OWASP / www-project-proactive-controls

OWASP Foundation Web Respository

C1: Implement Access Control - MFA #28

Closed julienr78 closed 1 month ago

julienr78 commented 4 months ago

I would highly recommend a section on MFA based on CISA or equivalent requirements. Implementing Phishing-Resistant MFA will make sure that you are future-proof. OAUTH/FIDO2/OIDC support should be a security requirement for all software.

katyanton commented 4 months ago

C1 is about Authorization, while MFA is about verifying the identity (Authentication), which is C7. As part of C7, we introduce the different levels of assurance to verify the digital Identity and discuss why MFA should be considered from AA-Level2. Hope it makes sense.