IA-2(1): Multi-factor Authentication to Privileged Accounts

CSF v1.1 References:

Threats Addressed:


  • Low
  • Moderate
  • High

Previous Version:

Incorporates the following controls from the previous version of the control set: IA-2(3): Local Access To Privileged Accounts, IA-5(11): Hardware Token-Based Authentication.

Control Statement

Implement multi-factor authentication for access to privileged accounts.

Supplemental Guidance

Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication factors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authenticator such as a cryptographic private key), or something you are (e.g., a biometric). Multi-factor authentication solutions that feature physical authenticators include hardware authenticators that provide time-based or challenge-response outputs and smart cards such as the U.S. Government Personal Identity Verification (PIV) card or the Department of Defense (DoD) Common Access Card. In addition to authenticating users at the system level (i.e., at logon), organizations may employ authentication mechanisms at the application level, at their discretion, to provide increased security. Regardless of the type of access (i.e., local, network, remote), privileged accounts are authenticated using multi-factor options appropriate for the level of risk. Organizations can add additional security measures, such as additional or more rigorous authentication mechanisms, for specific types of access.