# MFA FAQ

## Overview

Cisco Identity Intelligence (CII) collects MFA factor information from any available sources.

This article addresses some frequently asked questions around MFA factor usage and classification.

## MFA Factor Strength

CII categorizes different types of MFA factors by strength according to the guidelines set forth in the latest NIST 800-63B standard, specifically the [Authenticator Assurance Levels](https://pages.nist.gov/800-63-3-Implementation-Resources/63B/AAL/) (AAL).

In the chart below, shown on the Dashboard, authenticators may have an assurance level of Low, Medium, or High, which corresponds to AAL 1, 2, and 3, respectively.

A level of `Unknown` means that the identity source is likely using a third-party MFA provider or platform and the authenticator strength is not reported in the event details.

See the [MFA Factor Strength Mapping](#mfa-factor-strength-mapping) list below for specific identity providers and factor types.

<figure><img src="/files/0IO8gUMfIN4FciIQXnac" alt=""><figcaption></figcaption></figure>

## MFA Factor Status

User MFA factors may have a variety of statuses reported by the identity system. Most factors will typically show as `ACTIVE` or `DISABLED`.

Note that factors with a status of `PENDING` or `PENDING_ACTIVATION` are NOT considered to be fully enrolled and activated factors, so a user with only these factor statuses (besides `Password` as a first factor) will fail the [No MFA Configured](/understanding-check-failures/oort-insights/identity-posture-management-insights/no-mfa-configured.md) check.

<figure><img src="/files/HmyLgq04Tl3YjitJFfrz" alt=""><figcaption></figcaption></figure>

## MFA Factor Strength Mapping

The list below provides the current factor mapping for each factor type encountered in the primary IDP and IAM systems.

### Passkeys

CII classifies Passkeys as `Medium` strength, based on the recent [NIST publication on Syncable Authenticators](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63Bsup1.pdf) (more commonly known as Passkeys), which are capable of AAL2.

### Factor Strength Table

NOTE: Factor types, names, and other details reported by the IDP and IAM systems are constantly evolving and changing, so the actual user interface may differ slightly.

```

      ['AZURE_AD', 'alternateMobilePhone', undefined, AssuranceLevel.Low],
      ['AZURE_AD', 'appCode', undefined, AssuranceLevel.Medium],
      ['AZURE_AD', 'appNotification', undefined, AssuranceLevel.Medium],
      ['AZURE_AD', 'email', undefined, AssuranceLevel.Low],
      ['AZURE_AD', 'mobilePhone', undefined, AssuranceLevel.Low],
      ['AZURE_AD', 'officePhone', undefined, AssuranceLevel.Low],
      ['AZURE_AD', 'securityQuestion', undefined, AssuranceLevel.Low],
      ['AZURE_AD', 'microsoftAuthenticator', undefined, AssuranceLevel.Medium],
      ['AZURE_AD', 'password', undefined, AssuranceLevel.Low],
      ['AZURE_AD', 'phone', undefined, AssuranceLevel.Low],
      ['AZURE_AD', 'softwareOath', undefined, AssuranceLevel.Medium],
      ['AZURE_AD', 'windowsHelloForBusiness', undefined, AssuranceLevel.High],
      ['AZURE_AD', '509 Certificate', undefined, AssuranceLevel.High],
      ['AZURE_AD', 'Other', undefined, AssuranceLevel.Unknown],
      ['AZURE_AD', 'microsoftAuthenticatorPasswordless', undefined, AssuranceLevel.High],
      ['AZURE_AD', 'mobileAppNotification', undefined, AssuranceLevel.Medium],
      ['AZURE_AD', 'temporaryAccessPass', undefined, AssuranceLevel.Low],
      ['AZURE_AD', 'QR code', undefined, AssuranceLevel.Medium],
      ['AZURE_AD', 'fido2', undefined, AssuranceLevel.High],
      ['AZURE_AD', 'platformCredentialAuthenticationMethod', undefined, AssuranceLevel.Unknown],
      ['CUSTOM', 'claims_provider', 'BeyondID_MFA', AssuranceLevel.Unknown],
      ['CUSTOM', 'claims_provider', 'Duo OIDC MFA', AssuranceLevel.Unknown],
      ['CUSTOM', 'token:hotp', 'Feitian Hardware TOTP', AssuranceLevel.Unknown],
      ['DEL_OATH', 'token', 'On-Prem MFA', AssuranceLevel.Unknown],
      ['DUO', 'd1', undefined, AssuranceLevel.Medium],
      ['DUO', 'bypass_code', undefined, AssuranceLevel.Low],
      ['DUO', 'duo_mobile_passcode', undefined, AssuranceLevel.Medium],
      ['DUO', 'duo_push', undefined, AssuranceLevel.Medium],
      ['DUO', 'phone_call', undefined, AssuranceLevel.Low],
      ['DUO', 'Passkey', undefined, AssuranceLevel.Medium],
      ['DUO', 'Platform_authenticator_(2fa)', undefined, AssuranceLevel.Medium],
      ['DUO', 'Platform_authenticator_(passwordless)', undefined, AssuranceLevel.High],
      ['DUO', 'Security_Key', undefined, AssuranceLevel.High],
      ['DUO', 'sms_passcode', undefined, AssuranceLevel.Low],
      ['DUO', 'Touch_ID', undefined, AssuranceLevel.High],
      ['DUO', 'u2ftoken', undefined, AssuranceLevel.High],
      ['DUO', 'web', 'DUO', AssuranceLevel.Unknown],
      ['DUO', 'WebAuthn_Chrome_Touch_ID', 'DUO', AssuranceLevel.High],
      ['DUO', 'yk', 'DUO', AssuranceLevel.High],
      ['DUO', 'verified_duo_push', undefined, AssuranceLevel.Medium],
      ['FIDO', 'webauthn', 'YubiKey 5', AssuranceLevel.High],
      ['FIDO', 'webauthn', 'Windows Hello Software Authenticator', AssuranceLevel.High],
      ['FIDO', 'webauthn', 'FIDO', AssuranceLevel.High],
      ['FIDO', 'webauthn', 'MacBook Touch ID', AssuranceLevel.High],
      ['FIDO', 'webauthn', undefined, AssuranceLevel.High],
      ['GOOGLE', 'google_otp', 'Google Authenticator', AssuranceLevel.Medium],
      ['GOOGLE', 'token:software:totp', 'GOOGLE', AssuranceLevel.Medium],
      ['GOOGLE', 'token:software:totp', undefined, AssuranceLevel.Medium],
      ['GUARDIAN', 'push', undefined, AssuranceLevel.Unknown],
      ['GUARDIAN', 'totp', undefined, AssuranceLevel.Unknown],
      ['GUARDIAN', 'webauthn-platform', undefined, AssuranceLevel.Unknown],
      ['OKTA', 'call', 'OKTA', AssuranceLevel.Low],
      ['OKTA', 'duo', 'Duo Security', AssuranceLevel.Unknown],
      ['OKTA', 'email', 'Email', AssuranceLevel.Low],
      ['OKTA', 'email', undefined, AssuranceLevel.Low],
      ['OKTA', 'google_otp', 'Google Authenticator', AssuranceLevel.Medium],
      ['OKTA', 'okta_email', 'Email', AssuranceLevel.Low],
      ['OKTA', 'okta_password', 'Password', AssuranceLevel.Low],
      ['OKTA', 'okta_verify', 'Okta Verify', AssuranceLevel.Medium],
      ['OKTA', 'password', 'Password', AssuranceLevel.Low],
      ['OKTA', 'push', 'OKTA', AssuranceLevel.Medium],
      ['OKTA', 'push', 'Okta Verify', AssuranceLevel.Medium],
      ['OKTA', 'push', undefined, AssuranceLevel.Medium],
      ['OKTA', 'question', 'OKTA', AssuranceLevel.Low],
      ['OKTA', 'security_question', 'Security Question', AssuranceLevel.Low],
      ['OKTA', 'signed_nonce', 'Okta Verify', AssuranceLevel.High],
      ['OKTA', 'sms', 'OKTA', AssuranceLevel.Low],
      ['OKTA', 'sms', undefined, AssuranceLevel.Low],
      ['OKTA', 'token:software:totp', 'OKTA', AssuranceLevel.Medium],
      ['OKTA', 'token:software:totp', undefined, AssuranceLevel.Medium],
      ['OKTA', 'webauthn', 'Security Key By Yubico with NFC', AssuranceLevel.High],
      ['OKTA', 'webauthn', 'YubiKey 5Ci', AssuranceLevel.High],
      ['OKTA', 'yubikey_token', 'Yubikey', AssuranceLevel.High],
      ['YUBICO', 'token:hardware', 'YUBICO', AssuranceLevel.High],
      ['YUBICO', 'token:hardware', undefined, AssuranceLevel.High],
      ['AZURE_AD', 'Other', undefined, AssuranceLevel.Unknown],
      ['AZURE_AD', 'platformCredentialAuthenticationMethod', undefined, AssuranceLevel.Unknown],
      ['AZURE_AD', 'SMS Sign-in', undefined, AssuranceLevel.Low],
      ['AZURE_AD', 'Temporary Access Pass', undefined, AssuranceLevel.Low],
      ['CLAIMS', 'external_idp', 'DUO OIDC MFA', AssuranceLevel.Unknown],
      ['CLAIMS', 'claims_provider', undefined, AssuranceLevel.Unknown],
      ['DUO', 'duo', 'Duo Security', AssuranceLevel.Unknown],
      ['DUO', 'h6', undefined, AssuranceLevel.Unknown],
      ['DUO', 'web', undefined, AssuranceLevel.Unknown],
      ['FIDO', 'webauthn', 'Security Key By Yubico', AssuranceLevel.High],
      ['HOTP', 'otp', 'FEITIAN c200 Token', AssuranceLevel.Medium],
      ['HOTP', 'otp', 'Legacy TOTP Token', AssuranceLevel.Medium],
      ['OKTA', 'call', undefined, AssuranceLevel.Low],
      ['OKTA', 'custom_otp', 'FEITIAN c200 Token', AssuranceLevel.Medium],
      ['OKTA', 'custom_otp', 'Token2 C105', AssuranceLevel.Medium],
      ['OKTA', 'duo', 'Duo Security', AssuranceLevel.Unknown],
      ['OKTA', 'external_idp', 'DUO OIDC MFA', AssuranceLevel.Unknown],
      ['OKTA', 'phone_number', 'Phone', AssuranceLevel.Low],
      ['OKTA', 'question', undefined, AssuranceLevel.Low],
      ['OKTA', 'security_question', 'Security Question For MFA', AssuranceLevel.Low],
      ['OKTA', 'signed_nonce', undefined, AssuranceLevel.High],
      ['OKTA', 'signed_nonce', 'OKTA', AssuranceLevel.High],
      ['OKTA', 'sms', 'Phone', AssuranceLevel.Low],
      ['OKTA', 'webauthn', 'YubiKey 5 FIPS', AssuranceLevel.High],
      ['OKTA', 'webauthn', 'YubiKey 5 FIPS with NFC', AssuranceLevel.High],
      ['OKTA', 'yubikey_token', 'YubiKey Authenticator', AssuranceLevel.High],
      ['YUBIKEY', 'otp', 'YubiKey Authenticator', AssuranceLevel.Medium]
```
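The status rule from "MFA Factor Status" and the strength mapping above can be combined to audit an exported factor list. The following is an added example, not CII's own code: the function names, the fallback from a named row to the unnamed row, the exclusion of `DISABLED` factors, and the sample users are all assumptions made for illustration.

```javascript
// Added illustration, not CII source code.
const AssuranceLevel = Object.freeze({ Unknown: 'Unknown', Low: 'Low', Medium: 'Medium', High: 'High' });
const RANK = { Unknown: 0, Low: 1, Medium: 2, High: 3 };

// [provider, factorType, factorName, level]: rows copied from the table above (subset).
const MAPPING = [
  ['OKTA', 'sms', undefined, AssuranceLevel.Low],
  ['OKTA', 'push', undefined, AssuranceLevel.Medium],
  ['OKTA', 'signed_nonce', 'Okta Verify', AssuranceLevel.High],
  ['OKTA', 'duo', 'Duo Security', AssuranceLevel.Unknown],
  ['DUO', 'bypass_code', undefined, AssuranceLevel.Low],
  ['FIDO', 'webauthn', undefined, AssuranceLevel.High],
];

// Assumed lookup order: exact name match, then the row with no name, else Unknown.
function factorStrength(provider, type, name) {
  const rows = MAPPING.filter(([p, t]) => p === provider && t === type);
  const hit = rows.find((r) => r[2] === name) || rows.find((r) => r[2] === undefined);
  return hit ? hit[3] : AssuranceLevel.Unknown;
}

// PENDING statuses come from the page; excluding DISABLED is an assumption.
const NOT_USABLE = new Set(['PENDING', 'PENDING_ACTIVATION', 'DISABLED']);
const isPassword = (f) => /password/i.test(f.type);

// Returns whether the user would fail "No MFA Configured" and their strongest usable factor.
function assessUser(factors) {
  const usable = factors.filter((f) => !isPassword(f) && !NOT_USABLE.has(f.status));
  let strongest = null;
  for (const f of usable) {
    const level = factorStrength(f.provider, f.type, f.name);
    if (strongest === null || RANK[level] > RANK[strongest]) strongest = level;
  }
  return { noMfaConfigured: usable.length === 0, strongest };
}

// Constructed sample users (not real data).
const pendingOnly = [
  { provider: 'OKTA', type: 'password', name: 'Password', status: 'ACTIVE' },
  { provider: 'OKTA', type: 'push', name: 'Okta Verify', status: 'PENDING_ACTIVATION' },
];
const mixed = [
  { provider: 'OKTA', type: 'password', name: 'Password', status: 'ACTIVE' },
  { provider: 'OKTA', type: 'sms', name: 'Phone', status: 'ACTIVE' },
  { provider: 'OKTA', type: 'signed_nonce', name: 'Okta Verify', status: 'ACTIVE' },
];
console.log(assessUser(pendingOnly), assessUser(mixed));
```

A user whose strongest usable factor is `Low` or `Unknown` passes the enrollment check but is still worth reviewing, since the check only establishes that some second factor is active.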

