“Multi-factor authentication shall be used where technically possible, such as where administrative consoles provide access to manage cloud based infrastructure, platforms or services. Multi-factor authentication shall be used for access to enterprise level social media accounts ”
BUT.. existing Multi-factor Authentication (MFA) Products are weak!
According to NIST, “Out-of-Band” like SMS and Email or “OTP” like SecurID or Vasco need multiple other supporting techniques and therefore consume extra overhead and management costs -see NIST Digital Identity Guidelines on Authentication Products.
Use of a mobile phone to carry the authentication response may seem adequate but Users now want to use their own mobiles as the primary Client- so other than carrying a second phone, these existing Solutions will, ridiculously, become single factor Authentication!
CASQUE SNR is the only MFA certified at source code level by NCSC as suitable for Secret and is cheaper than traditional techniques. Why use MFAs that already have known weakness when you can use CASQUE SNR?