FAQs: Passwords and MFA: policies, authenticators, and enforcement

This article brings together common customer questions and practical answers based on typical Secureframe workflows, compliance situations and unique tech stacks.

It is meant as quick reference material for day-to-day use of the product.

MFA and second factors

Does MFA have to be applied at both the network and system/application levels?

  • No, it does not have to be applied at both levels.

I lost access to my MFA device. How can I log in?

  • If you’ve lost access to your MFA device, please contact Secureframe Support at support@secureframe.com. Our team can quickly help you reset your MFA so you can regain access to your account.

    If you are already on Live Chat simply ask to "speak with an agent" or "transfer to human" to get your MFA reset by one of our live agents after verification.

I need to change my MFA authenticator app, and can't find a setting to get a new key. How can I change my Multi-Factor Authentication (MFA) application?

  • Our Customer Support team can easily assist.

    You can email support@secureframe.com or ask to "speak with an agent" and a live rep will assist after verification.

Is MFA recommended for all remote access to the entity’s networks?

  • Yes, MFA is recommended for all remote access to the entity’s networks.

Is multi-factor authentication a hard requirement?

  • Yes, MFA is a hard requirement and a best practice for ensuring secure access to systems.

Is using one factor twice considered multi-factor authentication?

  • No, using one factor twice (for example, using two separate passwords) is not considered multi-factor authentication.

To whom does the requirement for MFA for non-console administrative access apply?

  • It applies to all personnel with elevated or increased privileges accessing the CDE via a non-console connection.

To whom does the requirement for MFA for remote access originating from outside the entity’s network apply?

  • It applies to all user accounts that can access the network remotely, where that remote access leads to or could lead to access into the CDE.

What are the requirements for MFA system implementation?

  • The MFA system must not be susceptible to replay attacks, must not be bypassable by any user, must use at least two different types of authentication factors, and must require success of all authentication factors before access is granted.

What does multi-factor authentication (MFA) require?

  • Multi-factor authentication (MFA) requires an individual to present a minimum of two of the three authentication factors specified in Requirement 8.3.1 before access is granted.

What is the deadline for implementing MFA as a requirement and not just a best practice?

  • This requirement is a best practice until 31 March 2025, after which it will be required.

What is the purpose of configuring MFA systems to prevent misuse?

  • Poorly configured MFA systems can be bypassed by attackers.

What is the purpose of multi-factor authentication (MFA)?

  • Requiring more than one type of authentication factor reduces the probability that an attacker can gain access to a system by masquerading as a legitimate user.

What should happen with requests to bypass MFA?

  • Any requests to bypass MFA are specifically documented and authorized by management on an exception basis, for a limited time period.
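The rules in the answers above (two distinct factor types, so the same factor twice is not MFA; success of every presented factor; no replay of one-time values; bypass only under a documented, time-limited exception) expressed as a small policy check. This is an added illustration, not Secureframe's own code; the ticket reference and OTP nonce values are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Factor categories named in PCI DSS Requirement 8.3.1.
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"

@dataclass
class FactorResult:
    factor_type: str             # KNOWLEDGE, POSSESSION or INHERENCE
    succeeded: bool              # did this individual factor verify?
    nonce: Optional[str] = None  # one-time value (OTP code, challenge) for replay detection

@dataclass
class BypassException:
    ticket: str        # management authorization reference (constructed placeholder)
    expires_at: float  # epoch seconds; bypass exceptions must be time-limited

@dataclass
class MfaPolicy:
    seen_nonces: Set[str] = field(default_factory=set)

    def evaluate(self, results: List[FactorResult], now: float,
                 bypass: Optional[BypassException] = None) -> Tuple[bool, str]:
        """Return (granted, reason) for one login attempt."""
        # A documented, still-valid exception is the only way around MFA;
        # an expired one is ignored and the full check runs.
        if bypass is not None and now < bypass.expires_at:
            return True, f"bypass authorized under {bypass.ticket}"
        # Two of the three factor types: the same type twice is not MFA.
        if len({r.factor_type for r in results}) < 2:
            return False, "fewer than two distinct factor types"
        # Success of every presented factor is required before access.
        if not all(r.succeeded for r in results):
            return False, "not all factors succeeded"
        # Reject one-time values that have already been consumed (replay).
        for r in results:
            if r.nonce is not None:
                if r.nonce in self.seen_nonces:
                    return False, "replayed one-time value"
                self.seen_nonces.add(r.nonce)
        return True, "granted"
```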

What types of system components do the MFA requirements apply to?

  • The MFA requirements apply for all types of system components, including cloud, hosted systems, and on-premises applications, network security devices, workstations, servers, and endpoints.

Where can I find more information about MFA systems and features?

  • Refer to PCI SSC’s Information Supplement: Multi-Factor Authentication and PCI SSC’s () on this .

Why is the “Multi-factor authentication for cloud service providers” test classified as an integration test if MFA information cannot be automatically pulled?

  • This MFA test is categorized as an integration test because MFA status can potentially be pulled automatically through SSO integrations such as Google Workspace, Azure AD, or Okta.

    However, not every cloud service provider integration supports this level of data retrieval today. For this test, the platform shows results when MFA information is available from a linked SSO provider, and otherwise relies on manual evidence upload.

Additional customer questions

Gusto doesn't enforce password complexity requirements. What should we do?

  • If Gusto’s settings meet the MFA/SSO requirements and password requirements, you can use them. If the auditor questions this, explain that you cannot configure them further. Vendor documentation, or a statement from Gusto support confirming that password settings cannot be configured, would also serve as evidence.
