SB.9.011 Multi-Factor Authentication
Users must use a second factor to authenticate before accessing sensitive data or functionality.
Users may mark a device as trusted, so that MFA is not required on that specific device for at most 30 days, provided the device meets all requirements for a second factor (such as being personal and meeting all hardware requirements).
Users can mark a maximum of 5 devices as trusted. Authenticated users can view an overview of the devices they have marked as trusted and can remove the trusted status of any of them.
Only ‘what you know’ and ‘what you have’ are considered factors for MFA. Location is not a factor; therefore the MFA requirements are the same on an internal network and on an external network.
Multi-layer authentication (the same type of factor used twice, such as two passwords) is not MFA. Two-factor authentication is only two-factor when the two steps use different factors.
Biometrics are not used as a factor, but may be used as a usability feature in place of a PIN (for example, to unlock the token on the device). MFA tokens used as factors are user-specific, and measures are in place to ensure that these tokens remain strictly personal.
MFA implementations conform to at least MFA level 2 as listed under “Specification”.
Users can enable MFA themselves. MFA can only be turned off by authenticating with MFA, by using a previously generated recovery token, or by an administrator mandated by the IdP owner after establishing the identity of the user.
Rate limiting must be enforced on failed authentication attempts.
Within MFA there are a number of levels of assurance for authentication. The higher the level, the higher the assurance of the user's identity. Depending on the data classification, a specific level of MFA may be required; for any required level, implementing a higher level is also acceptable. The levels are defined as follows:
● MFA level 1: Out-of-band, unencrypted
◌ Short Message Service (SMS) and e-mail based technology: a code is sent by SMS or e-mail and entered by the user to authenticate.
● MFA level 2: Out-of-band, encrypted
◌ A software token-based technology: software residing on a device that generates a code (token) in response to a challenge from the identity provider (IdP). This includes implementations that send a signal from the device to the IdP (such as push-based approval).
◌ Authenticators must validate to Authenticator Assurance Level 2 (AAL2) as defined in NIST Special Publication 800-63 (SP 800-63B, section 4.2).
● MFA level 3: Out-of-band, encrypted, hardware
◌ A hardware token-based technology: a hardened, separate device whose sole purpose is to generate a code in response to a challenge from the IdP. This includes implementations that send a signal from the device to the IdP.
● MFA level 4: U2F
◌ Universal 2nd Factor (U2F) based technology, based on USB and NFC standards. The challenge from the IdP is not typed in by a person but is answered directly by the hardware device. Implementations are required to meet the U2F standard of the FIDO Alliance.
◌ At level 4, only a physical visit to the IdP administrators is accepted to reset MFA. U2F technology may also be used at lower levels, in which case the weaker identification requirement of that level applies. However, as soon as U2F is used for level 4, this stricter measure applies.
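The level-2 software token described above, together with the rate-limiting and trusted-device rules stated earlier in this section, as an added worked example in Python. This is not part of the baseline and not an implementation it prescribes. It assumes a standard TOTP software token (RFC 6238: HMAC-SHA1, 6 digits, 30-second step) as the "code in response to a challenge"; the lockout threshold of 5 failures and the 300-second lockout are assumed values, whereas the 30-day and 5-device limits come from the baseline. The shared secret is the RFC 6238 test-vector key, used here as constructed sample input for a secret that would normally be provisioned out of band.

```python
"""Added example (not part of the baseline): a level-2 software-token check
(TOTP, RFC 6238) wrapped in the controls the baseline requires around it:
rate limiting of failed attempts, replay rejection, and a trusted-device list
capped at 5 devices that expire after 30 days. Standard library only."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

TOTP_STEP = 30                 # seconds per code (RFC 6238 default)
TOTP_DIGITS = 6
ALLOWED_SKEW = 1               # accept one time step either side of "now"
MAX_FAILED = 5                 # assumed: failed attempts before lockout
LOCKOUT_SECONDS = 300          # assumed: lockout duration
TRUSTED_TTL = 30 * 24 * 3600   # baseline: trusted for at most 30 days
MAX_TRUSTED = 5                # baseline: at most 5 trusted devices per user


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = TOTP_STEP) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


@dataclass
class MfaVerifier:
    secrets: dict                                     # user -> per-user shared secret
    failures: dict = field(default_factory=dict)      # user -> (count, locked_until)
    last_counter: dict = field(default_factory=dict)  # user -> last accepted counter
    trusted: dict = field(default_factory=dict)       # user -> {device_id: expires_at}

    def verify_code(self, user: str, code: str, now: int) -> bool:
        """Accept a TOTP code once, within the skew window, unless the user is locked out."""
        count, locked_until = self.failures.get(user, (0, 0))
        if now < locked_until:
            return False                      # rate limit: lockout still in force
        if locked_until:
            count = 0                         # lockout served, start counting afresh
        secret = self.secrets.get(user)
        if secret is not None:
            base = now // TOTP_STEP
            for c in range(base - ALLOWED_SKEW, base + ALLOWED_SKEW + 1):
                # constant-time comparison; a counter is never accepted twice (replay)
                if c > self.last_counter.get(user, -1) and hmac.compare_digest(
                        hotp(secret, c).encode(), code.encode()):
                    self.last_counter[user] = c
                    self.failures.pop(user, None)
                    return True
        count += 1                            # unknown users are counted too (no enumeration)
        self.failures[user] = (count, now + LOCKOUT_SECONDS if count >= MAX_FAILED else 0)
        return False

    def list_trusted(self, user: str, now: int) -> dict:
        """Overview of the user's trusted devices; expired entries are dropped first."""
        devices = self.trusted.setdefault(user, {})
        for dev in [d for d, exp in devices.items() if exp <= now]:
            del devices[dev]
        return devices

    def trust_device(self, user: str, device_id: str, now: int) -> bool:
        """Mark a device trusted for at most TRUSTED_TTL; refuse a sixth device."""
        devices = self.list_trusted(user, now)
        if device_id not in devices and len(devices) >= MAX_TRUSTED:
            return False
        devices[device_id] = now + TRUSTED_TTL
        return True

    def is_trusted(self, user: str, device_id: str, now: int) -> bool:
        return device_id in self.list_trusted(user, now)

    def revoke_device(self, user: str, device_id: str) -> None:
        """User-initiated removal of a device's trusted status."""
        self.trusted.get(user, {}).pop(device_id, None)
```

Two details matter for the baseline's intent: the comparison of codes is constant-time, and an accepted counter is recorded so the same code cannot be replayed within the skew window; both belong in any verifier regardless of the assurance level. The failure counter is kept even for unknown user names so that the rate limit does not reveal which accounts exist.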
U2F standard: https://fidoalliance.org/specs/fido-u2f-v1.0-rd-20140209/fido-u2f-overview-v1.0-rd-20140209.pdf
NIST special publication 800-63: https://pages.nist.gov/800-63-3/sp800-63-3.html#sec4