CMMCDocs.com


Multi-Factor Authentication for CMMC: Beyond SMS

Multi-factor authentication (MFA) is one of the most frequently discussed CMMC requirements, addressed primarily by IA.L2-3.5.3 (NIST SP 800-171 3.5.3): "Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts." The requirement text does not specify the type of second factor, so any MFA method satisfies the base requirement; the threat landscape demands more than the minimum.

MFA Factors Explained

Authentication factors fall into three categories: something you know (password, PIN), something you have (phone, security key, smart card), and something you are (fingerprint, face recognition). MFA requires at least two of these three categories, and the factors must be independent, so that compromising one does not hand the attacker the other. A password plus a PIN is NOT MFA: both are "something you know." A password plus a hardware token IS MFA. A PIN that unlocks a hardware key is a separate factor from the key itself, which is why a PIN-protected smart card or security key counts as two factors on its own.

Why SMS Is the Weakest Option

SMS-based one-time passwords (OTP) satisfy the CMMC requirement for MFA, but they are the weakest form. The code travels over the carrier network and is tied to a phone number rather than to a device the organization controls: it can be intercepted through SIM swapping, SS7 signaling attacks, or social engineering of mobile carrier staff, and like any typed code it can be relayed in real time by a phishing site. NIST SP 800-63B classifies out-of-band authentication over the public switched telephone network (SMS or voice) as RESTRICTED, which obliges the organization to assess that risk, warn users about it, and offer at least one alternative authenticator that is not restricted.

For defense contractors handling CUI, the risk of an adversary defeating SMS-based MFA is not theoretical. Nation-state actors have demonstrated the capability and willingness to target defense supply chain companies, and SIM swapping is well within their operational toolkit.

Better Alternatives

Authenticator apps (TOTP): Time-based one-time passwords (RFC 6238) generated by apps like Microsoft Authenticator, Google Authenticator, or Authy are significantly more secure than SMS. The code is computed on the device from a shared secret and the current time, so nothing transits the cellular network and there is no phone number to hijack. Two weaknesses remain. The shared secret also exists on the server, so the server-side seed store (and any cloud backup of the app) is a target. And the code is still something the user types: an adversary-in-the-middle phishing page can forward the password and the still-valid code to the real service within the 30-second validity window, plus whatever clock-drift tolerance the server allows.

Push notifications: Push-based MFA (Microsoft Authenticator push, Duo push) sends a prompt to the user's registered device, and the user approves or denies the sign-in. This is more usable than TOTP but vulnerable to MFA fatigue (push bombing): an attacker who already holds the password triggers prompts repeatedly until the user approves one to make them stop. Number matching, where the user must enter a number shown on the sign-in screen into the app, defeats blind approval. It does not defeat adversary-in-the-middle phishing: the proxied sign-in page shows the user the genuine number, the user enters it legitimately, and the attacker's session is the one approved.

FIDO2/WebAuthn (hardware security keys): FIDO2 security keys (YubiKey, Google Titan, Feitian) provide the strongest authentication in common use. They are phishing-resistant by design: the credential is bound to the site's domain (the relying party ID) at registration, the authenticator will not use it for any other domain, and the signed response includes the origin the browser actually loaded, so a lookalike site cannot obtain an assertion that the real service will accept. The private key never leaves the hardware, there is no code to type or relay, and nothing depends on a phone number. A key protected by a PIN or fingerprint is by itself a multi-factor cryptographic device in NIST SP 800-63B terms (something you have plus something you know or are). Platform authenticators such as Windows Hello for Business use the same protocol and gain the same phishing resistance; the roaming hardware key is the portable form.

Implementation Recommendations

For CMMC Level 2 compliance with genuine security value, implement FIDO2 security keys for all privileged accounts and as the primary MFA method for all users. Use authenticator app push with number matching as a secondary option where hardware keys are impractical. Disable SMS-based MFA entirely if possible. Enforce the method at the identity provider with a policy that rejects weaker authenticators for privileged roles rather than leaving the choice to users: any fallback method that remains enabled is the one an attacker will steer the victim toward. Disable legacy authentication protocols that do not support MFA at all, or the policy is bypassed before it applies.

Deploy keys in pairs: each user gets a primary and a backup key. Register both keys with every service at enrollment, since a backup that was never registered is useless when the primary is lost. Store the backup key in a secure location. Establish a lost-key replacement process that verifies identity before a new key is issued; help-desk resets are the step attackers target precisely because they bypass the key.

The cost of FIDO2 keys ranges from $25 to $70 per key. For an organization with 100 users, deploying paired keys costs $5,000-$14,000 — a small investment compared to the cost of an account compromise that exposes CUI.

Tags: MFA, Authentication, FIDO2, Phishing-Resistant
