SOC 2 CC6.6: Multi-Factor Authentication Explained

Require multi-factor authentication for access to systems and data that support the entity's objectives, enforced organization-wide, not only for privileged users.

OFFICIAL REFERENCE (PARAPHRASED)

The entity implements logical access security measures to protect against unauthorized access, including multi-factor authentication where appropriate. (AICPA TSC CC6.6)

Last reviewed: June 2026. Not legal or audit advice.

WHAT EVIDENCE SATISFIES THIS

  • Identity provider screenshot showing MFA enforced for all users
  • MFA enrollment report with dates
  • Authentication policy requiring MFA
  • Exception register for any approved MFA exemptions

Cross-framework overlap

This control requirement also appears in:
