AAAI-17

For customers not using SSO, does your application and/or user frontend/portal support multifactor authentication (e.g., Duo, Google Authenticator, OTP, etc.)?

Explanation

This question is asking whether your application supports multi-factor authentication (MFA) for users who are not using Single Sign-On (SSO). Multi-factor authentication is a security mechanism that requires users to provide two or more verification factors to gain access to a system. These factors typically include:

1. Something you know (password)
2. Something you have (mobile device, hardware token)
3. Something you are (biometrics like fingerprints)

The question specifically mentions examples like Duo (a popular MFA service), Google Authenticator (an app that generates time-based one-time passwords), and OTP (One-Time Passwords).

Why this is asked in security assessments:

- Passwords alone are vulnerable to various attacks (phishing, credential stuffing, brute force)
- MFA significantly reduces the risk of unauthorized access even if passwords are compromised
- Many compliance frameworks and security standards require or recommend MFA
- It demonstrates your commitment to protecting user accounts and data

How to best answer:

- Be specific about what MFA methods your application supports
- Mention if MFA is required or optional for users
- Describe any implementation details that show the robustness of your MFA solution
- If you don't support MFA for non-SSO users, explain any compensating controls or future plans

Example Responses

Example Response 1

Yes, our application supports multiple forms of multi-factor authentication for users not using SSO. We currently support time-based one-time passwords (TOTP) via Google Authenticator, Authy, and other compatible authenticator apps. We also support SMS-based verification codes and push notifications through Duo Security. MFA is enforced for all administrative accounts and is available as an option for standard user accounts. Our implementation follows NIST guidelines for MFA, including proper session management and secure storage of MFA verification data.

Example Response 2

Yes, our application supports multi-factor authentication for non-SSO users through several methods. We have integrated with Okta Verify for push notifications and TOTP, YubiKey for hardware token authentication, and Microsoft Authenticator. MFA is optional for standard users but can be made mandatory through administrative policy settings. We also provide a recovery process that requires verification through multiple channels if a user loses access to their MFA device. All MFA implementations are tested regularly as part of our security assessment program.

Example Response 3

No, our application currently does not support multi-factor authentication for users not utilizing SSO. We recognize this as a security gap and have included MFA implementation in our product roadmap for Q3 of this year. In the interim, we have implemented compensating controls including IP-based access restrictions, anomalous login detection, and strict password complexity requirements. We also enforce session timeouts after 15 minutes of inactivity and maintain comprehensive login audit logs. We recommend that customers who require MFA use our SSO integration capabilities, which do support passing through MFA verification from identity providers.

Context

Tab: Product
Category: Authentication, Authorization, and Account Management

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub