Multi-Factor Authentication (MFA)

Why it matters

Compromised credentials remain the leading attack vector for unauthorized system access; MFA eliminates the risk of single-factor credential theft being sufficient to breach production systems. Without MFA, attackers who obtain passwords via phishing, data breaches, or social engineering gain immediate access to critical infrastructure, cloud consoles, and sensitive data—often without detection until significant damage occurs.

Evidence to collect

• Okta/Azure AD/Google Workspace policy report showing MFA enforcement per application and user group
• Screenshot of MFA enrollment flow with TOTP or hardware key configured for a test account
• Documented exceptions log listing accounts exempt from MFA with quarterly review sign-offs
• VPN and production bastion host access logs confirming MFA prompts for non-service-account access

Testing procedure

Request IdP policy reports and verify MFA is enforced for all human user roles accessing production systems, cloud consoles, and VPNs via conditional access rules or explicit group policy. Attempt to authenticate to each system with a valid credential but without completing MFA to confirm authentication fails. Query recent access logs (past 30 days) for any MFA bypass events or exempted accounts and validate all exceptions are documented with business justification and current approval.

Common gotchas