Multi-factor authentication, by surface. "Available but not enforced" is a partial — it still scores as a gap.
Stolen credentials are the #1 way attackers get in, and unenforced MFA is a leading reason claims are denied.
What strong practice looks like
MFA enforced across remote access, privileged accounts, email, and critical apps.
What this area covers
MFA on remote network access (VPN, RDP, gateways)
MFA (multi-factor authentication) means logging in takes more than just a password — a second step proves it’s really you. The most familiar example is the code your bank texts you, or a prompt in an app like Google Authenticator, Microsoft Authenticator, or Duo. Something you know (a password) plus something you have (the code or device).
This section asks about MFA on different surfaces — remote access, email, admin accounts, and key apps — because a login can be protected in one place but not another. “Available but not enforced” means the option exists but staff aren’t required to use it; that still counts as a gap.
CISA — More than a Password (MFA) ↗ — what good looks like
Also covered in this area
- MFA on email (webmail and mail apps)
- MFA on privileged / admin and cloud-admin accounts
- MFA on all business-critical applications
This library is general education, not advice about your specific organization. It describes what each control is and what strong practice looks like; whether and how any of it applies to you is your decision, in consultation with your carrier, broker, or counsel.