SOC 2 Multi-Factor Authentication Enrollment Process

Learn how to perform SOC 2 Multi-Factor Authentication Enrollment under CC6.1 with step-by-step guidance and audit-ready evidence.

Overview

Multi-Factor Authentication Enrollment is the process of registering a user with an approved second authentication factor to strengthen account access security. It ensures that all users accessing company systems are protected in accordance with SOC 2 CC6.1 logical access requirements.

Step-by-Step Process

  1. Identify user requiring MFA

    The IT Manager identifies a new or existing user who requires MFA based on onboarding, role change, or access review results. The output is a confirmed user account that must be enrolled in MFA before access is granted or continued.

    Role: IT Manager

  2. Verify user identity

    The IT Manager or delegated IT staff verifies the user’s identity using the company’s standard identity verification method (e.g., HR onboarding record or internal ticket). The output is documented confirmation that the correct individual is being enrolled.

    Role: IT Manager

  3. Enable MFA requirement on account

    The IT Manager configures the user account to require MFA in the identity provider or authentication tool. The output is an account setting that enforces MFA at next login.

    Role: IT Manager

  4. Guide user through MFA setup

    The IT Manager provides instructions to the user to enroll an approved MFA method such as a mobile app or hardware token. The output is a successfully registered MFA factor linked to the user account.

    Role: IT Manager

  5. Confirm successful enrollment

    The IT Manager confirms that the user can authenticate using both primary credentials and the MFA factor. The output is verification that MFA is functioning as intended.

    Role: IT Manager

  6. Retain enrollment evidence

    The IT Manager captures and stores evidence of MFA enrollment in the compliance or ticketing system. The output is retrievable documentation to support SOC 2 audit requests.

    Role: IT Manager

What You Need Before Starting

  • Approved user account in identity system
  • Access to MFA administration console (Okta, Duo, or equivalent)
  • User contact information or onboarding ticket
  • Company MFA policy or access control standard

Evidence Your Auditor Expects

  • Timestamped screenshot showing MFA enabled on the user account
  • System log export showing MFA enrollment event with user ID and date
  • Completed IT service ticket approving MFA enrollment with close date
  • Screenshot of MFA factor list showing registered device and enrollment date

How This Looks In Your Tools

Okta

Log in to the Okta Admin Console and navigate to Directory > People, then select the user to be enrolled. Under the “Security Methods” or “Factors” section, verify that MFA is required by policy and click “Reset Factors” if re-enrollment is needed.

Instruct the user to sign in to their Okta dashboard. The user will be prompted to enroll a factor such as Okta Verify by scanning the QR code. Confirm enrollment by refreshing the user profile and verifying the factor status shows as “Active” with a timestamp.

Duo

Log in to the Duo Admin Panel and go to Users, then select the relevant user or create the user if not present. Confirm that the user is assigned to a policy that enforces MFA.

Click “Add Device” and select the device type (e.g., Mobile Phone). Have the user complete activation via the Duo Mobile app. Verify enrollment by checking the device status and last authentication date in the user record.

Google Authenticator

Access the admin console or application where Google Authenticator is used (e.g., Google Workspace Admin > Security > Authentication). Enable 2-Step Verification for the user if it is not already enforced.

Have the user log in and scan the provided QR code using the Google Authenticator app. Confirm successful setup by validating that the user can generate time-based one-time passwords and that the enrollment date is visible in the admin view or audit logs.

Common Audit Findings

MFA not enabled for all users
This occurs when MFA is not enforced through global or group-based policies. Prevent it by applying mandatory MFA policies to all user groups and reviewing enforcement during onboarding.
Missing evidence of MFA enrollment
Auditors often find that MFA is enabled but not documented. Prevent this by capturing screenshots and logs immediately after enrollment and storing them in a centralized compliance repository.
Shared or generic MFA devices
Using shared devices weakens individual accountability. Prevent this by enforcing one-to-one assignment between users and MFA devices.
MFA bypass settings enabled
Temporary bypasses are sometimes left active indefinitely. Prevent this by setting expiration dates on bypasses and reviewing them regularly.
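As an added example (not part of this process page or of any vendor's tooling), the following Python check runs the four findings above over a constructed identity-provider user/factor export. The record layout, field names and sample users are assumptions for illustration, not any real export format.

```python
from datetime import date
# Constructed sample export (not real Okta/Duo/Google data): one record per user.
# "factors" are enrolled MFA devices; "bypass" is None or {"expires": ISO date or None}.
TODAY = date(2024, 6, 1)
SAMPLE_EXPORT = [
    {"user": "alice", "mfa_required": True, "bypass": None,
     "factors": [{"device": "phone-1001", "enrolled": "2024-05-02"}]},
    {"user": "bob", "mfa_required": False, "bypass": None, "factors": []},
    {"user": "carol", "mfa_required": True, "bypass": None,
     "factors": [{"device": "phone-1001", "enrolled": "2024-05-03"}]},
    {"user": "dave", "mfa_required": True, "bypass": {"expires": "2024-04-01"}, "factors": []},
    {"user": "erin", "mfa_required": True, "bypass": None,
     "factors": [{"device": "yubikey-7", "enrolled": "2024-01-15"}]},
    {"user": "frank", "mfa_required": True, "bypass": {"expires": None},
     "factors": [{"device": "phone-2002"}]},
]

def audit_mfa_export(records, today):
    """Return sorted (user, finding) pairs for the four audit findings listed above."""
    findings = []
    device_owners = {}
    for rec in records:
        user = rec["user"]
        # Finding 1: MFA not enforced on the account, or enforced but no factor ever enrolled.
        if not rec["mfa_required"]:
            findings.append((user, "mfa_not_enforced"))
        if not rec["factors"]:
            findings.append((user, "no_enrolled_factor"))
        for factor in rec["factors"]:
            # Finding 2: a registered factor with no enrollment date cannot be evidenced.
            if not factor.get("enrolled"):
                findings.append((user, "missing_enrollment_date"))
            device_owners.setdefault(factor["device"], set()).add(user)
        # Finding 4: bypass with no expiry, or whose expiry has passed but is still active.
        bypass = rec.get("bypass")
        if bypass is not None:
            if bypass["expires"] is None:
                findings.append((user, "bypass_without_expiry"))
            elif date.fromisoformat(bypass["expires"]) < today:
                findings.append((user, "expired_bypass_still_active"))
    # Finding 3: the same device registered to more than one user (no one-to-one assignment).
    for device, owners in device_owners.items():
        if len(owners) > 1:
            findings.extend((owner, f"shared_device:{device}") for owner in sorted(owners))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in audit_mfa_export(SAMPLE_EXPORT, TODAY):
        print(f"{user:6} {finding}")
```

A fully compliant record such as erin's produces no findings, which is the state the enrollment evidence should reflect for every user.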

Key Roles

IT Manager