M1032: Multi-factor Authentication
Multi-Factor Authentication (MFA) enhances security by requiring users to provide at least two forms of verification to prove their identity before granting access. These factors typically include:
- *Something you know*: Passwords, PINs.
- *Something you have*: Physical tokens, smartphone authenticator apps.
- *Something you are*: Biometric data such as fingerprints, facial recognition, or retinal scans.
Implementing MFA across all critical systems and services ensures robust protection against account takeover and unauthorized access. This mitigation can be implemented through the following measures:
Identity and Access Management (IAM):
- Use IAM solutions like Azure Active Directory, Okta, or AWS IAM to enforce MFA policies for all user logins, especially for privileged roles.
- Enable conditional access policies to enforce MFA for risky sign-ins (e.g., unfamiliar devices, geolocations).
- Enable Conditional Access policies to only allow logins from trusted devices, such as those enrolled in Intune or joined via Hybrid/Entra.
Authentication Tools and Methods:
- Use authenticator applications such as Google Authenticator, Microsoft Authenticator, or Authy for time-based one-time passwords (TOTP).
- Deploy hardware-based tokens like YubiKey, RSA SecurID, or smart cards for additional security.
- Enforce biometric authentication for compatible devices and applications.
Secure Legacy Systems:
- Integrate MFA solutions with older systems using third-party tools like Duo Security or Thales SafeNet.
- Enable RADIUS/NPS servers to facilitate MFA for VPNs, RDP, and other network logins.
Monitoring and Alerting:
- Use SIEM tools to monitor failed MFA attempts, login anomalies, or brute-force attempts against MFA systems.
- Implement alerts for suspicious MFA activities, such as repeated failed codes or new device registrations.
Training and Policy Enforcement:
- Educate employees on the importance of MFA and secure authenticator usage.
- Enforce policies that require MFA on all critical systems, especially for remote access, privileged accounts, and cloud applications.
Analyst context for executives and security teams
Multi-factor authentication is a business resilience control for reducing the value of stolen, guessed, reused, or default credentials. In ATT&CK, it is tied to account abuse, remote services, cloud services, brute force, account manipulation, and email collection, which makes MFA a priority control for protecting remote access, privileged access, cloud administration, and sensitive mail data.
Executive priority
Leaders should treat MFA as an identity control that supports continuity, incident containment, and audit evidence—not just a login feature. Priority questions are: Are all critical systems, cloud services, remote access paths, privileged roles, and legacy access methods covered? Are device registrations and MFA changes monitored? Are exceptions reviewed and time-bound? The main decision value is reducing the chance that a single compromised password becomes initial access, lateral movement, privilege escalation, or access to sensitive email and cloud resources.
Technical view
SOC, IAM, cloud, and IR teams should validate MFA enforcement across the ATT&CK-related use cases: Valid Accounts, Remote Services including RDP and SSH, Cloud Services, Software Deployment Tools, Brute Force variants, Account Manipulation, Device Registration, and Remote Email Collection. Because the ATT&CK object has no official detection section, coverage should be proven through control configuration review and telemetry validation: failed MFA attempts, repeated code failures, new authenticator or device registrations, risky sign-ins, conditional access outcomes, privileged role sign-ins, remote access logons, and cloud/email administrative actions.
Likely telemetry
- Identity provider authentication logs, including MFA success, failure, prompt, denial, and bypass/exception events
- Conditional access or access policy decision logs for risky sign-ins, unfamiliar devices, geolocation changes, and trusted-device requirements
- Privileged account and role sign-in records across IAM, cloud, SaaS, and administrative portals
- Remote access authentication logs for VPN, RDP, SSH, RADIUS/NPS, and other remote services where MFA is enforced
- MFA enrollment and device registration events, including new authenticator apps, hardware tokens, biometrics, or trusted devices
Detection direction
- Validate that MFA events are actually ingested and retained for the identity provider, cloud services, remote access services, and critical applications, not only for interactive workforce logins.
- Tune detections for repeated failed MFA codes, high-volume failures across accounts, new device registrations, MFA method changes, and successful authentication following suspicious failures.
- Correlate MFA events with related behaviors: Valid Accounts, Remote Services, Cloud Services, Brute Force, Account Manipulation, Device Registration, and Remote Email Collection.
- Review false positives from travel, device replacement, help desk enrollment, and legitimate administrative activity, but require strong change evidence for privileged accounts and critical systems.
- Look for blind spots around legacy systems, local/default accounts, service or automation accounts, SSH/RDP access, software deployment tooling, cloud consoles, and email platforms that may not enforce or log MFA consistently.
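The tuning items above (repeated failed codes, success following suspicious failures, new device registrations after a failure burst, MFA method changes) expressed as sliding-window detection logic over constructed identity-provider events. This is an added illustration, not code from the page or from Glexia; the JSON field names and thresholds are assumptions and the sample lines are constructed, not real logs.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity-provider MFA events (not real logs), one JSON object per line.
# Field names ("user", "event", "device", ...) are assumptions; map them to your IdP's schema.
SAMPLE_EVENTS = """\
{"ts":"2024-05-01T08:00:00Z","user":"alice","event":"mfa_failure","reason":"bad_code","device":"dev-1"}
{"ts":"2024-05-01T08:00:20Z","user":"alice","event":"mfa_failure","reason":"bad_code","device":"dev-1"}
{"ts":"2024-05-01T08:00:45Z","user":"alice","event":"mfa_failure","reason":"bad_code","device":"dev-1"}
{"ts":"2024-05-01T08:01:10Z","user":"alice","event":"mfa_failure","reason":"bad_code","device":"dev-1"}
{"ts":"2024-05-01T08:01:30Z","user":"alice","event":"mfa_success","device":"dev-1"}
{"ts":"2024-05-01T08:05:00Z","user":"alice","event":"device_registered","device":"dev-9"}
{"ts":"2024-05-01T09:00:00Z","user":"bob","event":"mfa_failure","reason":"bad_code","device":"dev-2"}
{"ts":"2024-05-01T09:30:00Z","user":"bob","event":"mfa_success","device":"dev-2"}
{"ts":"2024-05-01T10:00:00Z","user":"carol","event":"mfa_method_changed","method":"sms"}
"""

FAIL_THRESHOLD = 3            # failed codes per user inside WINDOW before alerting
WINDOW = timedelta(minutes=5) # sliding window for the failure burst


def parse_events(text):
    """Parse one JSON event per line and return them in timestamp order."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (rule, user, timestamp) tuples for the MFA patterns worth triage."""
    alerts = []
    recent_failures = defaultdict(list)  # user -> failure timestamps still inside the window
    burst_seen_at = {}                   # user -> time the failure threshold was last crossed
    for ev in events:
        user, ts, kind = ev["user"], ev["ts"], ev["event"]
        # Drop failures that have aged out of the sliding window.
        recent_failures[user] = fails = [t for t in recent_failures[user] if ts - t <= window]
        if kind == "mfa_failure":
            fails.append(ts)
            if len(fails) == fail_threshold:  # fire once, when the threshold is crossed
                burst_seen_at[user] = ts
                alerts.append(("repeated_failed_codes", user, ts))
        elif kind == "mfa_success":
            # A success right after a burst of bad codes is the case that deserves a look.
            if len(fails) >= fail_threshold:
                alerts.append(("success_after_failures", user, ts))
        elif kind == "device_registered":
            # New authenticator/device shortly after a failure burst: possible attacker enrollment.
            last = burst_seen_at.get(user)
            if last is not None and ts - last <= 3 * window:
                alerts.append(("registration_after_failures", user, ts))
            else:
                alerts.append(("new_device_registration", user, ts))
        elif kind == "mfa_method_changed":
            # Method changes are low-volume and always worth reviewing for privileged users.
            alerts.append(("mfa_method_changed", user, ts))
    return alerts


if __name__ == "__main__":
    for rule, user, ts in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{ts.isoformat()} {rule:28s} {user}")
```

Bob's single failure followed by a success half an hour later falls outside the window and produces nothing, which is the travel/typo false-positive case the review item above describes.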
Mitigation priorities
- Start with privileged roles, remote access, cloud administration, identity provider access, and critical email or SaaS applications.
- Extend MFA to all critical systems and services, including domain, local, default, cloud, and container-related accounts where applicable and supported.
- Use conditional access policies for risky sign-ins and trusted-device requirements, especially for unfamiliar devices or geolocations.
- Secure legacy access paths through appropriate MFA integration for VPNs, RDP, SSH, RADIUS/NPS, and older systems where direct MFA support is limited.
- Monitor and govern MFA enrollment, device registration, recovery, and exceptions; exceptions should be documented, approved, time-limited, and reviewed.
Analyst notes and limits
This mitigation is especially material because many related ATT&CK techniques depend on valid credentials rather than malware. MFA does not eliminate account compromise risk, but it changes the defensive decision point: defenders need to prove where a password alone is still enough, where MFA can be enrolled or modified by an attacker, and where logs show the policy was enforced.
The source object does not specify platforms, tactics, or an official detection section for the mitigation itself. Related techniques provide context across Windows, Linux, macOS, ESXi, IaaS, Identity Provider, Office Suite, SaaS, Containers, Network Devices, and other environments, but actual applicability depends on the organization’s identity architecture, MFA methods, legacy systems, and log availability.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1098.001 | Additional Cloud Credentials Sub-technique | Use multi-factor authentication for user and privileged accounts. Consider enforcing multi-factor authentication for the |
| Enterprise | T1040 | Network Sniffing | Use multi-factor authentication wherever possible. |
| Enterprise | T1136.001 | Local Account Sub-technique | Use multi-factor authentication for user and privileged accounts. |
| Enterprise | T1669 | Wi-Fi Networks | Harden access requirements for Wi-Fi networks through using two or more pieces of evidence to authenticate, such as a username and password in addition to a token from a physical smart card or token generator. |
| Enterprise | T1556.003 | Pluggable Authentication Modules Sub-technique | Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. |
| Enterprise | T1556 | Modify Authentication Process | Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs. |
| Enterprise | T1213 | Data from Information Repositories | Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator. |
| Enterprise | T1599 | Network Boundary Bridging | Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control. (Citation: Cisco IOS Software Integrity Assurance - TACACS) |
| Enterprise | T1114 | Email Collection | Use of multi-factor authentication for public-facing webmail servers is a recommended best practice to minimize the usefulness of usernames and passwords to adversaries. |
| Enterprise | T1621 | Multi-Factor Authentication Request Generation | Implement more secure 2FA/MFA mechanisms in replacement of simple push or one-click 2FA/MFA options. For example, having users enter a one-time code provided by the login screen into the 2FA/MFA application or utilizing other out-of-band 2FA/MFA mechanisms (such as rotating code-based hardware tokens providing rotating codes that need an accompanying user pin) may be more secure. Furthermore, change default configurations and implement limits upon the maximum number of 2FA/MFA request prompts that can be sent to users in a period of time. (Citation: MFA Fatigue Attacks - PortSwigger) |
| Enterprise | T1078.001 | Default Accounts Sub-technique | Implement multi-factor authentication (MFA) for default accounts whenever possible to prevent unauthorized access, even if credentials for these accounts are compromised. MFA adds an additional layer of security that requires more than just a username and password, making it significantly harder for adversaries to exploit these accounts for initial access or lateral movement. |
| Enterprise | T1601 | Modify System Image | Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control. (Citation: Cisco IOS Software Integrity Assurance - TACACS) |
| Enterprise | T1078.002 | Domain Accounts Sub-technique | Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs. |
| Enterprise | T1136.002 | Domain Account Sub-technique | Use multi-factor authentication for user and privileged accounts. |
| Enterprise | T1136.003 | Cloud Account Sub-technique | Use multi-factor authentication for user and privileged accounts. |
| Enterprise | T1078.003 | Local Accounts Sub-technique | Enable multi-factor authentication (MFA) for local accounts to add an extra layer of protection against credential theft and misuse. MFA can be implemented using methods like mobile-based authenticators or hardware tokens, even in environments that do not rely on domain controllers or cloud services. This additional security measure can help reduce the risk of adversaries gaining unauthorized access to local systems and resources. |
| Enterprise | T1098.005 | Device Registration Sub-technique | Require multi-factor authentication to register devices in Entra ID. (Citation: Microsoft - Device Registration) Configure multi-factor authentication systems to disallow enrolling new devices for inactive accounts. (Citation: CISA MFA PrintNightmare) When first enrolling MFA, use conditional access policies to restrict device enrollment to trusted locations or devices, and consider using temporary access passes as an initial MFA solution to enroll a device. (Citation: Mandiant APT29 Microsoft 365 2022) |
| Enterprise | T1110.003 | Password Spraying Sub-technique | Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services. |
| Enterprise | T1078.004 | Cloud Accounts Sub-technique | Use multi-factor authentication for cloud accounts, especially privileged accounts. This can be implemented in a variety of forms (e.g. hardware, virtual, SMS), and can also be audited using administrative reporting features. (Citation: AWS - IAM Console Best Practices) |
| Enterprise | T1601.002 | Downgrade System Image Sub-technique | Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control. (Citation: Cisco IOS Software Integrity Assurance - TACACS) |
| Enterprise | T1098 | Account Manipulation | Use multi-factor authentication for user and privileged accounts. |
| Enterprise | T1556.007 | Hybrid Identity Sub-technique | Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs. |
| Enterprise | T1021.004 | SSH Sub-technique | Require multi-factor authentication for SSH connections wherever possible, such as password protected SSH keys. |
| Enterprise | T1539 | Steal Web Session Cookie | Deploying a hardware-based token (e.g., YubiKey or FIDO key), which incorporates the target login domain as part of the negotiation protocol, will prevent session cookie theft through proxy methods. Implement Conditional Access policies to only allow logins from trusted devices, such as those enrolled in Intune or joined via Hybrid/Entra. This mitigates the risk of session cookie replay attacks by ensuring that stolen tokens cannot be reused on unauthorized devices. |
| Enterprise | T1599.001 | Network Address Translation Traversal Sub-technique | Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control. (Citation: Cisco IOS Software Integrity Assurance - TACACS) |
| Enterprise | T1098.003 | Additional Cloud Roles Sub-technique | Use multi-factor authentication for user and privileged accounts. |
| Enterprise | T1110.001 | Password Guessing Sub-technique | Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services. |
| Enterprise | T1114.002 | Remote Email Collection Sub-technique | Use of multi-factor authentication for public-facing webmail servers is a recommended best practice to minimize the usefulness of usernames and passwords to adversaries. |
| Enterprise | T1199 | Trusted Relationship | Require MFA for all delegated administrator accounts. (Citation: Microsoft Nobelium Admin Privileges) |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | Use multi-factor authentication for remote logins. (Citation: Berkley Secure) |
| Enterprise | T1078 | Valid Accounts | Implement multi-factor authentication (MFA) across all account types, including default, local, domain, and cloud accounts, to prevent unauthorized access, even if credentials are compromised. MFA provides a critical layer of security by requiring multiple forms of verification beyond just a password. This measure significantly reduces the risk of adversaries abusing valid accounts to gain initial access, escalate privileges, maintain persistence, or evade defenses within your network. |
| Enterprise | T1136 | Create Account | Use multi-factor authentication for user and privileged accounts. |
| Enterprise | T1556.001 | Domain Controller Authentication Sub-technique | Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs. |
| Enterprise | T1485 | Data Destruction | Implement multi-factor authentication (MFA) delete for cloud storage resources, such as AWS S3 buckets, to prevent unauthorized deletion of critical data and infrastructure. MFA delete requires additional authentication steps, making it significantly more difficult for adversaries to destroy data without proper credentials. This additional security layer helps protect against the impact of data destruction in cloud environments by ensuring that only authenticated actions can irreversibly delete storage or machine images. |
| Enterprise | T1098.006 | Additional Container Cluster Roles Sub-technique | Require multi-factor authentication for user accounts integrated into container clusters through cloud deployments or via authentication protocols such as LDAP or SAML. |
| Enterprise | T1021.007 | Cloud Services Sub-technique | Use multi-factor authentication on cloud services whenever possible. |
| Enterprise | T1072 | Software Deployment Tools | Ensure proper system and access isolation for critical network systems through use of multi-factor authentication. |
| Enterprise | T1110 | Brute Force | Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services. |
| Enterprise | T1110.004 | Credential Stuffing Sub-technique | Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services. |
| Enterprise | T1110.002 | Password Cracking Sub-technique | Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services. |
| Enterprise | T1021 | Remote Services | Use multi-factor authentication on remote service logons where possible. |
| Enterprise | T1133 | External Remote Services | Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials, but be aware of Multi-Factor Authentication Interception techniques for some two-factor authentication implementations. |
| Enterprise | T1098.002 | Additional Email Delegate Permissions Sub-technique | Use multi-factor authentication for user and privileged accounts. |
| Enterprise | T1556.006 | Multi-Factor Authentication Sub-technique | Ensure that MFA and MFA policies and requirements are properly implemented for existing and deactivated or dormant accounts and devices. If possible, consider configuring MFA solutions to "fail closed" rather than grant access in case of serious errors. |
| Enterprise | T1530 | Data from Cloud Storage | Consider using multi-factor authentication to restrict access to resources and cloud storage APIs. (Citation: Amazon S3 Security, 2019) |
| Enterprise | T1601.001 | Patch System Image Sub-technique | Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control. (Citation: Cisco IOS Software Integrity Assurance - TACACS) |
| Enterprise | T1213.003 | Code Repositories Sub-technique | Use multi-factor authentication for logons to code repositories. |
| Enterprise | T1556.004 | Network Device Authentication Sub-technique | Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control. (Citation: Cisco IOS Software Integrity Assurance - TACACS) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 2601d4cc2a2b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack M1032 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.