# Standards and References - MFA with Duo

## NIST Standards

- **NIST SP 800-63B**: Digital Identity Guidelines - Authentication and Lifecycle Management
  - AAL1: Single-factor authentication
  - AAL2: Multi-factor authentication (Duo Push, TOTP)
  - AAL3: Hardware-based phishing-resistant (FIDO2, PIV)
- **NIST SP 800-53 Rev 5**: IA-2, IA-2(1), IA-2(2), IA-2(6), IA-2(8), IA-3, IA-5

## Duo Documentation

- **Duo Authentication Proxy**: https://duo.com/docs/authproxy-reference
- **Duo for RDP**: https://duo.com/docs/rdp
- **Duo Unix (SSH)**: https://duo.com/docs/duounix
- **Duo Web SDK**: https://duo.com/docs/duoweb
- **Duo Verified Push**: https://duo.com/blog/webauthn-passwordless-fido2-explained-componens-passwordless-architecture
- **Duo Admin API**: https://duo.com/docs/adminapi

## CISA Guidance

- **CISA MFA Guidance**: Phishing-resistant MFA requirement for federal agencies
- **EO 14028**: Executive Order on Improving the Nation's Cybersecurity - MFA mandate

## Compliance

- **PCI DSS 4.0**: Requirement 8.3.1 - MFA for all access to the CDE
- **HIPAA**: 45 CFR 164.312(d) - Person or entity authentication
- **SOX**: MFA for privileged financial system access
- **CMMC**: Level 2 - IA.L2-3.5.3 Multi-factor authentication