Finducation - EZBudget™
Critical Systems Multi-Factor Authentication Policy
Phishing-resistant MFA for critical financial data systems and admin consoles.
1. Policy Statement
EZBudget requires phishing-resistant multi-factor authentication (MFA) for access to critical systems that store or process consumer financial data, including production infrastructure, privileged administrative consoles, and backend services handling financial integration data.
Phishing-Resistant MFA Critical Systems Financial Data Processing
2. Critical Systems in Scope
| System Category | Examples | MFA Requirement |
|---|---|---|
| Data services | Database platforms storing consumer budget and financial linkage metadata | Phishing-resistant MFA required for privileged access |
| Application backend | Serverless/API functions processing authenticated financial operations | Privileged admin/deployment access protected by MFA |
| Infrastructure platforms | Hosting, deployment, and environment administration consoles | Phishing-resistant MFA required |
| Identity and secrets management | Auth provider administration and secret/configuration management interfaces | Phishing-resistant MFA required |
| Source control and CI/CD | Repositories and deployment pipelines with production release authority | Phishing-resistant MFA required for privileged roles |
3. Approved MFA Methods
- Passkeys / WebAuthn (platform authenticators and security keys)
- Hardware OTP tokens and FIDO2 security keys
- Biometric-backed device authentication for privileged administrative sessions where supported
SMS, email OTP, and knowledge-based challenge factors are not used as primary MFA for critical system access unless explicitly approved as temporary compensating controls with documented risk acceptance.
4. Access Enforcement
- Privileged accounts must enroll in approved phishing-resistant MFA before production access is granted.
- Shared accounts are prohibited for critical system administration.
- Administrative sessions are limited to authorized personnel with role-based assignments.
- Access events for privileged systems are subject to security review and incident investigation.
5. Operational Controls
- MFA enrollment status is verified during access provisioning and periodic governance reviews.
- Loss or compromise of MFA devices triggers immediate access suspension and re-enrollment.
- Changes to identity provider MFA policy require security owner approval.
6. Due Diligence Mapping
| Questionnaire Assertion | Policy Position |
|---|---|
| MFA in place for critical systems storing/processing consumer financial data | Yes - Mandatory phishing-resistant MFA for privileged critical-system access |
| MFA type | Yes - Phishing-resistant MFA (passkeys/WebAuthn, biometrics, hardware OTP) |
7. Approval
This policy is approved for external partner due diligence responses, including Plaid security/governance questionnaires.
Approved By: Deseo Developers LLC - Authorized Representative
Date: July 8, 2026
Contact: contact@deseodevelopers.com