CDP 35948458: Require Multi-Factor Authentication #14

Closed
opened 2026-04-16 08:16:46 +02:00 by Hartmut · 2 comments
Owner

CDP Control ID: 35948458
Category: Secure Application Development
Frequency: Annually
Owner: h.noerenberg
Parent: #1

Requirement & Guidance

Secure Application Development Requirement: All authentication to applications/platforms designed, developed and/or maintained by Accenture or Accenture's subcontractors must have multi-factor authentication (MFA) enabled. Attachments Required (as applicable): Screenshot verifying login through MFA (screenshot of the application access page, or VPN, VDI, Citrix, RDP, etc., and SSO showing the MFA solution in place). Guidance: Multi-factor authentication indicates multiple forms of identifying oneself to the application, from the list of three possible factors: what you know (username + passwords); what you have (tokens, smart cards); what you are (fingerprints, retina scans). Additional information can be found on the CDP website under User Access Management and in the Identification and Authentication Standard and the Remote Console Access Security Standard.

Hartmut added the cdpsecurity labels 2026-04-16 08:16:46 +02:00
Author
Owner

CapaKraken Action Plan — 35948458 Multi-Factor Authentication

Scope: MFA for all authentication flows (VPN, VDI, Citrix, RDP, app login, SSO).

Current status:

  • docs/acn-security-compliance-status.md 3.2.2.2.01 OK — TOTP via otpauth, QR setup, sign-in integration

Todos:

  • Enforce MFA for ALL users (not only admins)
    • SystemSetting mfaRequired: true as the default
    • First login: MFA setup before dashboard access
  • Implement backup codes (if not already present)
  • Evidence: screenshot of the MFA enforcement + admin report "% of users with MFA"

Files:

  • apps/web/src/app/(auth)/signin/*, packages/api/src/router/auth/mfa.ts
Author
Owner

CapaKraken Compliance Status

EAPPS mapping: 3.2.2.2.01
Status: OK (per docs/acn-security-compliance-status.md)

Summary

TOTP-based MFA is implemented (RFC 6238 via otpauth), with a QR setup flow and sign-in integration.

Evidence

  • MFA setup component — apps/web/src/components/security/MfaSetup.tsx
  • MFA tests — packages/api/src/__tests__/user-self-service-mfa.test.ts
  • Auth integration — apps/web/src/server/auth.ts
  • Compliance doc: EAPPS 3.2.2.2.01 = OK

Note (open residual item — to be tracked separately)

MFA is currently optional per user. For admin/privileged roles, enforcement is advisable per detail checklist #31 (check: Multi factor authentication at least on sensitive transactions pages and for admin access) → track as a follow-up in #31.

Decision: the control is demonstrably fulfilled → ticket is closed.
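The two comments above describe the pieces this control rests on: an RFC 6238 TOTP check (the action plan's otpauth integration), backup codes, and a post-login gate that sends un-enrolled users to MFA setup when mfaRequired is on or the user is an admin. The block below is an added, self-contained example of those pieces; it is not CapaKraken's code and is not the otpauth library. It assumes otpauth's defaults (HMAC-SHA1, 6 digits, 30 s steps), and the SystemSettings shape, the User fields, the "/mfa/setup" and "/dashboard" routes and the hex backup-code format are all hypothetical names chosen for illustration. The only non-constructed input is the RFC 6238 Appendix B test secret, which is public.

```typescript
import { createHash, createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// --- RFC 6238 TOTP over HMAC-SHA1, 6 digits, 30 s steps (otpauth's defaults) ---

const B32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
const STEP_SECONDS = 30;

// Public test vector from RFC 6238 Appendix B: the ASCII key "12345678901234567890".
export const RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ";

// Decode an RFC 4648 base32 secret (the format carried in otpauth:// QR URIs).
export function base32Decode(s: string): Buffer {
  const out: number[] = [];
  let bits = 0;
  let acc = 0;
  for (const ch of s.toUpperCase().replace(/=+$/, "")) {
    const v = B32_ALPHABET.indexOf(ch);
    if (v < 0) throw new Error(`invalid base32 character: ${ch}`);
    acc = (acc << 5) | v;
    bits += 5;
    if (bits >= 8) {
      out.push((acc >>> (bits - 8)) & 0xff);
      bits -= 8;
      acc &= (1 << bits) - 1;
    }
  }
  return Buffer.from(out);
}

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
export function hotp(secret: Buffer, counter: number, digits = 6): string {
  const msg = Buffer.alloc(8);
  msg.writeUInt32BE(Math.floor(counter / 0x100000000), 0);
  msg.writeUInt32BE(counter >>> 0, 4);
  const mac = createHmac("sha1", secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const bin =
    ((mac[offset] & 0x7f) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3];
  return String(bin % 10 ** digits).padStart(digits, "0");
}

export function totp(secretB32: string, unixSeconds: number): string {
  return hotp(base32Decode(secretB32), Math.floor(unixSeconds / STEP_SECONDS));
}

// Returns the matched time step, or null. Accepts +/- `window` steps of clock drift, compares
// in constant time, and rejects any step <= lastUsedStep so a code that was already accepted
// (e.g. phished and replayed inside the same 30 s) cannot be used twice. Persist the returned
// step as the user's lastUsedStep.
export function verifyTotp(
  secretB32: string,
  code: string,
  unixSeconds: number,
  window = 1,
  lastUsedStep = -1,
): number | null {
  if (!/^\d{6}$/.test(code)) return null;
  const secret = base32Decode(secretB32);
  const now = Math.floor(unixSeconds / STEP_SECONDS);
  for (let step = now - window; step <= now + window; step++) {
    if (step <= lastUsedStep) continue;
    const expected = hotp(secret, step);
    if (timingSafeEqual(Buffer.from(expected), Buffer.from(code))) return step;
  }
  return null;
}

// --- Backup codes: only SHA-256 hashes are stored; each code is single-use ---

function hashBackupCode(code: string): string {
  return createHash("sha256").update(code.replace(/-/g, "").toLowerCase()).digest("hex");
}

export function generateBackupCodes(count = 10): { plain: string[]; hashes: string[] } {
  const plain = Array.from({ length: count }, () => randomBytes(5).toString("hex")); // 40-bit codes
  return { plain, hashes: plain.map(hashBackupCode) };
}

// Returns the stored hashes with the consumed one removed, or null if nothing matched.
export function consumeBackupCode(storedHashes: string[], candidate: string): string[] | null {
  const h = Buffer.from(hashBackupCode(candidate), "hex");
  const idx = storedHashes.findIndex((s) => timingSafeEqual(Buffer.from(s, "hex"), h));
  return idx < 0 ? null : storedHashes.filter((_, i) => i !== idx);
}

// --- Enforcement: where to send a user right after password login (names are assumptions) ---

export interface User { email: string; role: "admin" | "user"; mfaEnrolled: boolean }
export interface SystemSettings { mfaRequired: boolean }
export const DEFAULT_SETTINGS: SystemSettings = { mfaRequired: true }; // enforced for all by default

export function postLoginRoute(user: User, settings: SystemSettings = DEFAULT_SETTINGS): "/dashboard" | "/mfa/setup" {
  // Admins are always gated; everyone else whenever the (default-on) setting is enabled.
  const mustEnroll = (user.role === "admin" || settings.mfaRequired) && !user.mfaEnrolled;
  return mustEnroll ? "/mfa/setup" : "/dashboard";
}

// Figure for the "% of users with MFA" evidence report.
export function mfaCoveragePercent(users: User[]): number {
  if (users.length === 0) return 0;
  return Math.round((100 * users.filter((u) => u.mfaEnrolled).length) / users.length);
}
```

Two details matter for the evidence screenshot: the gate must run on every authenticated request (not only on the sign-in page), otherwise a user can deep-link past "/mfa/setup"; and verifyTotp's lastUsedStep must be written back atomically with the session creation, or the replay check does nothing under concurrent logins.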
Reference: Hartmut/CapaKraken#14