MFA01 MFA Not Enforced
What this means
SiteShadow flagged flows where MFA is missing, optional, or can be bypassed for accounts/actions that should require it (admin actions, billing, API key management).
Why it matters
- Account takeover becomes easier (especially with password reuse and phishing).
- Admin compromise is catastrophic: role changes, data exports, API key minting.
- MFA is often the difference between a failed attack and a breach.
Safer examples
1) Require MFA for admins and high-risk actions
Examples: billing changes, payouts, role changes, API key creation, SSO changes.
2) Use step-up authentication
Even if a user is already logged in, require a fresh MFA check before sensitive operations.
3) Make recovery safe
Use recovery codes, secure device enrollment, and strong support verification to avoid MFA bypass via support.
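The policy from items 1 and 2 as one authorization check, written here as an added illustration rather than SiteShadow's own code: admins must have completed MFA in the session, high-risk actions additionally require a recent (step-up) MFA verification, and accounts without MFA enrolled are sent to enrollment instead of being let through. The action names, the five-minute window and the `Session` shape are constructed assumptions.

```python
import time
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Constructed policy values (assumptions, not SiteShadow configuration).
HIGH_RISK_ACTIONS = {"billing.change", "payout.create", "role.change",
                     "apikey.create", "sso.change"}
STEP_UP_WINDOW_SECONDS = 300  # MFA must be re-verified within 5 minutes for high-risk actions


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"          # logged in, but must re-verify MFA before proceeding
    ENROLL_MFA = "enroll_mfa"    # account has no MFA factor and the action/role requires one


@dataclass
class Session:
    user_id: str
    is_admin: bool
    mfa_enrolled: bool
    mfa_verified_at: Optional[float]  # epoch seconds of the last MFA check, None if never


def authorize(session: Session, action: str, now: Optional[float] = None) -> Decision:
    """Decide whether `action` may proceed for `session` under the MFA policy."""
    now = time.time() if now is None else now
    high_risk = action in HIGH_RISK_ACTIONS
    # Ordinary users performing ordinary actions are not gated on MFA.
    if not (session.is_admin or high_risk):
        return Decision.ALLOW
    # "Optional" MFA is not acceptable for admins or high-risk actions: enroll first.
    if not session.mfa_enrolled:
        return Decision.ENROLL_MFA
    # An admin session that never completed MFA must do so before anything else.
    if session.mfa_verified_at is None:
        return Decision.STEP_UP
    # Step-up: a password-only session age is irrelevant; the MFA check itself must be fresh.
    if high_risk and now - session.mfa_verified_at > STEP_UP_WINDOW_SECONDS:
        return Decision.STEP_UP
    return Decision.ALLOW
```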
How SiteShadow detects it (high level)
- Looks for sensitive/admin flows without an MFA requirement check nearby.
- Flags configuration patterns that explicitly disable MFA or mark it optional.
References
- OWASP Top 10: https://owasp.org/Top10/
---