Two-Factor Authentication Grace Period Should Not Be Longer Than One Week
policy name: group_allows_excessive_mfa_grace_period
severity: MEDIUM
Description
New members added to your group are allowed longer than a week to enable MFA. The time frame should be lowered to one week or less.
Threat Example(s)
Any new group member effectively acts as an attack surface until two-factor authentication is enabled. The risk is compounded because new members may be more vulnerable to phishing and identity theft attacks.
Remediation
- Go to the group page
- Press Settings -> General
- Expand “Permissions and group features”
- In the box titled: “Delay 2FA enforcement (hours)”, enter a number under 168 (preferably 0)
- Press “Save Changes”
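
To check the same setting across many groups, the following added example (not part of the original policy page or the tool's own code) audits group settings against the one-week limit. It assumes GitLab groups exported as JSON from the Groups API, with the fields `require_two_factor_authentication` and `two_factor_grace_period` (hours); the sample groups, function names and issue labels are constructed for illustration.

```python
import json

MAX_GRACE_HOURS = 168  # one week, the limit this policy enforces

# Constructed sample: trimmed group objects in the shape assumed for the
# GitLab Groups API (GET /groups/:id). IDs and paths are made up.
SAMPLE_GROUPS = json.loads("""
[
  {"id": 101, "full_path": "example/platform",
   "require_two_factor_authentication": true, "two_factor_grace_period": 0},
  {"id": 102, "full_path": "example/contractors",
   "require_two_factor_authentication": true, "two_factor_grace_period": 720},
  {"id": 103, "full_path": "example/sandbox",
   "require_two_factor_authentication": false, "two_factor_grace_period": 48},
  {"id": 104, "full_path": "example/legacy",
   "require_two_factor_authentication": true}
]
""")

def audit_group(group, max_hours=MAX_GRACE_HOURS):
    """Return a finding dict for a group that needs attention, or None."""
    path = group.get("full_path", str(group.get("id")))
    if not group.get("require_two_factor_authentication", False):
        # The grace period only applies once 2FA is enforced. This policy does
        # not cover that case, so it is reported under a separate label.
        return {"group": path, "issue": "2fa_not_enforced", "hours": None}
    hours = group.get("two_factor_grace_period")
    if not isinstance(hours, int) or isinstance(hours, bool):
        # Field missing or malformed: compliance cannot be shown, flag for review.
        return {"group": path, "issue": "grace_period_unknown", "hours": None}
    if hours > max_hours:
        return {"group": path, "issue": "grace_period_too_long", "hours": hours}
    return None

def audit_groups(groups, max_hours=MAX_GRACE_HOURS):
    """Audit every group and keep only the findings."""
    findings = [audit_group(g, max_hours) for g in groups]
    return [f for f in findings if f is not None]

if __name__ == "__main__":
    for f in audit_groups(SAMPLE_GROUPS):
        print(f"{f['group']}: {f['issue']} (hours={f['hours']})")
```

Passing a lower `max_hours` (for example 0) checks groups against the stricter value the remediation steps prefer.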