
IA-2(11) Identification And Authentication (Organizational Users)

PBMM (P2)
Secret (P2)
Technical

> Control Description

IDENTIFICATION AND AUTHENTICATION | REMOTE ACCESS - SEPARATE DEVICE

The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system being accessed and the device meets organization-defined strength of mechanism requirements.

> Supplemental Guidance

For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system being accessed as one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users. Related control: AC-6.

> Tailoring Guidance

Depending on robustness requirements, multifactor authentication can be addressed using a software-based certificate in conjunction with a username and password, or using hardware cryptographic tokens. For additional guidance, please refer to ITSG-31 User Authentication Guidance for IT Systems.
