IA-2(1): Multi-factor Authentication to Privileged Accounts
- NIST Special Publication 800-53 Revision 4:
  - IA-2(1): Network Access To Privileged Accounts
Incorporates the following controls from the previous version: IA-2(3): Local Access To Privileged Accounts, IA-5(11): Hardware Token-Based Authentication.
Implement multi-factor authentication for access to privileged accounts.
Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification (PIV) card or the Department of Defense (DoD) Common Access Card. In addition to authenticating users at the system level (i.e., at logon), organizations may employ authentication mechanisms at the application level, at their discretion, to provide increased security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can add security measures, such as additional or more rigorous authentication mechanisms, for specific types of access.
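As an added example (not text or code from NIST SP 800-53 or this page), the following Python shows the two points the discussion makes: a privileged logon verifies a time-based hardware-token output (RFC 6238 TOTP built on RFC 4226 HOTP), and access is granted only when the verified factors span at least two distinct categories, so a password plus a PIN is rejected. The `Factor` structure, category names and `demo` function are assumptions; the seed is the RFC 6238 reference value, not a real secret.

```python
import hmac, hashlib, struct
from dataclasses import dataclass

# Factor categories as defined in the IA-2(1) discussion.
KNOW, HAVE, ARE = "something-you-know", "something-you-have", "something-you-are"

@dataclass(frozen=True)
class Factor:
    category: str   # KNOW, HAVE or ARE
    verified: bool  # outcome of that factor's own check

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """RFC 6238 TOTP check of a time-based token output, tolerating +/- `skew` steps of clock drift.
    compare_digest keeps the comparison constant-time."""
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))

def privileged_access_allowed(factors: list) -> bool:
    """IA-2(1): every presented factor must verify AND at least two distinct categories
    must be present. Two secrets of the same category (password + PIN) do not qualify."""
    if not factors or not all(f.verified for f in factors):
        return False
    return len({f.category for f in factors}) >= 2

# Constructed demo input: the RFC 6238 reference seed (assumption, not a real secret).
DEMO_SEED = b"12345678901234567890"

def demo(now: int = 59, token_code: str = "287082") -> bool:
    """Admin logon with a verified password plus a hardware-token code presented at time `now`."""
    password_ok = Factor(KNOW, True)  # assume the password check already succeeded
    token_ok = Factor(HAVE, verify_totp(DEMO_SEED, token_code, now))
    return privileged_access_allowed([password_ok, token_ok])

if __name__ == "__main__":
    print("password + token:", demo())
    print("password + PIN:  ", privileged_access_allowed([Factor(KNOW, True), Factor(KNOW, True)]))
```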