heygrc
Answer

How do I require MFA for privileged access (SOC 2)?

Restricting who can reach sensitive functions is what SOC 2 CC6.1 (logical access controls) is about, and for privileged actions a valid session is usually not enough on its own. Require a second factor at the point of the privileged action, fail closed if it is missing, and record the check, so that reaching an admin path takes more than a stolen or lingering session.

  1. Name the privileged paths

    Decide which actions count as privileged: administrative endpoints, role and permission changes, bulk data access or export, and changes to security settings. These are the paths where a single compromised session does the most damage, and the ones where a second factor earns its cost.

  2. Require the second factor at the action, fail closed

    Check for a satisfied second factor (or a recent step-up) before the privileged action runs, not only at initial login, and deny by default if it is absent rather than falling through to allow. The check should be on the server path that performs the action, so it cannot be skipped by calling the endpoint directly.

admin/roles.ts+1 -0
export async function setRole(session, target, role) {+  if (!session.mfaVerified) return deny("step-up required")  await db.roles.set(target, role)  return ok()}
heygrcSOC 2 CC6.1

The privileged role change now requires a verified second factor and denies by default without it, tightening the logical access control CC6.1 is about.