Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) requires users to present two or more independent verification factors before they are granted access to a system: something you know (a password or PIN), something you have (a phone, a hardware security key, a CAC), or something you are (a fingerprint or face scan). Two factors of the same kind, such as a password plus a security question, do not count. Because an attacker who steals or guesses a password still lacks the second factor, MFA makes it dramatically harder to take over an account with a compromised password alone.
In practice, MFA typically means entering your password and then confirming your identity through a second method: a one-time code sent to your phone, a code or push notification from an authenticator app, or a hardware security key plugged into the machine. Not all second factors are equal: SMS codes and push approvals can be phished or fatigued out of a user, while hardware keys (FIDO2/PIV) bind the login to the legitimate site and resist phishing, so prefer them for privileged accounts where you can. The DoD's CAC is a form of MFA: it combines something you have (the card and the private key on its chip) with something you know (the PIN that unlocks it).
Why It Matters
MFA is one of the most effective security controls available and is required under CMMC: the Level 2 practice that maps to NIST SP 800-171 control 3.5.3 calls for MFA on local and network access to privileged accounts and on network access to non-privileged accounts. Enforcing MFA on all remote access and on every privileged account significantly reduces the risk that a stolen or guessed password alone leads to an account compromise.