← All topics
Cyber-insurance readiness

Identity & Access — MFA

Multi-factor authentication, by surface. "Available but not enforced" is a partial — it still scores as a gap.

Why it matters

Stolen credentials are the #1 way attackers get in, and unenforced MFA is a leading reason claims are denied.

What strong practice looks like

MFA enforced across remote access, privileged accounts, email, and critical apps.

What this area covers

MFA on remote network access (VPN, RDP, gateways)

MFA (multi-factor authentication) means logging in takes more than just a password — a second step proves it’s really you. The most familiar example is the code your bank texts you, or a prompt in an app like Google Authenticator, Microsoft Authenticator, or Duo. Something you know (a password) plus something you have (the code or device).

This section asks about MFA on different surfaces — remote access, email, admin accounts, and key apps — because a login can be protected in one place but not another. “Available but not enforced” means the option exists but staff aren’t required to use it; that still counts as a gap.

Why this matters at claim time: MFA is one of the most closely scrutinized controls on a cyber-insurance application. If you attest that MFA is in place and it later turns out it wasn’t fully turned on, that gap can affect a claim. Answer for what’s actually enforced today.

CISA — More than a Password (MFA) ↗ — what good looks like

Also covered in this area

  • MFA on email (webmail and mail apps)
  • MFA on privileged / admin and cloud-admin accounts
  • MFA on all business-critical applications

This library is general education, not advice about your specific organization. It describes what each control is and what strong practice looks like; whether and how any of it applies to you is your decision, in consultation with your carrier, broker, or counsel.