๐ž ๐ฆ๐ฎ๐ฅ๐ญ๐ข๐Ÿ๐š๐œ๐ญ๐จ๐ซ ๐š๐ฎ๐ญ๐ก๐ž๐ง๐ญ๐ข๐œ๐š๐ญ๐ข๐จ๐ง ๐Ÿ๐จ๐ซ ๐ฅ๐จ๐œ๐š๐ฅ ๐š๐ง๐ ๐ง๐ž๐ญ๐ฐ๐จ๐ซ๐ค ๐š๐œ๐œ๐ž๐ฌ๐ฌ ๐ญ๐จ ๐ฉ๐ซ๐ข๐ฏ๐ข๐ฅ๐ž๐ ๐ž๐ ๐š๐œ๐œ๐จ๐ฎ๐ง๐ญ๐ฌ ๐š๐ง๐ ๐Ÿ๐จ๐ซ ๐ง๐ž๐ญ๐ฐ๐จ๐ซ๐ค ๐š๐œ๐œ๐ž๐ฌ๐ฌ ๐ญ๐จ ๐ง๐จ๐ง-๐ฉ๐ซ๐ข๐ฏ๐ข๐ฅ๐ž๐ ๐ž๐ ๐š๐œ๐œ๐จ๐ฎ๐ง๐ญ๐ฌ.

My theory is that most of the time when this requirement is failed, it is because the IT department didn’t know about the Assessment Objectives (AOs) so they were surprised during the assessment. See the picture below for the full list of Assessment Objectives.

When most people read this requirement, they think of the MFA available from their cloud providers. For example, many defense contractors have MFA through Azure Active Directory / Office 365 which displays an MFA challenge when they connect to it. Unfortunately, MFA from your cloud only handles two of the four Assessment Objectives (the ones that say “network access”).

What is this applicable to? Workstations, servers, and potentially even network devices. Especially for devices that are considered “CUI Assets”, though I think that most assessors feel MFA is applicable to any accounts in a directory that manages access to CUI.

Think that logging on from a specific location counts? Or that your laptop is “something you have?” Think again. Those won’t pass.

Where do companies go wrong? #1: They forget that one of the AOs requires MFA for ๐ฉ๐ซ๐ข๐ฏ๐ข๐ฅ๐ž๐ ๐ž๐ ๐’๐’๐’„๐’‚๐’ logon.

What is ๐’๐’๐’„๐’‚๐’? This means  logging in with an account where authentication traffic does not traverse a network. Think cached credentials or accounts stored on the device.

What is ๐ฉ๐ซ๐ข๐ฏ๐ข๐ฅ๐ž๐ ๐ž๐? An account with admin rights, such as root, administrator, or your personal admin account.

Common solutions for MFA for ๐ฉ๐ซ๐ข๐ฏ๐ข๐ฅ๐ž๐ ๐ž๐ ๐’๐’๐’„๐’‚๐’ logon? Fingerprint scanners ๐Ÿ‘†๐Ÿฝ, smart-cards or pluggable drives with certificate logon ๐ŸŽซ, or time-based authenticator codes ๐Ÿ”Ÿ.

Where do companies go wrong? #2: They don’t address the full scope of their environment.

I’ve heard second-and-third-hand stories of DIBCAC assessors failing companies because their firewall administrator console didn’t prompt for MFA. The stories are horror genre because it is hard to find firewalls that have the ability to support MFA.


Common solution for devices that don’t support MFA: Implement a “Privileged Access Workstation”, “Bastion host”, or “Jump box” which prompts for MFA before you can connect to the administrative console for firewalls, Linux servers, and other devices that don’t easily support MFA. If your firewall can be administered from outside, lock that down.

I expect a few people are hyperventilating into a paper bag after reading this. Would love to hear your thoughts, solutions, and stories about MFA. Is it true that MFA has been expected on network devices? What about printers?

Leave a Reply

Your email address will not be published. Required fields are marked *