Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are.
Topic
Multi-factor authentication
Applicable to
all
History
Priority
must
Oct 2019
Multi-factor authentication uses at least two of the following authentication factors: passwords, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards.
Following a rigorous review of the ability of passwords used as part of multi-factor authentication to withstand attack, security control 1401 was modified while security controls 1559, 1560 and 1561 were added.
Sep 2019
Multi-factor authentication uses at least two of the following authentication factors: passwords with six or more characters, Universal 2nd Factor security keys, physical one-time password tokens, biometrics or smartcards.
Mar 2019
Multi-factor authentication uses at least two of the following authentication factors: passwords with six or more characters, Universal 2nd Factor (U2F) security keys, physical one-time password (OTP) tokens, biometrics or smartcards.
Security control 1401 was modified to clarify that any two different authentication factors constitute multi-factor authentication (e.g. the use of biometrics and a U2F security key).
Feb 2019
Multi-factor authentication uses passphrases with a minimum of six alphabetic characters and one of the following authentication factors: Universal 2nd Factor (U2F) security keys, physical one-time personal identification number (OTP) tokens, biometrics or smartcards.
2017
Agencies using passphrases as part of multi-factor authentication must ensure a minimumlength of six alphabetic characters with no complexity requirement.
Control Text Changed. No public explaination.
2015
Agencies using passphrases as part of multi-factor authentication must ensure a minimumlength of 6 alphabetic characters with no complexity requirement.