Finducation™

Finducation - EZBudget™

Critical Systems Multi-Factor Authentication Policy

Phishing-resistant MFA for critical financial data systems and admin consoles.

Document ID: EZB-MFA-002
Version: 1.0
Effective Date: July 8, 2026
Last Review Date: July 8, 2026
MFA Class: Phishing-resistant
Owner: Deseo Developers LLC (Engineering/Security)

1. Policy Statement

EZBudget requires phishing-resistant multi-factor authentication (MFA) for access to critical systems that store or process consumer financial data, including production infrastructure, privileged administrative consoles, and backend services handling financial integration data.

Phishing-Resistant MFA Critical Systems Financial Data Processing

2. Critical Systems in Scope

System CategoryExamplesMFA Requirement
Data services Database platforms storing consumer budget and financial linkage metadata Phishing-resistant MFA required for privileged access
Application backend Serverless/API functions processing authenticated financial operations Privileged admin/deployment access protected by MFA
Infrastructure platforms Hosting, deployment, and environment administration consoles Phishing-resistant MFA required
Identity and secrets management Auth provider administration and secret/configuration management interfaces Phishing-resistant MFA required
Source control and CI/CD Repositories and deployment pipelines with production release authority Phishing-resistant MFA required for privileged roles

3. Approved MFA Methods

  • Passkeys / WebAuthn (platform authenticators and security keys)
  • Hardware OTP tokens and FIDO2 security keys
  • Biometric-backed device authentication for privileged administrative sessions where supported

SMS, email OTP, and knowledge-based challenge factors are not used as primary MFA for critical system access unless explicitly approved as temporary compensating controls with documented risk acceptance.

4. Access Enforcement

  • Privileged accounts must enroll in approved phishing-resistant MFA before production access is granted.
  • Shared accounts are prohibited for critical system administration.
  • Administrative sessions are limited to authorized personnel with role-based assignments.
  • Access events for privileged systems are subject to security review and incident investigation.

5. Operational Controls

  • MFA enrollment status is verified during access provisioning and periodic governance reviews.
  • Loss or compromise of MFA devices triggers immediate access suspension and re-enrollment.
  • Changes to identity provider MFA policy require security owner approval.

6. Due Diligence Mapping

Questionnaire AssertionPolicy Position
MFA in place for critical systems storing/processing consumer financial data Yes - Mandatory phishing-resistant MFA for privileged critical-system access
MFA type Yes - Phishing-resistant MFA (passkeys/WebAuthn, biometrics, hardware OTP)

7. Approval

This policy is approved for external partner due diligence responses, including Plaid security/governance questionnaires.

Approved By: Deseo Developers LLC - Authorized Representative

Date: July 8, 2026

Contact: contact@deseodevelopers.com