Multi-Factor Auth
Require multiple authentication factors for access.
9 of 9 frameworks cover this control
Framework Mappings
How Multi-Factor Auth maps to each of the 6 cybersecurity frameworks tracked by ControlMap.
| Framework | Status | Control IDs |
|---|---|---|
| NIST CSF 2.0 | Covered | PR.AA-03 |
| ISO 27001 | Covered | A.8.5 |
| CIS v8 | Covered | CIS 6.3, CIS 6.4, CIS 6.5 |
| SOC 2 | Covered | CC6.1 |
| PCI DSS | Covered | 8.4.1, 8.4.2, 8.4.3 |
| CMMC | Covered | IA.L2-3.5.3 |
| 800-53 | Covered | IA-2 |
| HIPAA | Covered | §164.312(d) |
| GDPR | Covered | Art.32(1)(b) |
About Multi-Factor Auth
Multi-Factor Auth is a cybersecurity control in the Protect domain. It requires multiple authentication factors for access. Multi-factor authentication (MFA) significantly reduces the risk of account compromise by requiring users to present two or more verification factors, typically combining something they know (password), something they have (hardware token or mobile device), and something they are (biometrics). MFA is now considered a baseline security requirement across virtually all compliance frameworks and is especially critical for privileged accounts, remote access, and cloud service authentication. Organizations should prioritize phishing-resistant MFA methods such as FIDO2 security keys or passkeys over SMS-based codes, which are vulnerable to SIM-swapping attacks.
This control is recognized by 9 of the 6 major frameworks: NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, GDPR. It has full coverage across all tracked frameworks.