CME-801

Multi-Factor Authentication (MFA)

Description

Requires multiple authentication factors (password plus TOTP, FIDO2 or smart card), preventing credential-only compromise: a stolen password alone is not sufficient for access.

CVSS Vector Impacts

Metric                    Transition   Rationale
Attack Complexity (AC)    L -> H       Stolen credential alone is insufficient; second factor required
Privileges Required (PR)  N -> H       Unauthenticated access impossible; multi-factor barrier

CWE Relationships

Verification

Verify MFA enforcement in PAM or IdP

$ grep pam_google_authenticator /etc/pam.d/sshd
# Expected: auth required pam_google_authenticator.so
Platform: linux

$ grep -r 'auth.*required.*pam_u2f' /etc/pam.d/
# Expected: an auth line ending in pam_u2f.so
Platform: linux
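The two greps above tell you a module is mentioned, not that it is enforcing. The script below is an added example written for this entry, not part of the CME catalogue or of any PAM distribution: it reads a service's PAM stack from a directory you pass in (defaulting to /etc/pam.d), ignores commented-out lines, accepts only "auth required" or "auth requisite" entries for pam_google_authenticator or pam_u2f, and rejects entries carrying nullok, because with nullok a user who never enrolled a second factor is still accepted on password alone. The sample stacks it checks are constructed inside a temporary directory.

```shell
#!/bin/sh
# Added example for CME-801 (not catalogue code). Assumes PAM service files
# live under the directory given as $1 and that the MFA module is one of the
# two named on the page (pam_google_authenticator, pam_u2f).

# check_mfa_pam DIR SERVICE
# Prints the enforcing line(s) and returns 0 when SERVICE's stack enforces a
# second factor; returns 1 when it does not; returns 2 when the file is unreadable.
check_mfa_pam() {
    pamdir="${1:-/etc/pam.d}"
    service="${2:-sshd}"
    file="$pamdir/$service"
    if [ ! -r "$file" ]; then
        echo "no readable PAM stack for $service in $pamdir" >&2
        return 2
    fi
    # 1. strip comments (a commented-out line enforces nothing)
    # 2. keep only auth lines whose control flag is required/requisite and whose
    #    module is one of the MFA modules; "sufficient"/"optional" do not enforce
    # 3. drop lines with nullok, which waives the factor for unenrolled users
    sed 's/#.*$//' "$file" \
      | grep -E '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+([^[:space:]]*/)?pam_(google_authenticator|u2f)\.so' \
      | grep -v 'nullok'
}

# Demo on constructed PAM stacks (not a real host's configuration).
demo_dir=$(mktemp -d)

# Enforcing: TOTP is required for every user.
cat > "$demo_dir/sshd" <<'EOF'
# constructed sample
auth required pam_google_authenticator.so
auth include common-auth
EOF

# Not enforcing: one line is commented out, the other is only "sufficient".
cat > "$demo_dir/sshd-sufficient" <<'EOF'
# constructed sample
#auth required pam_google_authenticator.so
auth sufficient pam_u2f.so
EOF

# Not enforcing: the module is required, but nullok lets unenrolled users through.
cat > "$demo_dir/sshd-nullok" <<'EOF'
# constructed sample
auth required pam_u2f.so nullok cue
EOF

for svc in sshd sshd-sufficient sshd-nullok; do
    if found=$(check_mfa_pam "$demo_dir" "$svc"); then
        echo "$svc: MFA enforced by: $found"
    else
        echo "$svc: MFA NOT enforced"
    fi
done

rm -rf "$demo_dir"
```

Run it as `sh check_mfa.sh` and point `check_mfa_pam` at the real directory (`check_mfa_pam /etc/pam.d sshd`) once you trust it. One caveat the check cannot see: sshd only consults the PAM auth stack for keyboard-interactive (and password) authentication with `UsePAM yes`, so a host that authenticates with public keys alone never runs these modules unless `AuthenticationMethods` in sshd_config also demands `keyboard-interactive` (for example `publickey,keyboard-interactive`). Verify that setting alongside the PAM file.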