IA-2 (11) - Remote Access - Separate Device

Control requirements

IA-2 (11) - 0

The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets [IBM Assignment: FIPS 140-2 level 2 capable or above or equivalent].

Implementation guidance

See the resources that follow to learn more about how to implement this control.

• IBM Cloud account setup

NIST supplemental guidance

For remote access to privileged/non-privileged accounts, the purpose of requiring a device that is separate from the information system gaining access for one of the factors during multifactor authentication is to reduce the likelihood of compromising authentication credentials stored on the system. For example, adversaries deploying malicious code on organizational information systems can potentially compromise such credentials resident on the system and subsequently impersonate authorized users.