OpenCloud - MFA / Keycloak

necrevistonnezr

Just installed the hidden package. There’s no MFA which makes this not „state of the art“ (in a legal sense) and hence not usable for production.

MFA is mandatory according to:
EU

NIS2 Directive: Mandates MFA for "essential" and "important" entities (energy, health, digital providers, etc.) to ensure supply chain security.
DORA (Digital Operational Resilience Act): Requires strict identity management and MFA for the financial sector and its cloud service providers.
GDPR (General Data Protection Regulation): Under Article 32 ("Security of processing"), MFA is considered the "state of the art" requirement for protecting personal data in the cloud.
PSD2/PSD3: Requires Strong Customer Authentication (SCA) for accessing banking interfaces and authorizing online payments.

USA

Executive Order 14028: Mandates MFA for all federal agencies and any software service providers (SaaS/Cloud) doing business with the US government.
FTC Safeguards Rule (GLBA): Explicitly requires MFA for any financial institution (including non-banks like mortgage brokers) to protect customer data.
HIPAA: While not naming "MFA" specifically in the original text, current HHS guidance treats MFA as a mandatory technical safeguard for protecting electronic Protected Health Information (ePHI).
NYDFS 23 NYCRR 500: A highly influential New York state regulation requiring MFA for anyone accessing internal networks or cloud-based applications containing non-public information.
SEC Cybersecurity Rule: Requires public companies to disclose their risk management strategy; lack of MFA is now frequently cited as a material deficiency.

Global Standards

PCI DSS 4.0: Mandatory MFA for all personnel with access to the Cardholder Data Environment (CDE).
SOC 2 Type II: While a framework rather than a law, MFA is a baseline requirement for the "Security" trust service criteria in cloud audits.

joseph

Guess it will have MFA when we get OIDC working with Cloudron as well.

Cloudron Forum