Multi-Factor Authentication

Subjects who are issued Multi-Factor Authentication (MFA) tokens, whether software-based (such as Google Authenticator or Microsoft Authenticator) or hardware devices (like YubiKeys or FIDO2 devices), may retain access to systems if these tokens or devices are not deactivated upon their departure or role change.

When a subject leaves the organization or no longer needs access, failing to deactivate their MFA tokens allows them to continue authenticating to systems, potentially bypassing security controls. If a subject’s software-based MFA token remains active, they can still generate valid authentication codes unless the token is unlinked or deactivated. Similarly, if a subject retains a hardware security key, they can use it to authenticate to services as if they were still an active user.

In environments using federated authentication (e.g., SAML, OAuth), a subject’s MFA token can provide access to multiple interconnected services, allowing them to authenticate to systems they should no longer be able to access. This opens the possibility of unauthorized access even after the subject has left the organization.

To prevent this, organizations must promptly deactivate MFA tokens when subjects are removed from the network. Automating the deactivation process and regularly auditing active tokens will help close any gaps in access control. Additionally, securely managing backup MFA keys ensures that no unauthorized individual can reuse them.