Multi-Factor Authentication Configuration Procedure
| Property | Value |
|---|---|
| Document ID | PROC-002 |
| Version | 1.0 |
| Status | Draft |
| Owner | IT Operations Manager |
| Last Updated | 2026-01-11 |
| Next Review | 2027-01-11 |
| Related Controls | SOC 2: CC6.1, CC6.6 / ISO 27001: A.9.4 |
| Parent Policy | Password & Authentication Policy (POL-003) |
1. Purpose
This procedure defines the steps for configuring, enrolling, and managing multi-factor authentication (MFA) across organizational systems to protect against unauthorized access and credential-based attacks.
2. Scope
This procedure applies to:
- Systems: All applications and systems requiring MFA
- Users: All employees, contractors, and third-party users
- MFA Methods: Hardware keys, authenticator apps, push notifications
- Responsible Parties: IT Operations, Security, End Users
3. MFA Requirements
3.1 MFA Coverage
| System Category | MFA Requirement | Enforcement |
|---|---|---|
| Identity Provider (SSO) | Required | Enforced at login |
| | Required (via SSO) | SSO enforcement |
| Cloud Console (AWS/GCP/Azure) | Required | IAM policy |
| VPN/Remote Access | Required | Gateway enforcement |
| Source Code (GitHub) | Required | Organization policy |
| Production Systems | Required | PAM/Bastion |
| Admin/Privileged Accounts | Required (phishing-resistant) | IAM policy |
| All Applications via SSO | Required | SSO enforcement |
3.2 Approved MFA Methods
| Method | Security Level | Use Cases | Notes |
|---|---|---|---|
| Hardware Security Key (FIDO2/WebAuthn) | Highest | Privileged users, high-risk roles | Phishing-resistant |
| Platform Authenticator | High | All users with compatible devices | Windows Hello, Touch ID |
| TOTP Authenticator App | Medium | Standard users | Google/Microsoft Authenticator |
| Push Notification (with number matching) | Medium | Standard users | Duo, Okta Verify |
| SMS | Low | Legacy/fallback only | Not recommended, phase out |
4. MFA Enrollment Procedure
4.1 New User Enrollment
┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ Account │───▶│ User │───▶│ Configure │───▶│ Verify │───▶│ Document │
│ Created │ │ Notified │ │ Primary │ │ Backup │ │ Complete │
└─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘
| Step | Action | Owner | Notes |
|---|---|---|---|
| 1 | User account created in IdP | IT Operations | As part of onboarding |
| 2 | User receives enrollment notification | System | Email with enrollment link |
| 3 | User logs in with temporary password | User | First login |
| 4 | User prompted to enroll MFA | System | Mandatory enrollment |
| 5 | User configures primary MFA method | User | Preferred: Security key or authenticator |
| 6 | User configures backup MFA method | User | At least one backup required |
| 7 | User generates and stores recovery codes | User | Store securely (password manager) |
| 8 | Enrollment confirmed in IdP | System | User status updated |
4.2 Enrolling Hardware Security Key (FIDO2)
Prerequisites:
- FIDO2-compatible security key (YubiKey, Titan, etc.)
- Supported browser (Chrome, Firefox, Edge, Safari)
- WebAuthn-enabled IdP
Steps:
- Log in to identity provider (Okta, Azure AD, etc.)
- Navigate to Security Settings > Authentication Methods
- Select "Add Security Key"
- Insert security key into USB port (or tap for NFC)
- When prompted, touch the security key to confirm
- Name the security key (e.g., "Primary YubiKey - Work")
- Click "Complete Registration"
- Important: Register a backup security key following the same steps
- Store backup key in secure location
4.3 Enrolling Authenticator App (TOTP)
Prerequisites:
- Smartphone with authenticator app installed
- Approved apps: Google Authenticator, Microsoft Authenticator, Authy, 1Password
Steps:
- Log in to identity provider
- Navigate to Security Settings > Authentication Methods
- Select "Add Authenticator App"
- Open authenticator app on phone
- Scan QR code displayed on screen
- Enter 6-digit code from app to verify
- Name the device (e.g., "iPhone - Work Phone")
- Click "Complete Registration"
- Save backup codes securely
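What the IdP does behind steps 5 and 6 above (the QR code and the 6-digit verification), as an added example using only the Python standard library; this is not code from the procedure or from any of the listed IdPs, and the issuer/account labels in the URI are assumptions.

```python
# Added example (not part of PROC-002): RFC 6238 TOTP with the standard library
# only, showing what the IdP does behind steps 5-6 of section 4.3.
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import Optional

STEP_SECONDS = 30   # time step used by the authenticator apps listed in 4.3
DIGITS = 6          # "Enter 6-digit code from app to verify"


def new_totp_secret(num_bytes: int = 20) -> str:
    """Random shared secret, base32-encoded as authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode().rstrip("=")

def provisioning_uri(secret: str, account: str, issuer: str) -> str:
    """The otpauth:// URI that the enrollment QR code encodes (labels are assumed)."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    params = urllib.parse.urlencode({"secret": secret, "issuer": issuer,
                                     "algorithm": "SHA1", "digits": DIGITS,
                                     "period": STEP_SECONDS})
    return f"otpauth://totp/{label}?{params}"

def totp_code(secret: str, at_time: Optional[float] = None) -> str:
    """Code for the 30-second step containing at_time (default: now)."""
    key = base64.b32decode(secret + "=" * (-len(secret) % 8), casefold=True)
    counter = int((time.time() if at_time is None else at_time) // STEP_SECONDS)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)

def verify_enrollment_code(secret: str, submitted: str,
                           at_time: Optional[float] = None, window: int = 1) -> bool:
    """Step 6 of 4.3: accept only a well-formed code matching the current step
    or one step either side (phone clock drift), compared in constant time."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    now = time.time() if at_time is None else at_time
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp_code(secret, now + drift * STEP_SECONDS), submitted):
            return True
    return False
```

The secret should be generated server-side, shown to the user only via the QR code, and stored encrypted at rest; a code accepted once for a given time step should not be accepted again within that step.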
4.4 Enrolling Push Notification (with Number Matching)
Prerequisites:
- Smartphone with Okta Verify, Duo, or equivalent app
- Number matching must be enabled (prevents push fatigue attacks)
Steps:
- Log in to identity provider
- Navigate to Security Settings > Authentication Methods
- Select "Add Push Notification"
- Download and open the verification app
- Scan QR code or enter setup key
- Approve test push notification
- Confirm number displayed matches
- Registration complete
5. MFA Administration
5.1 Enabling MFA for Applications
| Application Type | Configuration Location | Notes |
|---|---|---|
| SSO-enabled apps | Identity Provider | Automatic via SSO |
| AWS | IAM > MFA Policy | Use SCP for enforcement |
| GCP | Cloud Identity / IAM | Organization policy |
| Azure | Conditional Access | Require MFA policy |
| GitHub | Organization Settings | Require 2FA for members |
| Non-SSO apps | Application settings | Per-app configuration |
5.2 Identity Provider MFA Policy Configuration
Okta Example:
Authentication Policy:
├── Name: MFA Required - All Users
├── Conditions:
│   ├── Users: All users
│   ├── Applications: All integrated apps
│   └── Network: Any network
└── Actions:
    ├── Require MFA: Always
    ├── Allowed Methods: WebAuthn, TOTP, Push
    └── Remember Device: 24 hours (trusted devices only)
5.3 Privileged User MFA Requirements
Privileged/admin accounts require enhanced MFA:
| Requirement | Standard |
|---|---|
| MFA Method | Phishing-resistant (FIDO2/WebAuthn) preferred |
| Session Duration | Maximum 4 hours |
| Re-authentication | Required for sensitive operations |
| Backup Method | Hardware key (not SMS) |
6. MFA Recovery Procedures
6.1 Lost MFA Device
┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ User │───▶│ Verify │───▶│ Reset │───▶│ Re-enroll │
│ Reports │ │ Identity │ │ MFA │ │ New MFA │
└─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘
Steps:
| Step | Action | Owner | Notes |
|---|---|---|---|
| 1 | User contacts IT Help Desk | User | Via phone or in-person |
| 2 | Help Desk verifies identity | IT Help Desk | Manager confirmation or in-person ID |
| 3 | Help Desk resets MFA in IdP | IT Help Desk | Clear all enrolled methods |
| 4 | User receives new enrollment link | System | Time-limited (1 hour) |
| 5 | User enrolls new MFA device | User | Follow enrollment procedure |
| 6 | User enrolls backup method | User | Required |
| 7 | Ticket closed with documentation | IT Help Desk | Record identity verification method |
6.2 Recovery Codes
| Requirement | Standard |
|---|---|
| Generation | At MFA enrollment |
| Storage | Password manager only |
| Usage | One-time use, regenerate after use |
| Quantity | 10 codes generated |
| Reporting | User should report when codes are used |
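The recovery-code lifecycle in the table above (ten codes at enrollment, one-time use, regenerate after use), as an added example that is not part of this procedure or of any IdP's implementation; the code format and hashing choice are assumptions.

```python
# Added example (not part of PROC-002): the recovery-code lifecycle of section 6.2,
# ten codes issued at enrollment, stored only as hashes, each usable once, and the
# whole set regenerated once any code has been used.
import hashlib
import hmac
import secrets
from typing import List, Tuple

CODE_COUNT = 10                                   # 6.2: "10 codes generated"
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"      # no 0/O/1/l/I look-alikes


def _hash_code(code: str) -> str:
    # Each code carries ~49 bits of entropy (31^10), so a plain SHA-256 is enough
    # against offline guessing; the cleartext is shown once and never stored.
    return hashlib.sha256(code.replace("-", "").lower().encode()).hexdigest()

def generate_recovery_codes(count: int = CODE_COUNT) -> Tuple[List[str], List[str]]:
    """Return (cleartext codes to show the user once, hashes to persist in the IdP)."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(10))
        codes.append(f"{raw[:5]}-{raw[5:]}")   # xxxxx-xxxxx, easier to transcribe
    return codes, [_hash_code(c) for c in codes]

def redeem_recovery_code(stored_hashes: List[str], submitted: str) -> Tuple[bool, List[str], bool]:
    """6.2 'one-time use': consume the matching code.

    Returns (accepted, remaining_hashes, regenerate_required). The caller must
    replace the stored set with remaining_hashes atomically, prompt the user for a
    fresh set when regenerate_required is True, and report the use to the Security
    Team (8.1, "Recovery code usage").
    """
    candidate = _hash_code(submitted)
    for i, stored in enumerate(stored_hashes):
        if hmac.compare_digest(stored, candidate):   # constant-time comparison
            return True, stored_hashes[:i] + stored_hashes[i + 1:], True
    return False, stored_hashes, False
```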
6.3 Temporary MFA Bypass
Only in emergency situations:
| Requirement | Standard |
|---|---|
| Authorization | Security Team approval required |
| Duration | Maximum 4 hours |
| Logging | All access logged during bypass |
| Documentation | Ticket with justification |
| Follow-up | MFA must be re-enrolled before bypass expires |
7. Phishing-Resistant MFA Configuration
7.1 Enabling WebAuthn/FIDO2
Okta Configuration:
- Admin Console > Security > Authenticators
- Add Authenticator > Security Key or Biometric
- Configure settings:
  - Enrollment: Optional or Required
  - User verification: Required
  - Credential attachment: Cross-platform
- Create Authentication Policy requiring WebAuthn for high-risk scenarios
Azure AD Configuration:
- Azure Portal > Azure AD > Security > Authentication Methods
- Enable FIDO2 Security Key
- Configure:
  - Allow self-service set up: Yes
  - Enforce attestation: Yes
  - Key restrictions: Allow AAGUID list (optional)
- Create Conditional Access Policy requiring phishing-resistant MFA
7.2 Phishing-Resistant MFA Rollout
| Phase | Scope | Timeline |
|---|---|---|
| Phase 1 | IT and Security teams | Immediate |
| Phase 2 | Privileged users (admins, finance, HR) | 30 days |
| Phase 3 | All employees (optional) | 90 days |
| Phase 4 | All employees (required for high-risk) | 180 days |
8. Monitoring and Compliance
8.1 MFA Compliance Reporting
| Report | Frequency | Audience |
|---|---|---|
| MFA enrollment status | Weekly | IT Operations |
| Users without MFA | Weekly | Security Team |
| MFA method distribution | Monthly | Security Team |
| Failed MFA attempts | Daily (alerts) | Security Team |
| Recovery code usage | Per occurrence | Security Team |
8.2 MFA Metrics
| Metric | Target |
|---|---|
| MFA enrollment rate | 100% |
| Phishing-resistant MFA adoption | >50% of privileged users |
| MFA bypass requests | <1% of users/month |
| Time to MFA enrollment (new users) | Day 1 |
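How the 8.1 reports and 8.2 metrics can be derived from an IdP enrollment export, as an added example that is not part of this procedure; the export rows and field names are constructed for illustration and would map to whatever the real IdP exports.

```python
# Added example (not part of PROC-002): builds the 8.1 "Users without MFA" and
# "MFA method distribution" reports and the 8.2 metrics from a constructed IdP export.
from collections import Counter

PHISHING_RESISTANT = {"webauthn"}          # FIDO2 / platform authenticator (3.2)
LEGACY = {"sms"}                           # fallback only, to be phased out (3.2)

# Constructed sample export: one row per user, factors as enrolled in the IdP.
SAMPLE_EXPORT = [
    {"user": "alice", "privileged": True,  "factors": ["webauthn", "webauthn"]},
    {"user": "bob",   "privileged": True,  "factors": ["totp", "sms"]},
    {"user": "carol", "privileged": False, "factors": ["push"]},
    {"user": "dave",  "privileged": False, "factors": []},
    {"user": "erin",  "privileged": False, "factors": ["sms"]},
]


def mfa_compliance_report(export):
    """Findings named after the 8.1 reports, plus the 8.2 metrics and their targets."""
    no_mfa, no_backup, sms_only, priv_weak = [], [], [], []
    methods = Counter()
    for row in export:
        factors = [f.lower() for f in row["factors"]]
        methods.update(set(factors))
        if not factors:
            no_mfa.append(row["user"])
            continue
        if len(factors) < 2:                      # 4.1 step 6: backup method required
            no_backup.append(row["user"])
        if set(factors) <= LEGACY:
            sms_only.append(row["user"])
        if row["privileged"] and not set(factors) & PHISHING_RESISTANT:
            priv_weak.append(row["user"])          # 5.3: FIDO2 expected for admins
    total = len(export)
    privileged = sum(1 for r in export if r["privileged"])
    enrollment_pct = round(100 * (total - len(no_mfa)) / total, 1) if total else 0.0
    pr_pct = round(100 * (privileged - len(priv_weak)) / privileged, 1) if privileged else 0.0
    return {
        "users_without_mfa": no_mfa,
        "users_without_backup": no_backup,
        "sms_only_users": sms_only,
        "privileged_without_phishing_resistant": priv_weak,
        "mfa_method_distribution": dict(methods),
        "mfa_enrollment_rate_pct": enrollment_pct,
        "phishing_resistant_privileged_pct": pr_pct,
        "targets_met": {                           # 8.2 targets
            "enrollment_100pct": enrollment_pct == 100.0,
            "phishing_resistant_over_50pct_privileged": pr_pct > 50.0,
        },
    }
```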
9. Checklist: MFA Implementation
Initial Setup
- MFA enabled in identity provider
- Authentication policy created and enforced
- Approved MFA methods configured
- Recovery process documented
- Help desk trained on MFA procedures
Per-User Enrollment
- Primary MFA method enrolled
- Backup MFA method enrolled
- Recovery codes generated and stored securely
- User trained on MFA usage
Privileged Users
- Phishing-resistant MFA (FIDO2) enrolled
- Hardware security key issued
- Backup hardware key registered
10. Evidence Requirements
| Evidence Type | Description | Location | Retention |
|---|---|---|---|
| MFA Policy Configuration | Screenshots of IdP MFA settings | Document repository | Current |
| MFA Enrollment Report | List of users with MFA status | IdP export | Quarterly |
| MFA Reset Records | Tickets for MFA resets with identity verification | Ticketing system | 3 years |
| Bypass Requests | Any temporary MFA bypasses | Ticketing system | 3 years |
11. Related Documents
- Password & Authentication Policy (POL-003)
- Access Control Policy (POL-002)
- Access Provisioning/De-provisioning Procedure (PROC-001)
12. Version History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2026-01-11 | IT Operations | Initial release |
This document is classified as INTERNAL. Unauthorized distribution is prohibited.