Auth/SSO

AUTH-03

Device Trust & Zero Trust Enforcement

This control asks one thing: To what extent does access to workforce applications depend on the security posture and trust level of the device being used?

Low Maturity

What Failure Looks Like

The documented failure mode at level 0 (Absent) on the 0 to 4 maturity scale:

Malware on personal or compromised devices hijacks authenticated sessions. Data exfiltration occurs without triggering identity controls.

High Maturity

What Good Looks Like

The business value the methodology documents at level 4 (Optimized):

Delivers resilient security without degrading employee productivity.

Next Step

A Typical Next Move

For programs sitting around level 0 (Absent), the methodology recommends this as the next rational step:

Integrate the IdP with an endpoint management solution and require managed devices for high-risk applications.

What reaching level 2 (Developing) unlocks

Dynamic, risk-based access control

Evidence

Evidence Assessors Ask For

A sample of the artifacts an assessor expects to see around level 2 (Developing):

  • MDM-enrolled device requirement
  • Disk encryption and OS version checks
  • No real-time EDR signal integration

Breach Radar

Seen in Real Breaches

These teardowns of public incidents cite AUTH-03 as one of the controls that failed. Each one reconstructs the attack chain from public disclosures.

Compliance

Compliance Frameworks That Cite This Control

The bank's regulatory mapping for AUTH-03 resolves to 5 frameworks with a researched compliance threshold. Weakness here shows up in audits, not only in incidents.

Where Does Your Program Land on AUTH-03?

This page is the teaser layer. The full rubric behind AUTH-03 defines 5 scored maturity levels, 0 to 4, each with its own operating model, evidence expectations, and regulatory citations. That rubric is the scoring instrument, so it ships inside the assessment rather than on a marketing page. Running the assessment takes about 20 minutes and no signup is required to start.