800-53|IA-2(11)

Title

REMOTE ACCESS - SEPARATE DEVICE

Description

The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [Assignment: organization-defined strength of mechanism requirements].

Supplemental

For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users.

Reference Item Details

Related: AC-6

Category: IDENTIFICATION AND AUTHENTICATION

Parent Title: IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)

Family: IDENTIFICATION AND AUTHENTICATION

Baseline Impact: MODERATE, HIGH

Audit Items


Name | Plugin | Audit Name
1.8.8 Ensure users must authenticate users using MFA via a graphical user logon | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.10 Ensure required packages for multifactor authentication are installed | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.10 Ensure required packages for multifactor authentication are installed - esc | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3
1.10 Ensure required packages for multifactor authentication are installed - pam_pkcs11 | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3
5.4.9 Ensure multifactor authentication for access to privileged accounts - PAM. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
5.4.10 Ensure certificate status checking for PKI authentication | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
AIX7-00-003200 - The AIX operating system must use Multi Factor Authentication - powerscMFA.license | Unix | DISA STIG AIX 7.x v2r6
AIX7-00-003200 - The AIX operating system must use Multi Factor Authentication - powerscMFA.pam.base | Unix | DISA STIG AIX 7.x v2r6
AIX7-00-003200 - The AIX operating system must use Multi Factor Authentication - powerscMFA.pam.fallback | Unix | DISA STIG AIX 7.x v2r6
AIX7-00-003200 - The AIX operating system must use Multi Factor Authentication - powerscMFA.pam.pmfamapper | Unix | DISA STIG AIX 7.x v2r6
AIX7-00-003200 - The AIX operating system must use Multi Factor Authentication - powerscMFA.pam.usbsmartcard | Unix | DISA STIG AIX 7.x v2r6
AOSX-14-003025 - The macOS system must implement multifactor authentication for remote access to privileged accounts in such a way that one of the factors is provided by a device separate from the system gaining access. | Unix | DISA STIG Apple Mac OSX 10.14 v2r6
Big Sur - Disable Password Authentication for SSH | Unix | NIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Enforce Smartcard Authentication | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 High
Big Sur - Enforce Smartcard Authentication | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 High
Big Sur - Enforce Smartcard Authentication | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Low
Big Sur - Enforce Smartcard Authentication | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 Moderate
Big Sur - Enforce Smartcard Authentication | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
Big Sur - Enforce Smartcard Authentication | Unix | NIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Enforce Smartcard Authentication | Unix | NIST macOS Big Sur v1.4.0 - 800-171
Big Sur - Enforce Smartcard Authentication | Unix | NIST macOS Big Sur v1.4.0 - CNSSI 1253
Big Sur - Enforce Smartcard Authentication | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 Low
Catalina - Disable Password Authentication for SSH | Unix | NIST macOS Catalina v1.5.0 - All Profiles
Catalina - Enforce Smartcard Authentication | Unix | NIST macOS Catalina v1.5.0 - CNSSI 1253
Catalina - Enforce Smartcard Authentication | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 Low
Catalina - Enforce Smartcard Authentication | Unix | NIST macOS Catalina v1.5.0 - All Profiles
Catalina - Enforce Smartcard Authentication | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 High
Catalina - Enforce Smartcard Authentication | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 Moderate
Catalina - Enforce Smartcard Authentication | Unix | NIST macOS Catalina v1.5.0 - 800-171
Catalina - Enforce Smartcard Authentication | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 Moderate
Catalina - Enforce Smartcard Authentication | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 High
Catalina - Enforce Smartcard Authentication | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 Low
Monterey - Disable Password Authentication for SSH | Unix | NIST macOS Monterey v1.0.0 - 800-171
Monterey - Disable Password Authentication for SSH | Unix | NIST macOS Monterey v1.0.0 - 800-53r4 Low
Monterey - Disable Password Authentication for SSH | Unix | NIST macOS Monterey v1.0.0 - 800-53r5 Moderate
Monterey - Disable Password Authentication for SSH | Unix | NIST macOS Monterey v1.0.0 - 800-53r4 High
Monterey - Disable Password Authentication for SSH | Unix | NIST macOS Monterey v1.0.0 - 800-53r4 Moderate
Monterey - Disable Password Authentication for SSH | Unix | NIST macOS Monterey v1.0.0 - CNSSI 1253
Monterey - Disable Password Authentication for SSH | Unix | NIST macOS Monterey v1.0.0 - 800-53r5 Low
Monterey - Disable Password Authentication for SSH | Unix | NIST macOS Monterey v1.0.0 - 800-53r5 High
Monterey - Disable Password Authentication for SSH | Unix | NIST macOS Monterey v1.0.0 - All Profiles
Monterey - Enforce Smartcard Authentication | Unix | NIST macOS Monterey v1.0.0 - 800-171
Monterey - Enforce Smartcard Authentication | Unix | NIST macOS Monterey v1.0.0 - 800-53r4 Low
Monterey - Enforce Smartcard Authentication | Unix | NIST macOS Monterey v1.0.0 - 800-53r5 Moderate
Monterey - Enforce Smartcard Authentication | Unix | NIST macOS Monterey v1.0.0 - All Profiles
Monterey - Enforce Smartcard Authentication | Unix | NIST macOS Monterey v1.0.0 - 800-53r5 High
Monterey - Enforce Smartcard Authentication | Unix | NIST macOS Monterey v1.0.0 - 800-53r4 High
Monterey - Enforce Smartcard Authentication | Unix | NIST macOS Monterey v1.0.0 - 800-53r5 Low
Monterey - Enforce Smartcard Authentication | Unix | NIST macOS Monterey v1.0.0 - CNSSI 1253
Monterey - Enforce Smartcard Authentication | Unix | NIST macOS Monterey v1.0.0 - 800-53r4 Moderate