# MFA FAQ

## Overview

Cisco Identity Intelligence (CII) collects MFA factor information from any available sources.

This article addresses some frequently asked questions around MFA factor usage and classification.

## MFA Factor Strength

CII categorizes different types of MFA factors by strength according to the guidelines set forth in the latest NIST 800-63B standard, specifically the [Authenticator Assurance Levels](https://pages.nist.gov/800-63-3-Implementation-Resources/63B/AAL/) (AAL).

In the chart below, shown in the Dashboard, authenticators may have an assurance level of Low, Medium, or High, which corresponds to AAL 1, 2, and 3, respectively.

A level of `Unknown` means that the identity source is likely using a third-party MFA provider or platform and the authenticator strength is not reported in the event details.

See the [MFA Factor Strength Mapping](#mfa-factor-strength-mapping) list below for specific identity providers and factor types.

<figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FWoVUZNIj7r52MAzCkyBA%2Fimage.png?alt=media&#x26;token=0f5160b8-016a-476d-886d-d5fc0765531c" alt=""><figcaption></figcaption></figure>

## MFA Factor Status

User MFA factors may have a variety of statuses reported by the identity system. Most factors will typically show as `ACTIVE` or `DISABLED`.

Note that factors with a status of `PENDING` or `PENDING_ACTIVATION` are NOT considered to be fully enrolled and activated factors, so a user with only these factor statuses (besides `Password` as a first factor) will fail the [No MFA Configured](https://docs.oort.io/understanding-check-failures/oort-insights/identity-posture-management-insights/no-mfa-configured) check.

<figure><img src="https://582105988-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqPSBzsjxd7KYg9DNVZ4l%2Fuploads%2FfhZUtsf0IfZY1uLDiIZP%2Fimage.png?alt=media&#x26;token=63147e65-74b9-4895-a9a0-7a80a8ec4e5f" alt=""><figcaption></figcaption></figure>

## MFA Factor Strength Mapping

The list below provides the current factor mapping for each factor type encountered in the primary IDP and IAM systems.

### Passkeys

Based on the recent [NIST publication around Syncable Authenticators](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63Bsup1.pdf), more commonly known as Passkeys, which are capable of AAL2, CII classifies Passkeys as `Medium` strength.

### Factor Strength Table

NOTE: Factor types, names, and other details reported by the IDP and IAM systems change frequently, so the actual user interface may differ slightly.

```
      ['AZURE_AD', 'alternateMobilePhone', undefined, AssuranceLevel.Low],
      ['AZURE_AD', 'appCode', undefined, AssuranceLevel.Medium],
      ['AZURE_AD', 'appNotification', undefined, AssuranceLevel.Medium],
      ['AZURE_AD', 'email', undefined, AssuranceLevel.Low],
      ['AZURE_AD', 'mobilePhone', undefined, AssuranceLevel.Low],
      ['AZURE_AD', 'officePhone', undefined, AssuranceLevel.Low],
      ['AZURE_AD', 'securityQuestion', undefined, AssuranceLevel.Low],
      ['AZURE_AD', 'microsoftAuthenticator', undefined, AssuranceLevel.Medium],
      ['AZURE_AD', 'password', undefined, AssuranceLevel.Low],
      ['AZURE_AD', 'phone', undefined, AssuranceLevel.Low],
      ['AZURE_AD', 'softwareOath', undefined, AssuranceLevel.Medium],
      ['AZURE_AD', 'windowsHelloForBusiness', undefined, AssuranceLevel.High],
      ['AZURE_AD', '509 Certificate', undefined, AssuranceLevel.High],
      ['AZURE_AD', 'Other', undefined, AssuranceLevel.Unknown],
      ['AZURE_AD', 'microsoftAuthenticatorPasswordless', undefined, AssuranceLevel.High],
      ['AZURE_AD', 'mobileAppNotification', undefined, AssuranceLevel.Medium],
      ['AZURE_AD', 'temporaryAccessPass', undefined, AssuranceLevel.Low],
      ['AZURE_AD', 'QR code', undefined, AssuranceLevel.Medium],
      ['AZURE_AD', 'fido2', undefined, AssuranceLevel.High],
      ['AZURE_AD', 'platformCredentialAuthenticationMethod', undefined, AssuranceLevel.Unknown],
      ['CUSTOM', 'claims_provider', 'BeyondID_MFA', AssuranceLevel.Unknown],
      ['CUSTOM', 'claims_provider', 'Duo OIDC MFA', AssuranceLevel.Unknown],
      ['CUSTOM', 'token:hotp', 'Feitian Hardware TOTP', AssuranceLevel.Unknown],
      ['DEL_OATH', 'token', 'On-Prem MFA', AssuranceLevel.Unknown],
      ['DUO', 'd1', undefined, AssuranceLevel.Medium],
      ['DUO', 'bypass_code', undefined, AssuranceLevel.Low],
      ['DUO', 'duo_mobile_passcode', undefined, AssuranceLevel.Medium],
      ['DUO', 'duo_push', undefined, AssuranceLevel.Medium],
      ['DUO', 'phone_call', undefined, AssuranceLevel.Low],
      ['DUO', 'Passkey', undefined, AssuranceLevel.Medium],
      ['DUO', 'Platform_authenticator_(2fa)', undefined, AssuranceLevel.Medium],
      ['DUO', 'Platform_authenticator_(passwordless)', undefined, AssuranceLevel.High],
      ['DUO', 'Security_Key', undefined, AssuranceLevel.High],
      ['DUO', 'sms_passcode', undefined, AssuranceLevel.Low],
      ['DUO', 'Touch_ID', undefined, AssuranceLevel.High],
      ['DUO', 'u2ftoken', undefined, AssuranceLevel.High],
      ['DUO', 'web', 'DUO', AssuranceLevel.Unknown],
      ['DUO', 'WebAuthn_Chrome_Touch_ID', 'DUO', AssuranceLevel.High],
      ['DUO', 'yk', 'DUO', AssuranceLevel.High],
      ['DUO', 'verified_duo_push', undefined, AssuranceLevel.Medium],
      ['FIDO', 'webauthn', 'YubiKey 5', AssuranceLevel.High],
      ['FIDO', 'webauthn', 'Windows Hello Software Authenticator', AssuranceLevel.High],
      ['FIDO', 'webauthn', 'FIDO', AssuranceLevel.High],
      ['FIDO', 'webauthn', 'MacBook Touch ID', AssuranceLevel.High],
      ['FIDO', 'webauthn', undefined, AssuranceLevel.High],
      ['GOOGLE', 'google_otp', 'Google Authenticator', AssuranceLevel.Medium],
      ['GOOGLE', 'token:software:totp', 'GOOGLE', AssuranceLevel.Medium],
      ['GOOGLE', 'token:software:totp', undefined, AssuranceLevel.Medium],
      ['GUARDIAN', 'push', undefined, AssuranceLevel.Unknown],
      ['GUARDIAN', 'totp', undefined, AssuranceLevel.Unknown],
      ['GUARDIAN', 'webauthn-platform', undefined, AssuranceLevel.Unknown],
      ['OKTA', 'call', 'OKTA', AssuranceLevel.Low],
      ['OKTA', 'duo', 'Duo Security', AssuranceLevel.Unknown],
      ['OKTA', 'email', 'Email', AssuranceLevel.Low],
      ['OKTA', 'email', undefined, AssuranceLevel.Low],
      ['OKTA', 'google_otp', 'Google Authenticator', AssuranceLevel.Medium],
      ['OKTA', 'okta_email', 'Email', AssuranceLevel.Low],
      ['OKTA', 'okta_password', 'Password', AssuranceLevel.Low],
      ['OKTA', 'okta_verify', 'Okta Verify', AssuranceLevel.Medium],
      ['OKTA', 'password', 'Password', AssuranceLevel.Low],
      ['OKTA', 'push', 'OKTA', AssuranceLevel.Medium],
      ['OKTA', 'push', 'Okta Verify', AssuranceLevel.Medium],
      ['OKTA', 'push', undefined, AssuranceLevel.Medium],
      ['OKTA', 'question', 'OKTA', AssuranceLevel.Low],
      ['OKTA', 'security_question', 'Security Question', AssuranceLevel.Low],
      ['OKTA', 'signed_nonce', 'Okta Verify', AssuranceLevel.High],
      ['OKTA', 'sms', 'OKTA', AssuranceLevel.Low],
      ['OKTA', 'sms', undefined, AssuranceLevel.Low],
      ['OKTA', 'token:software:totp', 'OKTA', AssuranceLevel.Medium],
      ['OKTA', 'token:software:totp', undefined, AssuranceLevel.Medium],
      ['OKTA', 'webauthn', 'Security Key By Yubico with NFC', AssuranceLevel.High],
      ['OKTA', 'webauthn', 'YubiKey 5Ci', AssuranceLevel.High],
      ['OKTA', 'yubikey_token', 'Yubikey', AssuranceLevel.High],
      ['YUBICO', 'token:hardware', 'YUBICO', AssuranceLevel.High],
      ['YUBICO', 'token:hardware', undefined, AssuranceLevel.High],
      ['AZURE_AD', 'Other', undefined, AssuranceLevel.Unknown],
      ['AZURE_AD', 'platformCredentialAuthenticationMethod', undefined, AssuranceLevel.Unknown],
      ['AZURE_AD', 'SMS Sign-in', undefined, AssuranceLevel.Low],
      ['AZURE_AD', 'Temporary Access Pass', undefined, AssuranceLevel.Low],
      ['CLAIMS', 'external_idp', 'DUO OIDC MFA', AssuranceLevel.Unknown],
      ['CLAIMS', 'claims_provider', undefined, AssuranceLevel.Unknown],
      ['DUO', 'duo', 'Duo Security', AssuranceLevel.Unknown],
      ['DUO', 'h6', undefined, AssuranceLevel.Unknown],
      ['DUO', 'web', undefined, AssuranceLevel.Unknown],
      ['FIDO', 'webauthn', 'Security Key By Yubico', AssuranceLevel.High],
      ['HOTP', 'otp', 'FEITIAN c200 Token', AssuranceLevel.Medium],
      ['HOTP', 'otp', 'Legacy TOTP Token', AssuranceLevel.Medium],
      ['OKTA', 'call', undefined, AssuranceLevel.Low],
      ['OKTA', 'custom_otp', 'FEITIAN c200 Token', AssuranceLevel.Medium],
      ['OKTA', 'custom_otp', 'Token2 C105', AssuranceLevel.Medium],
      ['OKTA', 'duo', 'Duo Security', AssuranceLevel.Unknown],
      ['OKTA', 'external_idp', 'DUO OIDC MFA', AssuranceLevel.Unknown],
      ['OKTA', 'phone_number', 'Phone', AssuranceLevel.Low],
      ['OKTA', 'question', undefined, AssuranceLevel.Low],
      ['OKTA', 'security_question', 'Security Question For MFA', AssuranceLevel.Low],
      ['OKTA', 'signed_nonce', undefined, AssuranceLevel.High],
      ['OKTA', 'signed_nonce', 'OKTA', AssuranceLevel.High],
      ['OKTA', 'sms', 'Phone', AssuranceLevel.Low],
      ['OKTA', 'webauthn', 'YubiKey 5 FIPS', AssuranceLevel.High],
      ['OKTA', 'webauthn', 'YubiKey 5 FIPS with NFC', AssuranceLevel.High],
      ['OKTA', 'yubikey_token', 'YubiKey Authenticator', AssuranceLevel.High],
      ['YUBIKEY', 'otp', 'YubiKey Authenticator', AssuranceLevel.Medium]
```
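
The following is an added example, not part of the original article and not CII's own code. It shows how rows like those above could be used to classify a user's factors and to reproduce the status rule from the MFA Factor Status section. The helper names (`factorStrength`, `assessUser`), the fallback to the `undefined`-name row, the numeric ranking, and treating only `ACTIVE` factors as enrolled are assumptions.

```javascript
// Added example (not CII's code). Numeric ranks are an assumption; Unknown ranks lowest.
const AssuranceLevel = Object.freeze({ Unknown: 0, Low: 1, Medium: 2, High: 3 });

// Subset of rows copied from the table above: [provider, type, name, level].
const FACTOR_STRENGTH = [
  ['OKTA', 'password', 'Password', AssuranceLevel.Low],
  ['OKTA', 'sms', undefined, AssuranceLevel.Low],
  ['OKTA', 'push', 'Okta Verify', AssuranceLevel.Medium],
  ['OKTA', 'push', undefined, AssuranceLevel.Medium],
  ['OKTA', 'signed_nonce', 'Okta Verify', AssuranceLevel.High],
  ['OKTA', 'webauthn', 'YubiKey 5Ci', AssuranceLevel.High],
  ['OKTA', 'duo', 'Duo Security', AssuranceLevel.Unknown],
  ['DUO', 'Passkey', undefined, AssuranceLevel.Medium],
];

// Assumption: an exact (provider, type, name) row wins, then the row whose
// name is undefined; anything unmapped is reported as Unknown.
function factorStrength(provider, type, name) {
  const rows = FACTOR_STRENGTH.filter(([p, t]) => p === provider && t === type);
  const hit = rows.find(([, , n]) => n === name) || rows.find(([, , n]) => n === undefined);
  return hit ? hit[3] : AssuranceLevel.Unknown;
}

// Per the page, PENDING and PENDING_ACTIVATION factors are not enrolled and
// Password does not count as MFA. Assumption: only ACTIVE counts as enrolled.
const PASSWORD_TYPES = new Set(['password', 'okta_password']);
const isEnrolledMfa = (f) => f.status === 'ACTIVE' && !PASSWORD_TYPES.has(f.type);

// Returns whether the user fails "No MFA Configured" and the strongest enrolled level.
function assessUser(factors) {
  const enrolled = factors.filter(isEnrolledMfa);
  const strongest = enrolled.reduce(
    (max, f) => Math.max(max, factorStrength(f.provider, f.type, f.name)),
    AssuranceLevel.Unknown);
  return { failsNoMfaConfigured: enrolled.length === 0, strongest };
}

// Constructed sample users (not real data).
const pendingOnly = [
  { provider: 'OKTA', type: 'password', name: 'Password', status: 'ACTIVE' },
  { provider: 'OKTA', type: 'push', name: 'Okta Verify', status: 'PENDING_ACTIVATION' },
];
const mixed = [
  { provider: 'OKTA', type: 'sms', name: 'Personal phone', status: 'ACTIVE' },
  { provider: 'OKTA', type: 'webauthn', name: 'YubiKey 5Ci', status: 'PENDING' },
  { provider: 'OKTA', type: 'push', name: 'Okta Verify', status: 'ACTIVE' },
];
console.log(assessUser(pendingOnly), assessUser(mixed));
```

Under these assumptions, an authenticator name that has no exact row and no `undefined`-name row for its provider and type resolves to `Unknown`, so a newly seen device name is not silently rated.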
