NIST SP 800-63B AAL2/AAL3 · CISA Phishing-Resistant MFA · FIDO Alliance · SOC2 CC6.1 · PCI-DSS Req 8.4 · Deep Prototype

MFAEnrollAudit — Per-User MFA Enrollment Audit

22 employees × MFA enrollment status across 8 systems (Okta, GitHub, AWS, Salesforce, GSuite, 1Password, Auth0 admin, Snowflake). Per user × system: factor type (FIDO2 / TOTP / SMS-fallback / none). Surfaces 4 users with SMS-only fallback + tracks FIDO2-coverage % across the org.


What it is

The matrix that surfaces the SMS-fallback problem. CISA’s “Phishing-Resistant MFA” guidance specifically deprecated SMS for high-trust use cases — but most orgs still have SMS as the recovery factor.

What’s in it

  • 22 employees × 8 systems = 176-cell matrix
  • Per cell: FIDO2 / TOTP / SMS-fallback / none
  • Per user: status classification (fido-strong / totp-only / sms-fallback / no-mfa)
  • Per-user recommendation: upgrade SMS to FIDO2; enroll missing systems
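The classification the list above describes, as an added example in vanilla JavaScript (this is illustrative code, not the tool's own renderer). It assumes one rule the page does not spell out: a user's status is the weakest factor found across all eight systems, ranked none < SMS-fallback < TOTP < FIDO2, so a single SMS cell makes the user sms-fallback and a single unenrolled system makes them no-mfa. The three-user matrix is constructed sample data, not the real 22-employee audit; FIDO2 coverage is computed as the share of user × system cells enrolled with FIDO2.

```javascript
// Added example: per-user MFA status classification and org-wide FIDO2
// coverage over a user x system enrollment matrix. Not the tool's own code.
// Assumption: a user's status is their weakest factor across all systems.

const SYSTEMS = [
  "Okta", "GitHub", "AWS", "Salesforce",
  "GSuite", "1Password", "Auth0 admin", "Snowflake",
];

// Factor strength, weakest first; the index doubles as the status bucket.
const FACTOR_RANK = { none: 0, sms: 1, totp: 2, fido2: 3 };
const STATUS_BY_RANK = ["no-mfa", "sms-fallback", "totp-only", "fido-strong"];

// Constructed sample data (three users, not the 22 from the real audit).
const SAMPLE_MATRIX = {
  alice: Object.fromEntries(SYSTEMS.map((s) => [s, "fido2"])),
  bob: {
    Okta: "fido2", GitHub: "totp", AWS: "sms", Salesforce: "totp",
    GSuite: "totp", "1Password": "totp", "Auth0 admin": "totp", Snowflake: "totp",
  },
  carol: {
    Okta: "totp", GitHub: "totp", AWS: "totp", Salesforce: "totp",
    GSuite: "totp", "1Password": "totp", "Auth0 admin": "totp",
    // Snowflake deliberately absent: not enrolled there at all.
  },
};

// Normalise one user's row so every system has a factor; a missing system
// is "none". Unknown factor strings are rejected rather than silently
// treated as strong, which is the failure mode an audit must not have.
function normaliseRow(row) {
  return SYSTEMS.map((system) => {
    const factor = row[system] ?? "none";
    if (!(factor in FACTOR_RANK)) {
      throw new Error(`unknown factor "${factor}" for ${system}`);
    }
    return { system, factor };
  });
}

// Weakest factor across all systems decides the user's status.
function classifyUser(row) {
  const cells = normaliseRow(row);
  const weakest = Math.min(...cells.map((c) => FACTOR_RANK[c.factor]));
  return STATUS_BY_RANK[weakest];
}

// Per-user recommendations: upgrade SMS to FIDO2; enroll missing systems.
function recommendationsFor(row) {
  return normaliseRow(row).flatMap(({ system, factor }) => {
    if (factor === "none") return [`enroll MFA on ${system}`];
    if (factor === "sms") return [`upgrade SMS to FIDO2 on ${system}`];
    return [];
  });
}

// FIDO2 coverage: percentage of user x system cells enrolled with FIDO2,
// rounded to one decimal place.
function fido2CoveragePercent(matrix) {
  const cells = Object.values(matrix).flatMap(normaliseRow);
  const fido = cells.filter((c) => c.factor === "fido2").length;
  return Math.round((1000 * fido) / cells.length) / 10;
}

// Full audit report: status and recommendations per user plus org coverage.
function auditMatrix(matrix) {
  const users = Object.fromEntries(
    Object.entries(matrix).map(([user, row]) => [
      user,
      { status: classifyUser(row), recommendations: recommendationsFor(row) },
    ]),
  );
  return { users, fido2CoveragePercent: fido2CoveragePercent(matrix) };
}

console.log(JSON.stringify(auditMatrix(SAMPLE_MATRIX), null, 2));
```

Run with `node` to print the report for the sample matrix: alice is fido-strong, bob is sms-fallback because of the single SMS cell on AWS, carol is no-mfa because Snowflake is unenrolled, and FIDO2 coverage is 9 of 24 cells. The weakest-factor rule is deliberately strict; an org that wants to report "mostly FIDO2" users separately would add a bucket rather than relax the rule, since the recovery factor is the one an attacker targets.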

Why this shape

NIST SP 800-63B AAL2 → AAL3 maps to TOTP → FIDO2. CISA’s Phishing-Resistant MFA bulletin (2022) deprecated SMS-OTP entirely for AAL2+. SOC2 CC6.1 + PCI-DSS Req 8.4 demand MFA on privileged access. The matrix view is what makes the gaps visible.

How it ships

Single HTML file, ~13KB. Zero dependencies. 22 × 8 matrix renderer + per-user drilldown in 100 lines of vanilla JavaScript.
