Skip to content

M1032 Multi-factor Authentication

Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.

Item Value
ID M1032
Version 1.0
Created 10 June 2019
Last Modified 10 June 2019
Navigation Layer View In ATT&CK® Navigator

Techniques Addressed by Mitigation

Domain ID Name Use
enterprise T1098 Account Manipulation Use multi-factor authentication for user and privileged accounts.
enterprise T1098.001 Additional Cloud Credentials Use multi-factor authentication for user and privileged accounts. Consider enforcing multi-factor authentication for the CreateKeyPair and ImportKeyPair API calls through IAM policies.6
enterprise T1098.002 Additional Email Delegate Permissions Use multi-factor authentication for user and privileged accounts.
enterprise T1098.003 Additional Cloud Roles Use multi-factor authentication for user and privileged accounts.
enterprise T1098.005 Device Registration Require multi-factor authentication to register devices in Azure AD.1 Configure multi-factor authentication systems to disallow enrolling new devices for inactive accounts.2
enterprise T1110 Brute Force Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.
enterprise T1110.001 Password Guessing Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.
enterprise T1110.002 Password Cracking Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.
enterprise T1110.003 Password Spraying Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.
enterprise T1110.004 Credential Stuffing Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.
enterprise T1136 Create Account Use multi-factor authentication for user and privileged accounts.
enterprise T1136.001 Local Account Use multi-factor authentication for user and privileged accounts.
enterprise T1136.002 Domain Account Use multi-factor authentication for user and privileged accounts.
enterprise T1136.003 Cloud Account Use multi-factor authentication for user and privileged accounts.
enterprise T1530 Data from Cloud Storage Object Consider using multi-factor authentication to restrict access to resources and cloud storage APIs.8
enterprise T1213 Data from Information Repositories -
enterprise T1213.003 Code Repositories Use multi-factor authentication for logons to code repositories.
enterprise T1114 Email Collection Use of multi-factor authentication for public-facing webmail servers is a recommended best practice to minimize the usefulness of usernames and passwords to adversaries.
enterprise T1114.002 Remote Email Collection Use of multi-factor authentication for public-facing webmail servers is a recommended best practice to minimize the usefulness of usernames and passwords to adversaries.
enterprise T1133 External Remote Services Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary’s ability to leverage stolen credentials, but be aware of Multi-Factor Authentication Interception techniques for some two-factor authentication implementations.
enterprise T1556 Modify Authentication Process Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.
enterprise T1556.001 Domain Controller Authentication Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.
enterprise T1556.003 Pluggable Authentication Modules Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information.
enterprise T1556.004 Network Device Authentication Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control. 3
enterprise T1601 Modify System Image Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control.3
enterprise T1601.001 Patch System Image Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control.3
enterprise T1601.002 Downgrade System Image Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control.3
enterprise T1621 Multi-Factor Authentication Request Generation Implement more secure 2FA/MFA mechanisms in replacement of simple push or one-click 2FA/MFA options. For example, having users enter a one-time code provided by the login screen into the 2FA/MFA application or utilizing other out-of-band 2FA/MFA mechanisms (such as rotating code-based hardware tokens providing rotating codes that need an accompanying user pin) may be more secure. Furthermore, change default configurations and implement limits upon the maximum number of 2FA/MFA request prompts that can be sent to users in period of time.4
enterprise T1599 Network Boundary Bridging Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control.3
enterprise T1599.001 Network Address Translation Traversal Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control. 3
enterprise T1040 Network Sniffing Use multi-factor authentication wherever possible.
enterprise T1021 Remote Services Use multi-factor authentication on remote service logons where possible.
enterprise T1021.001 Remote Desktop Protocol Use multi-factor authentication for remote logins.5
enterprise T1021.004 SSH Require multi-factor authentication for SSH connections wherever possible, such as password protected SSH keys.
enterprise T1072 Software Deployment Tools Ensure proper system and access isolation for critical network systems through use of multi-factor authentication.
enterprise T1539 Steal Web Session Cookie A physical second factor key that uses the target login domain as part of the negotiation protocol will prevent session cookie theft through proxy methods.7
enterprise T1078 Valid Accounts -
enterprise T1078.002 Domain Accounts Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.
enterprise T1078.004 Cloud Accounts Use multi-factor authentication for cloud accounts, especially privileged accounts. This can be implemented in a variety of forms (e.g. hardware, virtual, SMS), and can also be audited using administrative reporting features.9

References

Back to top