Strong Authentication
Description
Authentication to system components in the CDE must use strong methods: passwords of at least 12 characters containing both letters and numbers (PCI DSS v4.0 Requirement 8.3.6), and MFA for all access into the CDE (8.4.2), including all remote network access originating from outside the entity's network (8.4.3).
⚠️ Risk Impact
Weak authentication is consistently among the most common initial-access vectors in breach data. Passwords without MFA enable credential stuffing (replaying passwords leaked from other breaches), brute force, and phishing-based account compromise; once an attacker holds a valid login, later controls see legitimate-looking activity.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Enforce passwords of 12+ characters with complexity requirements. Require MFA for every user, with no exemptions for service or break-glass accounts. Require phishing-resistant MFA (passkeys/WebAuthn, FIDO2) for administrative access, since OTP, SMS and push factors can be phished, intercepted or fatigued. Federate authentication through a central IdP so that one policy applies everywhere and local accounts do not escape it.
💀 Real-World Attack Scenario
A merchant's CDE admin console allowed 8-character passwords and used SMS as its only second factor. The attacker obtained an admin's password through credential stuffing from a leaked breach dump, then defeated the SMS factor by SIM-swapping the admin's phone number, yielding a valid admin login. 280K card records were exfiltrated before detection.
💰 Cost of Non-Compliance
Global average cost of a data breach: $4.45M (IBM Cost of a Data Breach Report 2023). This is the cross-industry average, not a figure specific to weak-authentication breaches.
📋 Audit Questions
1. Password policy enforced?
2. MFA universal?
3. Phishing-resistant MFA for admin?
4. Federation through IdP?
🎯 MITRE ATT&CK Mapping
- T1110 Brute Force, including T1110.004 Credential Stuffing
- T1566 Phishing (capture of passwords and one-time codes)
- T1111 Multi-Factor Authentication Interception (SMS codes, SIM swapping)
- T1078 Valid Accounts (use of the compromised admin login)
⚡ Common Pitfalls
- ⛔ SMS MFA only
- ⛔ Password policy without MFA
- ⛔ Different policies in CDE vs non-CDE: adversaries pivot through the weaker environment
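The following Python audit is an added example, not EchelonGraph's scanner or any code from this page. It implements the remediation checks above (12+ character policy, MFA for every user, phishing-resistant MFA for admins, IdP federation) and the last pitfall (policy drift between CDE and non-CDE accounts) over a constructed inventory. The Account and User shapes are loosely modelled on an AWS IAM account password policy plus credential report; the check names, MFA labels, severities and sample data are all assumptions made for illustration.

```python
"""Audit strong-authentication posture across a set of cloud accounts.

Added example, not EchelonGraph's scanner. Account/User shapes are loosely
modelled on an AWS IAM password policy plus credential report; the check
names, MFA labels and sample inventory are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

MIN_PASSWORD_LENGTH = 12                      # PCI DSS 8.3.6 minimum
PHISHING_RESISTANT = {"webauthn", "passkey"}  # FIDO2-class second factors
WEAK_MFA = {"sms"}                            # interceptable / SIM-swappable


@dataclass
class User:
    name: str
    admin: bool
    mfa: Optional[str]       # None, "sms", "totp", "push", "webauthn", "passkey"
    federated: bool = False  # signs in through the IdP; no local password


@dataclass
class Account:
    name: str
    in_cde: bool
    min_password_length: int
    require_complexity: bool
    users: List[User]


def assess_account(acct: Account) -> List[Dict]:
    """Return one finding per violated check for a single account."""
    findings: List[Dict] = []

    def add(check: str, severity: str, subject: str, detail: str) -> None:
        findings.append({"account": acct.name, "check": check,
                         "severity": severity, "subject": subject,
                         "detail": detail})

    # Account-wide password policy.
    if acct.min_password_length < MIN_PASSWORD_LENGTH:
        add("password_length", "high", "policy",
            f"minimum is {acct.min_password_length}, need {MIN_PASSWORD_LENGTH}")
    if not acct.require_complexity:
        add("password_complexity", "high", "policy", "complexity not enforced")

    # Per-user factors. A missing factor is reported once; an admin on any
    # non-phishing-resistant factor (SMS included) gets the admin finding
    # rather than the generic SMS one.
    for u in acct.users:
        if not u.federated:
            add("not_federated", "high" if u.admin else "medium", u.name,
                "local password instead of IdP federation")
        if u.mfa is None:
            add("mfa_missing", "high", u.name, "no second factor enrolled")
        elif u.admin and u.mfa not in PHISHING_RESISTANT:
            add("admin_not_phishing_resistant", "high", u.name,
                f"admin second factor is {u.mfa}, need passkey/WebAuthn")
        elif u.mfa in WEAK_MFA:
            add("mfa_sms_only", "medium", u.name, "SMS is the only second factor")
    return findings


def policy_drift(accounts: List[Account]) -> List[Dict]:
    """Flag non-CDE accounts whose password policy is weaker than the CDE
    baseline: adversaries pivot through the weaker environment."""
    cde = [a for a in accounts if a.in_cde]
    if not cde:
        return []
    base_len = min(a.min_password_length for a in cde)
    base_cx = all(a.require_complexity for a in cde)
    drift = []
    for a in accounts:
        if a.in_cde:
            continue
        if a.min_password_length < base_len or (base_cx and not a.require_complexity):
            drift.append({"account": a.name, "check": "policy_drift",
                          "severity": "medium", "subject": "policy",
                          "detail": f"weaker than CDE baseline "
                                    f"({base_len} chars, complexity={base_cx})"})
    return drift


def audit(accounts: List[Account]) -> List[Dict]:
    """All findings across accounts, highest severity first."""
    out = [f for a in accounts for f in assess_account(a)] + policy_drift(accounts)
    rank = {"high": 0, "medium": 1}
    return sorted(out, key=lambda f: rank[f["severity"]])


# Constructed sample inventory, not real accounts.
SAMPLE = [
    Account("prod-cde", in_cde=True, min_password_length=14, require_complexity=True,
            users=[User("alice", admin=True, mfa="webauthn", federated=True),
                   User("bob", admin=False, mfa="totp", federated=True),
                   # local admin on SMS: the console from the scenario above
                   User("svc-deploy", admin=True, mfa="sms")]),
    Account("dev-sandbox", in_cde=False, min_password_length=8, require_complexity=False,
            users=[User("carol", admin=False, mfa=None)]),
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['severity']:6} {f['account']:12} {f['subject']:12} "
              f"{f['check']}: {f['detail']}")
```

Run as-is, it reports the local SMS-only admin in the CDE account, the missing factor and weak policy in the sandbox, and the sandbox's drift from the CDE baseline. To use it against real data, populate Account and User from your provider's password-policy and credential-report APIs and treat any factor label outside the two sets above as a decision you make deliberately.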
📈 Business Value
Strong authentication is among the highest-ROI single controls: it removes the initial-access step that credential stuffing, brute force and most phishing campaigns depend on, before any downstream detection has to fire.
⏱️ Effort Estimate
Universal MFA rollout effort
EchelonGraph audits MFA enforcement across cloud + SaaS
🔗 Cross-Framework References
Automate PCI DSS 8.4 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.
Start Free →