MFA Policy Generator

# MULTI-FACTOR AUTHENTICATION POLICY

**Organization:** Your Company, Inc.
**Industry:** Professional Services
**Effective Date:** 2026-05-12
**Review Cycle:** Annual

---

## 1. Purpose

This policy establishes the mandatory use of multi-factor authentication (MFA) for access to Your Company, Inc. information systems, cloud services, and network resources. MFA reduces the risk of credential-based compromise — the leading cause of data breaches.

## 2. Scope

This policy applies to:
- All full-time, part-time, and temporary employees
- Contractors, consultants, and vendors with system access
- All company-owned and personal devices used to access company resources
- All SaaS applications, cloud platforms, and on-premises systems containing company or customer data

## 3. MFA Requirements

### 3.1 General Requirement
All user accounts with access to Your Company, Inc. systems **must** enroll in multi-factor authentication within 14 days of account provisioning. Accounts not enrolled by this deadline shall be disabled until enrollment is completed.

### 3.2 Approved Authentication Methods
The following MFA methods are approved for use:

- Authenticator apps (Microsoft/Google/Authy)
- FIDO2 security keys / Passkeys


**SMS-based MFA is NOT approved** as a standalone factor due to SIM swap and interception risks. SMS may only be used as a fallback where no other method is available, and only with documented business justification.


### 3.3 Phishing-Resistant MFA
FIDO2 security keys or platform passkeys are **required** for the following user categories:
- Global administrators and tenant-level privileged roles
- Accounts with access to financial systems or customer PII
- Executive leadership and board members


## 4. Privileged Accounts

Privileged administrative accounts must be separate from daily-use accounts. Administrators shall not perform administrative tasks from accounts used for email, web browsing, or general productivity. Privileged accounts require:
- Dedicated admin-only identities
- Phishing-resistant MFA (FIDO2, passkeys)
- Just-in-time elevation via PIM or equivalent
- Session recording and audit logging

## 5. Conditional Access and Risk Assessment

Risk-based Conditional Access policies shall be implemented to:
- Block sign-ins from anonymizing services (Tor, unknown VPNs)
- Require MFA for all sign-ins from untrusted locations
- Require device compliance for access to sensitive resources
- Enforce step-up authentication on high-risk sign-ins (impossible travel, unfamiliar sign-in properties)
- Block legacy authentication protocols (IMAP, POP, SMTP Basic Auth)

## 6. Re-authentication and Session Lifetime

- Standard users: re-authentication required every **30 days**
- Privileged users: re-authentication required every **7 days** or on elevation
- Browser sessions may remain signed in only on managed, compliant devices
- Public or shared devices must never be marked as "trusted" or "remember me"

## 7. Enrollment and Support

- IT shall provide self-service enrollment documentation and assistance
- Account recovery requires identity verification via established helpdesk procedures
- Lost authenticators must be reported to IT within 4 business hours

## 8. Enforcement

Violation of this policy may result in:
- Immediate revocation of system access
- Disciplinary action consistent with HR policy
- Termination of contractor or vendor agreements

## 9. Exceptions

Exceptions to this policy must be submitted in writing and approved by the Information Security Officer. Exceptions are documented, time-bound, and reviewed at least quarterly.

## 10. Policy Review

This policy shall be reviewed annually by the Information Security Officer and updated to reflect changes in threat landscape, technology, and regulatory requirements.

---

*Generated by LayerLogix MFA Policy Generator — https://layerlogix.com*