1.4 Ensure that 'Allow users to remember multi-factor authentication on devices they trust' is 'Disabled'

Information

Do not allow users to remember multi-factor authentication on devices.

Rationale:

Remembering Multi-Factor Authentication(MFA) for devices and browsers allows users to have the option to by-pass MFA for a set number of days after performing a successful sign-in using MFA. This can enhance usability by minimizing the number of times a user may need to perform two-step verification on the same device. However, if an account or device is compromised, remembering MFA for trusted devices may affect security. Hence, it is recommended that users not be allowed to bypass MFA.

Impact:

For every login attempt, the user will be required to perform multi-factor authentication.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From Azure Console

Go to Azure Active Directory

Go to Users

Go to All Users

Click on Multi-Factor Authentication button on the top bar

Click on service settings

Disable Allow users to remember multi-factor authentication on devices they trust

Default Value:

By default, 'Allow users to remember multi-factor authentication on devices they trust' is disabled.

See Also

https://workbench.cisecurity.org/files/3459

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2(1), 800-53|IA-2(2), CSCv7|16.3

Plugin: microsoft_azure

Control ID: 6946df8c66d9e5eea35d05a048c7b1c142f223a51a7713150d17d7edb75a1217