3.5.8 — Implement Replay-Resistant Authentication Mechanisms for Network Access to Non-Privileged Accounts

This extends replay-resistant authentication specifically to non-privileged (regular user) accounts accessing the network. Even standard users need protections against attackers capturing and replaying their login sessions.

If you have already implemented strong MFA and disabled legacy protocols for all accounts (not just admins), you are well on your way.

Example 1: In the Entra Admin Center, create a Conditional Access policy under Protection > Conditional Access that targets all users (not just admins). Set the grant control to require MFA with an authentication strength of "Phishing-resistant MFA." This ensures even standard user accounts use tokens that cannot be replayed.

Example 2: On your VPN appliance (e.g., Cisco AnyConnect), configure certificate-based authentication combined with TOTP. In the ASA configuration, set tunnel-group DefaultWEBVPNGroup webvpn-attributes and configure authentication certificate along with a secondary authentication source pointed to your RADIUS/MFA server. This provides two layers of replay-resistant authentication for every remote user session.