Multi Factor Authentication Enforced
@security/check-multi-factor-authentication-enforced
$ prime install @security/check-multi-factor-authentication-enforced Projection
Always in _index.xml · the agent never has to ask for this.
MultiFactorAuthenticationEnforced [check] v0.1.0
Loaded when retrieval picks the atom as adjacent / supporting.
MultiFactorAuthenticationEnforced [check] v0.1.0
Label
MFA required for privileged accounts and high-risk actions
Assertion
Administrative accounts, accounts with access to PII or financial data, and high-risk user actions (password change, MFA reset, payout, data export) require a second factor in addition to the password. The second factor is phishing-resistant where feasible (WebAuthn / passkeys / hardware token); SMS OTP is a fallback, not a primary.
Evidence
- Login flow requires the second factor for any account in a 'privileged' role; bypass paths (recovery email, SMS reset) themselves require MFA or are throttled and alerted.
- WebAuthn / FIDO2 supported as the preferred second factor for new enrolments.
- SMS-only MFA is flagged as legacy and migration is planned; voice-call MFA is disabled.
- MFA cannot be silently disabled by an attacker who controls the password — disabling MFA itself requires re-authentication with the existing second factor.
Failure Mode
An attacker who phishes or buys the password gains full account access. MFA-via-SMS specifically falls to SIM-swap and SS7 interception.
Loaded when retrieval picks the atom as a focal / direct hit.
MultiFactorAuthenticationEnforced [check] v0.1.0
Label
MFA required for privileged accounts and high-risk actions
Assertion
Administrative accounts, accounts with access to PII or financial data, and high-risk user actions (password change, MFA reset, payout, data export) require a second factor in addition to the password. The second factor is phishing-resistant where feasible (WebAuthn / passkeys / hardware token); SMS OTP is a fallback, not a primary.
Evidence
- Login flow requires the second factor for any account in a 'privileged' role; bypass paths (recovery email, SMS reset) themselves require MFA or are throttled and alerted.
- WebAuthn / FIDO2 supported as the preferred second factor for new enrolments.
- SMS-only MFA is flagged as legacy and migration is planned; voice-call MFA is disabled.
- MFA cannot be silently disabled by an attacker who controls the password — disabling MFA itself requires re-authentication with the existing second factor.
Failure Mode
An attacker who phishes or buys the password gains full account access. MFA-via-SMS specifically falls to SIM-swap and SS7 interception.
Rationale
Credential stuffing, phishing, and password reuse compromise single-factor accounts daily. A second factor makes the bulk of these attacks fail even when the password is known to the attacker.
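One way to encode the assertion above as a policy evaluator, written here as an added example that is not part of the atom or of the prime-system project; the role names, action names and factor names are assumptions chosen for the illustration:

```python
from dataclasses import dataclass, field
from enum import Enum

class Factor(Enum):
    PASSWORD = "password"
    WEBAUTHN = "webauthn"    # passkeys / hardware tokens: phishing-resistant
    TOTP = "totp"            # authenticator app
    SMS_OTP = "sms_otp"      # legacy fallback only
    VOICE_OTP = "voice_otp"  # disabled per the check

# Voice OTP is deliberately absent: it never satisfies the second-factor requirement.
ACCEPTED_SECOND = {Factor.WEBAUTHN, Factor.TOTP, Factor.SMS_OTP}
LEGACY_SECOND = {Factor.SMS_OTP}
# Assumed role and action names for this illustration.
PRIVILEGED_ROLES = {"admin", "finance", "pii_analyst"}
HIGH_RISK_ACTIONS = {"password_change", "mfa_reset", "mfa_disable", "payout", "data_export"}
MFA_SELF_SERVICE = {"mfa_reset", "mfa_disable"}

@dataclass
class Session:
    role: str
    verified: set                              # factors verified when the session was established
    reauth: set = field(default_factory=set)   # factors re-verified moments before this request

@dataclass
class Decision:
    allowed: bool
    reason: str
    warnings: list = field(default_factory=list)

def requires_mfa(role: str, action: str) -> bool:
    return role in PRIVILEGED_ROLES or action in HIGH_RISK_ACTIONS

def authorize(session: Session, action: str) -> Decision:
    if Factor.PASSWORD not in session.verified:
        return Decision(False, "password not verified")
    if not requires_mfa(session.role, action):
        return Decision(True, "single factor sufficient for this role and action")
    second = session.verified & ACCEPTED_SECOND
    if not second:
        return Decision(False, "second factor required")
    warnings = []
    if second <= LEGACY_SECOND:
        warnings.append("SMS-only second factor is legacy; prompt migration to WebAuthn")
    if action in MFA_SELF_SERVICE and not (session.reauth & ACCEPTED_SECOND):
        # A password-only attacker must not be able to turn MFA off or reset it.
        return Decision(False, "re-authentication with the existing second factor required", warnings)
    return Decision(True, "second factor satisfied", warnings)
```

The `warnings` list is where the legacy-SMS finding from the Evidence section surfaces, so a caller can both allow the action and record that the account still needs migration.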
Source
prime-system/examples/security-appsec/primes/compiled/@security/check-multi-factor-authentication-enforced/atom.yaml