APPL-12-003020 - The macOS system must use multifactor authentication for local access to privileged and non-privileged accounts.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


Without the use of multifactor authentication, the ease of access to privileged and non-privileged functions is greatly increased.

Multifactor authentication requires using two or more factors to achieve authentication.

Factors include:
1) something a user knows (e.g., password/PIN);
2) something a user has (e.g., cryptographic identification device, token); and
3) something a user is (e.g., biometric).

A privileged account is defined as an information system account with authorizations of a privileged user.

Local access is defined as access to an organizational information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network.

The DoD CAC with DoD-approved PKI is an example of multifactor authentication.

Satisfies: SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000068-GPOS-00036


This setting is enforced using the 'Smart Card Policy' configuration profile.

Note: Before applying the 'Smart Card Policy', the supplemental guidance provided with the STIG must be consulted to ensure continued access to the operating system.

See Also

Item Details

References: CAT|I, CCI|CCI-000187, CCI|CCI-000767, CCI|CCI-000768, Rule-ID|SV-252527r816395_rule, STIG-ID|APPL-12-003020, Vuln-ID|V-252527

Plugin: Unix

Control ID: 9beffb8ba600ab2d2f771edb916bbc16c1a1ad64bc27f77f8185cbfff745dc4f