1. Purpose
This policy requires multi-factor authentication for administrative and sensitive systems where supported, reducing the risk of unauthorized access caused by password compromise.
2. Scope
This policy applies to systems used to administer AFINCE, including hosting, databases, authentication providers, cloud consoles, code repositories, financial data provider dashboards, support tools, analytics, and production monitoring.
3. Requirements
- Administrative accounts must use MFA where supported.
- Privileged accounts should use app-based authenticators, hardware keys, passkeys, or platform MFA when available.
- SMS-based MFA should be avoided for privileged accounts when stronger options are available.
- Recovery codes and backup methods must be stored securely and limited to authorized personnel.
4. User Accounts
AFINCE may support user-facing MFA, passkeys, or provider-based authentication depending on platform capabilities. Users are encouraged to secure their email, devices, Apple/Google accounts, and financial institution accounts with strong authentication.
5. Recovery and Reset
MFA resets for administrative accounts require identity verification and administrator approval. Lost-device recovery should be logged where practical.
6. Exceptions
Temporary exceptions may be approved only when MFA is unavailable or operationally blocked. Exceptions should be documented, time-limited, and removed as soon as practical.
7. Review
MFA coverage should be reviewed when new systems are added, when access roles change, and during periodic access reviews.
