Multi-Factor Authentication (MFA)
Controls & Security · Last updated 2026-05-17

Multi-factor authentication, commonly abbreviated MFA, requires users to present two or more independent credentials when authenticating: something they know (a password), something they have (a hardware token or phone), and something they are (a fingerprint or face scan). SOC 2 treats MFA as a baseline control for any system that holds sensitive data or grants production access. Auditors expect MFA to be enforced on identity providers, administrative access to production systems, source control, cloud consoles, and any other sensitive applications. Modern MFA implementations favor phishing-resistant methods such as hardware security keys or platform authenticators over SMS-based codes, which can be intercepted through SIM-swap attacks. Auditors test MFA by sampling user accounts and verifying that MFA is both enabled and required, reviewing authentication logs for any non-MFA logins to in-scope systems, and examining the exception process for accounts where MFA is not technically possible. MFA gaps are a common cause of breaches and a frequent finding in SOC 2 exception reports.
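The log review described above, as an added example that is not part of the original page: it scans constructed identity-provider authentication records for successful logins to in-scope systems that completed without an MFA factor, separates documented exception accounts from true gaps, and also flags MFA that is not phishing-resistant. The system names, log fields, factor names and account names are all assumptions.

```python
"""Added example (not from the original page): audit constructed IdP
authentication log records, one JSON object per line, the way an auditor
reviews logs for non-MFA logins to in-scope systems. All field names,
system names, factor names and accounts below are constructed assumptions."""
import json

# Constructed sample log lines (assumed schema, not a real product's format).
SAMPLE_LOG = """\
{"user":"alice","system":"cloud-console","result":"success","factors":["password","webauthn"]}
{"user":"bob","system":"source-control","result":"success","factors":["password"]}
{"user":"svc-backup","system":"prod-bastion","result":"success","factors":["password"]}
{"user":"carol","system":"wiki","result":"success","factors":["password"]}
{"user":"dave","system":"prod-bastion","result":"failure","factors":["password"]}
{"user":"erin","system":"idp","result":"success","factors":["password","sms"]}
"""

# Systems the SOC 2 scope requires MFA on (assumed list).
IN_SCOPE = {"idp", "prod-bastion", "source-control", "cloud-console"}
# Documented exception register: accounts where MFA is not technically possible.
EXCEPTIONS = {"svc-backup"}
# Second-factor names recognised in the assumed log schema.
MFA_FACTORS = {"totp", "sms", "webauthn", "push", "hardware-key"}
PHISHING_RESISTANT = {"webauthn", "hardware-key"}


def audit_logins(log_text, in_scope=IN_SCOPE, exceptions=EXCEPTIONS):
    """Return (user, system, finding) tuples for every successful in-scope
    login that lacked MFA ("no-mfa"), lacked MFA but is a registered
    exception ("exception"), or used a non-phishing-resistant factor
    ("weak-mfa"). Failed logins and out-of-scope systems are ignored."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["system"] not in in_scope or rec["result"] != "success":
            continue
        used = set(rec["factors"])
        if not used & MFA_FACTORS:
            kind = "exception" if rec["user"] in exceptions else "no-mfa"
            findings.append((rec["user"], rec["system"], kind))
        elif not used & PHISHING_RESISTANT:
            findings.append((rec["user"], rec["system"], "weak-mfa"))
    return findings


if __name__ == "__main__":
    for user, system, kind in audit_logins(SAMPLE_LOG):
        print(f"{kind:<10} {user:<12} {system}")
```

Each "no-mfa" line is an audit finding; each "exception" line must match a documented, approved entry in the exception register, and "weak-mfa" lines show where the SMS-to-security-key migration is incomplete.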