Episode 20 — Require strong multifactor authentication across all users

This episode covers multifactor authentication the way the ISA exam expects: where MFA is required, what counts as a factor, and how implementation details decide whether the control is actually effective. You'll define MFA, then apply it to the pathways PCI DSS cares about: administrative access to in-scope systems, remote access into environments that can affect the CDE, and access to consoles, hypervisors, and cloud control planes. We'll contrast strong and weak implementations, including the risks of fallback methods, inconsistent coverage, shared accounts, and "MFA only on VPN" designs that leave other entry points unprotected. You'll learn to validate MFA through evidence such as identity provider policies, conditional access rules, system configurations, and authentication logs that demonstrate enforcement over time rather than during a single demo. Troubleshooting scenarios include service accounts that cannot complete interactive MFA, vendor access that bypasses central policy, and legacy systems that require compensating controls, so you can explain compliant design options with clear reasoning.

Produced by BareMetalCyber.com, where you'll find more cyber audio courses, books, and information to strengthen your educational path. To stay up to date with the latest news, visit DailyCyber.News for a newsletter you can use and a daily podcast you can commute with.
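The episode's point about proving enforcement from authentication logs, and about "MFA only on VPN" designs that miss other entry points, is easiest to see with a small audit script. The following is an added example, not material from the episode or from BareMetalCyber.com. It assumes a newline-delimited JSON sign-in log with `user`, `pathway`, `result` and `mfa` fields (real identity providers use their own schemas), a hypothetical register of compensating controls for non-interactive service accounts, and a constructed seven-event sample log. It flags password-only successes, flags weak fallback factors such as SMS, separates accounts covered by a documented compensating control, and reports MFA coverage per pathway so a VPN-only design shows up as 100% on one pathway and 0% on another.

```python
"""Audit sign-in logs for MFA enforcement gaps across access pathways.

Added example for the MFA evidence discussion; not part of the episode.
The log schema, field names, and the compensating-control register are assumptions.
"""
import json
from collections import defaultdict

# Constructed sample sign-in events (not real data). Each line is one authentication
# attempt; "mfa" names the second factor used, or null if only a password was checked.
SAMPLE_LOG = """\
{"ts":"2024-03-01T08:00:00Z","user":"alice","pathway":"vpn","result":"success","mfa":"totp"}
{"ts":"2024-03-01T08:05:00Z","user":"alice","pathway":"hypervisor_console","result":"success","mfa":null}
{"ts":"2024-03-01T09:10:00Z","user":"bob","pathway":"cloud_console","result":"success","mfa":"sms"}
{"ts":"2024-03-01T09:12:00Z","user":"bob","pathway":"vpn","result":"failure","mfa":null}
{"ts":"2024-03-02T10:00:00Z","user":"svc-backup","pathway":"ssh_jump","result":"success","mfa":null}
{"ts":"2024-03-02T10:30:00Z","user":"vendor-acme","pathway":"rdp_gateway","result":"success","mfa":null}
{"ts":"2024-03-02T11:00:00Z","user":"carol","pathway":"vpn","result":"success","mfa":"fido2"}
"""

# Fallback factors that are phishable or commonly abused; treated as weak here.
WEAK_FACTORS = {"sms", "voice", "email"}

# Hypothetical compensating-control register: non-interactive accounts that cannot
# complete MFA, mapped to the documented control that stands in for it.
COMPENSATING_CONTROLS = {
    "svc-backup": "certificate auth from a fixed jump host; no interactive login",
}


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a malformed line is not evidence either way; skip it
    return events


def audit_mfa(events):
    """Return (findings, compensated) for successful logins lacking strong MFA.

    Each finding carries user, pathway, timestamp and a reason:
      'no_mfa'      : password-only success with no documented compensating control
      'weak_factor' : success using an SMS/voice/email factor
    Successes covered by a documented compensating control are returned separately
    so the assessor can review the control rather than count the login as a gap.
    """
    findings, compensated = [], []
    for e in events:
        if e.get("result") != "success":
            continue  # failed attempts prove nothing about enforcement
        factor = e.get("mfa")
        if factor is None:
            if e["user"] in COMPENSATING_CONTROLS:
                compensated.append({**e, "control": COMPENSATING_CONTROLS[e["user"]]})
            else:
                findings.append({"user": e["user"], "pathway": e["pathway"],
                                 "ts": e["ts"], "reason": "no_mfa"})
        elif factor.lower() in WEAK_FACTORS:
            findings.append({"user": e["user"], "pathway": e["pathway"],
                             "ts": e["ts"], "reason": "weak_factor", "factor": factor})
    return findings, compensated


def coverage_by_pathway(events):
    """Fraction of successful logins per pathway that used any MFA factor.

    1.0 on 'vpn' with lower values elsewhere is the 'MFA only on VPN' pattern.
    """
    totals, with_mfa = defaultdict(int), defaultdict(int)
    for e in events:
        if e.get("result") != "success":
            continue
        totals[e["pathway"]] += 1
        if e.get("mfa"):
            with_mfa[e["pathway"]] += 1
    return {p: with_mfa[p] / totals[p] for p in totals}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    gaps, covered = audit_mfa(evs)
    for g in gaps:
        print("GAP", g)
    for c in covered:
        print("COMPENSATED", c["user"], c["pathway"], "->", c["control"])
    for pathway, frac in sorted(coverage_by_pathway(evs).items()):
        print(f"{pathway:20s} MFA coverage {frac:.0%}")
```

Run against a month of exported sign-in events rather than a single demo session, the per-pathway coverage is the evidence the episode describes: it shows whether the policy held for every entry point over time, and the compensated list gives the assessor a concrete set of accounts whose documented controls need to be reviewed instead of being silently excluded.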