Security check

MFA check: do you require two-factor, or just offer it?

Most account breaches start with a stolen password. MFA stops them — but only if it's enforced for everyone, not optional. We check whether your GitHub org and exposed services actually require two-factor.

Run a free domain scan All checks →
Relates to: SOC 2 · CC6.1 — authentication ISO 27001 · A.5.17 authentication information NIS2 · art. 21 — access control & MFA CIS · Controls v8 — 6.3/6.5

What we check

We check whether multi-factor authentication is enforced where it counts: in your GitHub org (the org setting requiring 2FA for all members), and whether exposed login and admin interfaces allow sign-in without a second factor.

Why it matters

The difference between 'MFA is possible' and 'MFA is required' decides whether a stolen password is enough for a breach. NIS2 explicitly calls out MFA, and SOC 2 CC6.1 often fails precisely because MFA isn't enforced across the whole organisation.

How Security Guru tests it

Common mistakes

  • MFA recommended but not enforced at org level
  • Individual service/machine accounts exempted 'temporarily'
  • SMS-based MFA that can be SIM-swapped instead of app/key
  • Outside collaborators invited without an MFA requirement

What you get in the report

  • MFA status: enforced or optional, per org/service
  • Accounts without MFA enabled
  • Exposed interfaces without a second factor
  • Mapping to SOC 2 CC6.1 / ISO A.5.17 / NIS2

FAQ

Do you only check GitHub?

No — we check the GitHub org's MFA enforcement and also look for exposed login/admin interfaces that allow sign-in without a second factor.

Is SMS MFA enough?

Better than nothing, but SMS can be bypassed via SIM swap. We recommend app- or hardware-based MFA for high-privilege accounts.

Do you change our settings?

No — we only read. You enable enforcement based on our report.

Want to know your status?

Run a free scan or order a full Security Assessment — prioritised, not noise.

Run a free domain scan