Can possession of device certificate be considered a factor in MFA?
We have had a discussion in our organization about whether possession of a server-issued device certificate can be considered a factor in MFA.
The certificate asserts that only enrolled devices can access the service.
If e.g. the service requires logging in using a username/password from a device with a valid certificate, can this be considered 2FA? The first factor is username/password. The second factor is possession of the certificate.
My take is that it depends on the target. If the target is a cloud service, for example, then the attacker would be given the attack interface (e.g. web login form), and would require obtaining two things: username/password + certificate.
However, if the target is data that is on the device itself, then the attacker would be given the device with a login screen, and would require only one additional thing: username/password. Thus only one factor.
What are your takes on this?
Absolutely an enrolled/managed device with some sort of indicator that's passed to the Identity and Access Management (IAM) platform in addition to the username and password is an additional factor.
Per NIST, additional factors can be what you know, what you have, or what you are. The device with a certificate falls under what you have. https://www.nist.gov/itl/applied-cybersecurity/tig/back-basics-multi-factor-authentication
As for data stored on the device that is accessible via username and password only, then that is not protected via MFA. By definition, there is only one factor, the password, something you know. If your policy requires MFA to access sensitive data (and the data on the device is sensitive) then you need additional protection on the device (such as biometric).