APPL-12-003020 - The macOS system must use multifactor authentication for local access to privileged and non-privileged accounts.


Without the use of multifactor authentication, the ease of access to privileged and non-privileged functions is greatly increased.

Multifactor authentication requires using two or more factors to achieve authentication.

Factors include:
1) something a user knows (e.g., password/PIN);
2) something a user has (e.g., cryptographic identification device, token); and
3) something a user is (e.g., biometric).

A privileged account is defined as an information system account with authorizations of a privileged user.

Local access is defined as access to an organizational information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network.

The DoD CAC with DoD-approved PKI is an example of multifactor authentication.

Satisfies: SRG-OS-000107-GPOS-00054, SRG-OS-000108-GPOS-00055, SRG-OS-000068-GPOS-00036


This setting is enforced using the 'Smart Card Policy' configuration profile.

Note: Before applying the 'Smart Card Policy', the supplemental guidance provided with the STIG must be consulted to ensure continued access to the operating system.

See Also

Item Details


References: 800-53|IA-2(3), 800-53|IA-2(4), 800-53|IA-5(2)(c), CAT|I, CCI|CCI-000187, CCI|CCI-000767, CCI|CCI-000768, Rule-ID|SV-252527r816395_rule, STIG-ID|APPL-12-003020, Vuln-ID|V-252527

Plugin: Unix

Control ID: 4027f2db0169f949b09483087fa000b830ba1a435c0d46b0237f6360cbbfcdcc