Most account breaches start with a stolen password. MFA stops them — but only if it's enforced for everyone, not optional. We check whether your GitHub org and exposed services actually require two-factor.
Run a free domain scan All checks →We check whether multi-factor authentication is enforced where it counts: in your GitHub org (the org setting requiring 2FA for all members), and whether exposed login and admin interfaces allow sign-in without a second factor.
The difference between 'MFA is possible' and 'MFA is required' decides whether a stolen password is enough for a breach. NIS2 explicitly calls out MFA, and SOC 2 CC6.1 often fails precisely because MFA isn't enforced across the whole organisation.
Do you only check GitHub?
No — we check the GitHub org's MFA enforcement and also look for exposed login/admin interfaces that allow sign-in without a second factor.
Is SMS MFA enough?
Better than nothing, but SMS can be bypassed via SIM swap. We recommend app- or hardware-based MFA for high-privilege accounts.
Do you change our settings?
No — we only read. You enable enforcement based on our report.
Run a free scan or order a full Security Assessment — prioritised, not noise.
Run a free domain scan