Security / SEC-002
Security Standard

SEC-002 — Multi-Factor Authentication

Defines mandatory MFA requirements for identity, source code, domains, hosting, data, and billing platforms.

Document: SEC-002Type: StandardStatus: ApprovedOwner: Engineering OperationsVersion: 4.2.0Updated: 2026-07-17

Policy

Multi-factor authentication is mandatory for Tier 1 platforms that control identity, source code, domains, production hosting, customer data or billing.

Tier 1 Platforms

PlatformPrimary identityRequired controls
Google Workspaceadmin@cloudberrie.comMFA, recovery method, protected admin access
GitHubcb-engopsMFA, recovery codes, organization enforcement before inviting members
Cloudflareaccounts@cloudberrie.comAuthenticator or passkey plus stored recovery codes
Domain registrarBusiness-controlled loginMFA and registry lock where available
Firebase / Google CloudAuthorized company identityMFA and least-privilege access

Preferred Authentication Order

  1. Passkey or hardware security key, when supported.
  2. Authenticator application.
  3. Platform recovery codes stored in Apple Passwords and one controlled offline recovery copy.
  4. SMS only as a fallback when stronger methods are unavailable.

Validation