The sub-techniques beta is now live! Read the release blog post for more info.

Multi-factor Authentication

Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.

ID: M1032
Version: 1.0
Created: 10 June 2019
Last Modified: 10 June 2019

Techniques Addressed by Mitigation

Domain ID Name Description
Enterprise T1098 Account Manipulation

Use multi-factor authentication for user and privileged accounts.

Enterprise T1017 Application Deployment Software

Use multi-factor authentication for accounts used with application deployment software.

Enterprise T1110 Brute Force

Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.

Enterprise T1136 Create Account

Use multi-factor authentication for user and privileged accounts.

Enterprise T1530 Data from Cloud Storage Object

Consider using multi-factor authentication to restrict access to resources and cloud storage APIs.

Enterprise T1114 Email Collection

Use of multi-factor authentication for public-facing webmail servers is a recommended best practice to minimize the usefulness of usernames and passwords to adversaries.

Enterprise T1133 External Remote Services

Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials, but be aware of Two-Factor Authentication Interception techniques for some two-factor authentication implementations.

Enterprise T1040 Network Sniffing

Use multi-factor authentication wherever possible.

Enterprise T1076 Remote Desktop Protocol

Use multi-factor authentication for remote logins.[1]

Enterprise T1021 Remote Services

Use multi-factor authentication on remote service logons where possible.

Enterprise T1539 Steal Web Session Cookie

A physical second factor key that uses the target login domain as part of the negotiation protocol will prevent session cookie theft through proxy methods.[2]

Enterprise T1072 Third-party Software

Ensure proper system and access isolation for critical network systems through use of multi-factor authentication.

Enterprise T1078 Valid Accounts

Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.

References