Use multi-factor authentication for local and network access to privileged accounts and for network access to nonprivileged accounts.

The traditional authentication uses a single factor, typically a password. Multifactor authentication requires that a second factor also be used. Examples includes a PIN from a mobile or bio metric fingerprint. Multifactor authentication significantly reduces the likely hood of an attacker being able to gain access to your accounts. You need to protect accounts accessed over the network with Multifactor authentication. Network Access means access to a system by a user communicating through a network (e.g., local area network, wide area network, internet). You need to protect privileged local accounts with MFA. Local access means access to a system by a use communicating through a direct connection without the use of a network. An example is the local admin account on laptop.

Implement a multi-factor authentication in your environment. If you use active directory sync it with your Multi-factor authentication (MFA) solution. Any logons occurring over a network need to be protected with MFA. Below are a few common examples: If users are logging into their workstations using their active directory account then setup MFA on the workstation. If employees use a local non-privileged account to log into their laptop then MFA is not required to protect the account however using MFA is always advised. If you have local admin accounts on your systems protect them with MFA. Protect all accounts used to access cloud services (e.g., Office 365) with MFA. Require MFA for remote VPN connections. Setup MFA for SSH connections.