Multi-Factor Authentication (MFA) Policy | Iron Amethyst Holdings LLC

1. Purpose

This policy establishes phishing-resistant MFA requirements for all critical systems that store or process consumer financial data.

2. Scope

All systems, platforms, cloud services, and third-party integrations that store, transmit, or process financial data, including Plaid API data.

3. MFA Requirement

Phishing-resistant MFA required for all accounts with access to critical systems. Methods in use:

Biometric authentication (Touch ID / Face ID on Apple hardware)
Passkeys (where supported)
Hardware security keys (FIDO2/WebAuthn) for high-privilege accounts

SMS-based and email-based authentication are NOT accepted for critical systems.

4. Covered Systems

Cloud services and infrastructure
Financial data platforms including Plaid
Email and identity provider accounts
Password manager and secrets management
Administrative and developer tooling with production access

5. Device Requirements

All devices must support and have enabled biometric authentication or hardware-based MFA. Devices without biometric capability require a hardware security key.

6. MFA Recovery

Recovery codes stored securely in encrypted password manager.
Restricted to Managing Member.
Rotated following any suspected exposure.

7. Exceptions

No exceptions for accounts with access to consumer financial data. Service accounts use scoped short-lived credentials subject to strict controls and rotation.

8. Policy Review

Reviewed annually.

Effective Date: April 1, 2026

← Back to Privacy Policy