Factor Strength Policies

Enterprise-grade MFA factor strength enforcement to address:

• Risk #10: Phishable factors (TOTP, SMS, email links, push approve)
• Risk #18: Weak factor combinations
• Risk #25: No phishing-resistant factor requirements

Features

• Factor Classification: Phishable vs phishing-resistant
• Risk-Based Selection: Require stronger factors for high-risk operations
• WebAuthn Enforcement: Mandatory for admins and sensitive operations
• Policy Engine: Per-tenant configurable policies
• Factor Strength Scoring: 0-100 scale
• User Warnings: Educate users about factor security
• Factor Promotion: Encourage WebAuthn adoption
• Compliance Tracking: NIST AAL alignment