MFA Factors FAQ

08/2024

Overview

Cisco Identity Intelligence (CII) collects MFA factor information from any available sources. This article addresses some frequently asked questions around MFA factor usage and classification.

MFA Factor Strength

CII categorizes different types of MFA factors by strength according to the guidelines set forth in the latest NIST 800-63B standard, specifically the Authenticator Assurance Levels (AAL).

In the chart below, shown the Dashboard, authenticators may have an assurance level of Low, Medium, or High, which corresponds to AAL 1, 2, and 3, respectively. A level of Unknown means that the identity source likely is using a 3rd party MFA provider or platform and the authenticator strength is not reported in the event details.

See the MFA Factor Strength Mapping list below for specific identity providers and factor types.

MFA Factor Status

User MFA factors may have a variety of statuses reported by the identity system. Most factors will typically show as ACTIVE or DISABLED.

Note that factors with a status of PENDING or PENDING_ACTIVIATION are NOT considered to be fully enrolled and activated factors, so a user with only these factor statuses (besides Password as a first factor) will fail the No MFA Configured check.

MFA Factor Strength Mapping

The list below provides the current factor mapping for each factor type encountered in the primary IDP and IAM systems.

Passkeys

Based on the recent NIST publication around Syncable Authenticators, more commonly known as Passkeys, which are capable of AAL2, CII classifies Passkeys as Medium strength.

Factor Strength Table

NOTE: Factor types, names, and other details reported by the IDP and IAM systems are constantly evolving and changing, so the actual user interface may differ slightly.


      ['AZURE_AD', 'alternateMobilePhone', undefined, AssuranceLevel.Low],
      ['AZURE_AD', 'appCode', undefined, AssuranceLevel.Medium],
      ['AZURE_AD', 'appNotification', undefined, AssuranceLevel.Medium],
      ['AZURE_AD', 'email', undefined, AssuranceLevel.Low],
      ['AZURE_AD', 'mobilePhone', undefined, AssuranceLevel.Low],
      ['AZURE_AD', 'officePhone', undefined, AssuranceLevel.Low],
      ['AZURE_AD', 'securityQuestion', undefined, AssuranceLevel.Low],
      ['AZURE_AD', 'microsoftAuthenticator', undefined, AssuranceLevel.Medium],
      ['AZURE_AD', 'password', undefined, AssuranceLevel.Low],
      ['AZURE_AD', 'phone', undefined, AssuranceLevel.Low],
      ['AZURE_AD', 'softwareOath', undefined, AssuranceLevel.Medium],
      ['AZURE_AD', 'windowsHelloForBusiness', undefined, AssuranceLevel.High],
      ['AZURE_AD', '509 Certificate', undefined, AssuranceLevel.High],
      ['AZURE_AD', 'Other', undefined, AssuranceLevel.Unknown],
      ['AZURE_AD', 'microsoftAuthenticatorPasswordless', undefined, AssuranceLevel.High],
      ['AZURE_AD', 'mobileAppNotification', undefined, AssuranceLevel.Medium],
      ['AZURE_AD', 'temporaryAccessPass', undefined, AssuranceLevel.Low],
      ['AZURE_AD', 'QR code', undefined, AssuranceLevel.Medium],
      ['AZURE_AD', 'fido2', undefined, AssuranceLevel.High],
      ['AZURE_AD', 'platformCredentialAuthenticationMethod', undefined, AssuranceLevel.Unknown],
      ['CUSTOM', 'claims_provider', 'BeyondID_MFA', AssuranceLevel.Unknown],
      ['CUSTOM', 'claims_provider', 'Duo OIDC MFA', AssuranceLevel.Unknown],
      ['CUSTOM', 'token:hotp', 'Feitian Hardware TOTP', AssuranceLevel.Unknown],
      ['DEL_OATH', 'token', 'On-Prem MFA', AssuranceLevel.Unknown],
      ['DUO', 'd1', undefined, AssuranceLevel.Medium],
      ['DUO', 'bypass_code', undefined, AssuranceLevel.Low],
      ['DUO', 'duo_mobile_passcode', undefined, AssuranceLevel.Medium],
      ['DUO', 'duo_push', undefined, AssuranceLevel.Medium],
      ['DUO', 'phone_call', undefined, AssuranceLevel.Low],
      ['DUO', 'Passkey', undefined, AssuranceLevel.Medium],
      ['DUO', 'Platform_authenticator_(2fa)', undefined, AssuranceLevel.Medium],
      ['DUO', 'Platform_authenticator_(passwordless)', undefined, AssuranceLevel.High],
      ['DUO', 'Security_Key', undefined, AssuranceLevel.High],
      ['DUO', 'sms_passcode', undefined, AssuranceLevel.Low],
      ['DUO', 'Touch_ID', undefined, AssuranceLevel.High],
      ['DUO', 'u2ftoken', undefined, AssuranceLevel.High],
      ['DUO', 'web', 'DUO', AssuranceLevel.Unknown],
      ['DUO', 'WebAuthn_Chrome_Touch_ID', 'DUO', AssuranceLevel.High],
      ['DUO', 'yk', 'DUO', AssuranceLevel.High],
      ['DUO', 'verified_duo_push', undefined, AssuranceLevel.Medium],
      ['FIDO', 'webauthn', 'YubiKey 5', AssuranceLevel.High],
      ['FIDO', 'webauthn', 'Windows Hello Software Authenticator', AssuranceLevel.High],
      ['FIDO', 'webauthn', 'FIDO', AssuranceLevel.High],
      ['FIDO', 'webauthn', 'MacBook Touch ID', AssuranceLevel.High],
      ['FIDO', 'webauthn', undefined, AssuranceLevel.High],
      ['GOOGLE', 'google_otp', 'Google Authenticator', AssuranceLevel.Medium],
      ['GOOGLE', 'token:software:totp', 'GOOGLE', AssuranceLevel.Medium],
      ['GOOGLE', 'token:software:totp', undefined, AssuranceLevel.Medium],
      ['GUARDIAN', 'push', undefined, AssuranceLevel.Unknown],
      ['GUARDIAN', 'totp', undefined, AssuranceLevel.Unknown],
      ['GUARDIAN', 'webauthn-platform', undefined, AssuranceLevel.Unknown],
      ['OKTA', 'call', 'OKTA', AssuranceLevel.Low],
      ['OKTA', 'duo', 'Duo Security', AssuranceLevel.Unknown],
      ['OKTA', 'email', 'Email', AssuranceLevel.Low],
      ['OKTA', 'email', undefined, AssuranceLevel.Low],
      ['OKTA', 'google_otp', 'Google Authenticator', AssuranceLevel.Medium],
      ['OKTA', 'okta_email', 'Email', AssuranceLevel.Low],
      ['OKTA', 'okta_password', 'Password', AssuranceLevel.Low],
      ['OKTA', 'okta_verify', 'Okta Verify', AssuranceLevel.Medium],
      ['OKTA', 'password', 'Password', AssuranceLevel.Low],
      ['OKTA', 'push', 'OKTA', AssuranceLevel.Medium],
      ['OKTA', 'push', 'Okta Verify', AssuranceLevel.Medium],
      ['OKTA', 'push', undefined, AssuranceLevel.Medium],
      ['OKTA', 'question', 'OKTA', AssuranceLevel.Low],
      ['OKTA', 'security_question', 'Security Question', AssuranceLevel.Low],
      ['OKTA', 'signed_nonce', 'Okta Verify', AssuranceLevel.High],
      ['OKTA', 'sms', 'OKTA', AssuranceLevel.Low],
      ['OKTA', 'sms', undefined, AssuranceLevel.Low],
      ['OKTA', 'token:software:totp', 'OKTA', AssuranceLevel.Medium],
      ['OKTA', 'token:software:totp', undefined, AssuranceLevel.Medium],
      ['OKTA', 'webauthn', 'Security Key By Yubico with NFC', AssuranceLevel.High],
      ['OKTA', 'webauthn', 'YubiKey 5Ci', AssuranceLevel.High],
      ['OKTA', 'yubikey_token', 'Yubikey', AssuranceLevel.High],
      ['YUBICO', 'token:hardware', 'YUBICO', AssuranceLevel.High],
      ['YUBICO', 'token:hardware', undefined, AssuranceLevel.High],
      ['AZURE_AD', 'Other', undefined, AssuranceLevel.Unknown],
      ['AZURE_AD', 'platformCredentialAuthenticationMethod', undefined, AssuranceLevel.Unknown],
      ['AZURE_AD', 'SMS Sign-in', undefined, AssuranceLevel.Low],
      ['AZURE_AD', 'Temporary Access Pass', undefined, AssuranceLevel.Low],
      ['CLAIMS', 'external_idp', 'DUO OIDC MFA', AssuranceLevel.Unknown],
      ['CLAIMS', 'claims_provider', undefined, AssuranceLevel.Unknown],
      ['DUO', 'duo', 'Duo Security', AssuranceLevel.Unknown],
      ['DUO', 'h6', undefined, AssuranceLevel.Unknown],
      ['DUO', 'web', undefined, AssuranceLevel.Unknown],
      ['FIDO', 'webauthn', 'Security Key By Yubico', AssuranceLevel.High],
      ['HOTP', 'otp', 'FEITIAN c200 Token', AssuranceLevel.Medium],
      ['HOTP', 'otp', 'Legacy TOTP Token', AssuranceLevel.Medium],
      ['OKTA', 'call', undefined, AssuranceLevel.Low],
      ['OKTA', 'custom_otp', 'FEITIAN c200 Token', AssuranceLevel.Medium],
      ['OKTA', 'custom_otp', 'Token2 C105', AssuranceLevel.Medium],
      ['OKTA', 'duo', 'Duo Security', AssuranceLevel.Unknown],
      ['OKTA', 'external_idp', 'DUO OIDC MFA', AssuranceLevel.Unknown],
      ['OKTA', 'phone_number', 'Phone', AssuranceLevel.Low],
      ['OKTA', 'question', undefined, AssuranceLevel.Low],
      ['OKTA', 'security_question', 'Security Question For MFA', AssuranceLevel.Low],
      ['OKTA', 'signed_nonce', undefined, AssuranceLevel.High],
      ['OKTA', 'signed_nonce', 'OKTA', AssuranceLevel.High],
      ['OKTA', 'sms', 'Phone', AssuranceLevel.Low],
      ['OKTA', 'webauthn', 'YubiKey 5 FIPS', AssuranceLevel.High],
      ['OKTA', 'webauthn', 'YubiKey 5 FIPS with NFC', AssuranceLevel.High],
      ['OKTA', 'yubikey_token', 'YubiKey Authenticator', AssuranceLevel.High],
      ['YUBIKEY', 'otp', 'YubiKey Authenticator', AssuranceLevel.Medium]

PreviousUnderstanding HRIS Data and SCIM NextPublic API

Last updated 2 months ago