Replies: 1 comment
https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication/ Thank you @dsdr0!
D3-MFA – Multi-Factor Authentication: The issue is with resource accounts that are used in conjunction with user accounts. MFA may include where the user and the device are authenticated. As an example, this is seen with MS AD authentications where, if the user fails authentication or if the device fails authentication, no authorization will be provided. An interesting aspect is that there would be no aspect of timing as a machine may be authenticated well before the user account potentially (at startup). This was ascertained while reviewing the ZT DOD Enterprise ICAM Reference Design document.
Per DOD Enterprise ICAM Reference Design - Multi-Factor Authentication (MFA) is a characteristic of an authentication system or an authenticator that requires more than one distinct authentication factor for successful authentication. Additional authenticators may include authenticating the device in addition to the user, requiring that the user enter a one-time password obtained from a device or mobile application, providing a code sent out-of-band to the user, or verifying a cryptographic token possessed by the user. An MFA can be performed using a single authenticator that provides more than one factor or by a combination of authenticators that provide different factors. Different MFA technologies have different authenticator assurance levels, depending on the factors selected.
Definition: Requiring proof of two or more pieces of evidence in order to authenticate a user.
Definition (Suggested): Requiring proof of two or more pieces of evidence in order to authenticate a user that include a combination of something you know, something you have, and something you are.
How it works: When logging into an account users present two or more credentials that fall into different categories: something you know (password or PIN), something you have (smart card or phone), or something you are (fingerprint).
How it works (Suggested): An authentication system that requires more than one distinct authentication factor for successful authentication. Multifactor authentication can be performed using a multifactor authenticator or by a combination of authenticators that provide different factors. [NIST]
Considerations: MFA configuration steps may vary across accounts and in some cases left up to users to activate and implement.
Considerations (Suggested): MFA may include user authentication (e.g., username/password) combined with device authentication (device certificate) to potentially meet MFA requirements.
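The suggested definition expressed as a check, as an added example that is not part of the original post or of D3FEND. The `Authenticator` record, the sample authenticators and the `count_device` policy flag are hypothetical; whether device authentication counts toward MFA is treated as a policy assumption, as the suggested Considerations text proposes.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


@dataclass(frozen=True)
class Authenticator:
    # Hypothetical record of one authenticator that succeeded in a login event.
    name: str
    subject: str        # "user" or "device"
    factors: frozenset  # Factor categories this authenticator proves


def distinct_factors(event, count_device=False):
    """Return the distinct factor categories proven in the event.

    count_device is a policy assumption: when True, a device authenticator
    (e.g. a device certificate) contributes its factors alongside the user's.
    """
    proven = set()
    for a in event:
        if a.subject == "user" or (a.subject == "device" and count_device):
            proven |= a.factors
    return proven


def satisfies_mfa(event, count_device=False):
    # More than one distinct factor, whether from a single multi-factor
    # authenticator or from a combination of authenticators.
    return len(distinct_factors(event, count_device)) >= 2


# Constructed sample authenticators (not taken from the page).
PASSWORD = Authenticator("password", "user", frozenset({Factor.KNOW}))
PIN = Authenticator("pin", "user", frozenset({Factor.KNOW}))
OTP_APP = Authenticator("otp-app", "user", frozenset({Factor.HAVE}))
SMART_CARD_PIN = Authenticator(
    "smart-card+pin", "user", frozenset({Factor.HAVE, Factor.KNOW}))
DEVICE_CERT = Authenticator("device-cert", "device", frozenset({Factor.HAVE}))
```

Password plus PIN fails because both are "something you know"; password plus device certificate passes only when the policy flag is set.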