MFA Infrastructure Implementation
Passwords alone are not enough — credential stuffing, phishing, and password reuse make single-factor authentication a liability. We implement MFA across your entire infrastructure with phishing-resistant methods where possible and conditional access policies that enforce MFA based on risk.
Need this done for your project?
We implement, you ship. Async, documented, done in days.
MFA Method Selection
We implement MFA methods matched to each role's security requirements. WebAuthn/FIDO2 (YubiKeys, platform authenticators) provides phishing-resistant authentication for high-security roles. TOTP (authenticator apps) is suitable for most users. Push notifications (Duo, Okta Verify) balance security with convenience. SMS-based MFA is disabled — it is vulnerable to SIM swapping, and NIST deprecated it years ago. We support multiple methods per user, with a phishing-resistant method required for admin roles.
Infrastructure MFA Enforcement
MFA is enforced at every access point: AWS IAM policies with the aws:MultiFactorAuthPresent condition key, the Kubernetes API server requiring MFA-authenticated OIDC tokens, VPN connections requiring a certificate plus TOTP, SSH access via SSM Session Manager with IdP MFA, and database access through Vault with MFA-required policies. IAM policies deny all actions without MFA — no backdoor paths exist. Service control policies (SCPs) enforce the MFA requirement at the organization level.
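The aws:MultiFactorAuthPresent key is absent from the request context when a call is signed with long-term access keys, so a Deny that tests it with the Bool operator silently fails to fire for exactly the requests it most needs to catch; the Deny must use BoolIfExists. The following auditor, an added example rather than Anubiz tooling, checks an IAM policy document for a Deny that actually works as a global MFA gate. The two policy documents and the NotAction carve-out list are constructed samples, not policies from this page.

```python
"""Audit IAM policy documents for an MFA-enforcing Deny statement.

Added example (not Anubiz's tooling). Two policy documents are constructed
inline: one hardened, one with a common gap.
"""
import json
from typing import Any

MFA_KEY = "aws:MultiFactorAuthPresent"

# Constructed sample: the hardened pattern. BoolIfExists makes the Deny apply
# when the key is absent (requests signed with long-term access keys).
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyEverythingWithoutMFA",
            "Effect": "Deny",
            # Self-service carve-out so a user can still enrol a device.
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken",
            ],
            "Resource": "*",
            "Condition": {"BoolIfExists": {MFA_KEY: "false"}},
        }
    ],
})

# Constructed sample: looks equivalent but uses Bool. When the key is absent
# the condition does not match, so the Deny never fires for access-key calls.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyWithoutMFA",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"Bool": {MFA_KEY: "false"}},
        }
    ],
})


def _as_list(value: Any) -> list:
    """IAM allows a string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def audit_mfa_enforcement(policy_json: str) -> dict[str, Any]:
    """Return whether the policy denies non-MFA requests, plus findings.

    'enforced' is True only when a Deny statement covers all resources, is
    scoped to all actions (Action "*" or a NotAction carve-out) and uses
    BoolIfExists so requests made with long-term credentials are denied too.
    """
    doc = json.loads(policy_json)
    findings: list[str] = []
    carve_outs: list[str] = []
    enforced = False
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        cond = stmt.get("Condition", {})
        op = next((k for k in ("BoolIfExists", "Bool") if MFA_KEY in cond.get(k, {})), None)
        if op is None:
            continue
        if str(cond[op][MFA_KEY]).lower() != "false":
            findings.append(f"{sid}: Deny must test {MFA_KEY} == false")
            continue
        covers_all_resources = "*" in _as_list(stmt.get("Resource", []))
        covers_all_actions = "*" in _as_list(stmt.get("Action", [])) or "NotAction" in stmt
        if not (covers_all_resources and covers_all_actions):
            findings.append(f"{sid}: Deny is scoped too narrowly to act as a global MFA gate")
            continue
        if op == "Bool":
            findings.append(
                f"{sid}: uses Bool; requests signed with long-term access keys carry no "
                f"{MFA_KEY} key and escape this Deny. Use BoolIfExists"
            )
            continue
        # Surface the carve-out so a reviewer can confirm it is MFA self-service only.
        carve_outs.extend(_as_list(stmt.get("NotAction", [])))
        enforced = True
    if not enforced and not findings:
        findings.append(f"no Deny statement conditioned on {MFA_KEY}")
    return {"enforced": enforced, "findings": findings, "carve_outs": carve_outs}


if __name__ == "__main__":
    for name, policy in (("hardened", HARDENED_POLICY), ("weak", WEAK_POLICY)):
        print(name, json.dumps(audit_mfa_enforcement(policy), indent=2))
```

Run it against the policy documents pulled from an account (for example the output of an IAM get-policy-version call) to confirm that every "MFA required" policy uses BoolIfExists and that the NotAction carve-out contains only the self-service enrollment actions.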
Conditional Access Policies
Not every action requires the same level of authentication. We implement risk-based conditional access: read access to staging from a trusted network might require only SSO. Write access to production always requires MFA. Administrative actions require phishing-resistant MFA (hardware key). Access from untrusted networks or new devices triggers step-up authentication. Conditional policies are managed in the IdP and enforced consistently across all connected systems.
Recovery and Enrollment
MFA recovery is a security-sensitive process. We implement: backup authentication methods (recovery codes stored securely), self-service enrollment with identity verification, lost device procedures with identity validation by IT, and hardware token inventory management. Enrollment is mandatory within 7 days of account creation. Users without MFA enrolled are blocked from production access automatically. Recovery procedures are tested quarterly and documented in the security runbook.
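"Recovery codes stored securely" means, in practice, that the plaintext codes are shown to the user exactly once and the server keeps only salted digests, each of which is consumed on first successful use. The following store is an added example and not Anubiz's implementation; the alphabet, code length, count of ten codes and the choice of salted SHA-256 (adequate because each code carries about 50 bits of entropy) are design assumptions of this example.

```python
"""Single-use MFA recovery codes that are only ever stored hashed.

Added example (not Anubiz's implementation). Codes are random, shown to the
user once at enrollment, and the server keeps only salted SHA-256 digests;
each code is consumed on first successful redemption.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed parameters for this example: 32-symbol alphabet without 0/O/1/I
# (avoids transcription errors), 10 symbols = 50 bits of entropy per code.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CODE_LEN = 10
DEFAULT_COUNT = 10


def _normalize(code: str) -> str:
    """Accept 'abcde-fghjk' or 'ABCDE FGHJK' and compare on the canonical form."""
    return "".join(ch for ch in code.upper() if ch.isalnum())


def _digest(salt: bytes, code: str) -> bytes:
    # With ~50 bits of entropy per code a salted SHA-256 is sufficient; a
    # password KDF is unnecessary because the codes are not user-chosen.
    return hashlib.sha256(salt + _normalize(code).encode()).digest()


@dataclass
class RecoveryCodeStore:
    """Per-user server-side state: a salt and the digests not yet redeemed."""
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    digests: list[bytes] = field(default_factory=list)

    def issue(self, count: int = DEFAULT_COUNT) -> list[str]:
        """Generate a fresh set, replacing any previous codes.

        Returns the plaintext codes for one-time display; they are not kept.
        """
        codes = ["".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN)) for _ in range(count)]
        self.digests = [_digest(self.salt, c) for c in codes]
        return [f"{c[:5]}-{c[5:]}" for c in codes]

    def redeem(self, presented: str) -> bool:
        """Consume one code. Scans the whole list with constant-time compares."""
        candidate = _digest(self.salt, presented)
        match_index = -1
        for i, stored in enumerate(self.digests):
            if hmac.compare_digest(candidate, stored):
                match_index = i
        if match_index < 0:
            return False
        del self.digests[match_index]  # single use: the digest is gone after success
        return True

    def remaining(self) -> int:
        """How many unused codes remain; alert the user when this gets low."""
        return len(self.digests)


if __name__ == "__main__":
    store = RecoveryCodeStore()
    shown_once = store.issue()
    print("codes to display once:", shown_once)
    print("first use:", store.redeem(shown_once[0]), "second use:", store.redeem(shown_once[0]))
    print("remaining:", store.remaining())
```

A redeemed code should also be logged as an authentication event and counted like any other MFA failure for rate limiting, since the store itself only decides whether a presented code is valid.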
Why Anubiz Engineering
Ready to get started?
Skip the research. Tell us what you need, and we'll scope it, implement it, and hand it back — fully documented and production-ready.