Compliance is based on the idea that if you are in compliance with a particular control (per NIST 800-53, say), then you have reduced the risk the control is meant to protect against *by default*. Compliance doesn't reduce all of the risk, but yes, it will reduce the risk profile to a degree depending on the control.

Multifactor, non-phishable credentials do reduce the risk of unauthorized login, absolutely. They reduce the risk of having a username and password that anyone can use if they know it. Give someone the PIN to your PIV or CAC card, and it's useless without the card. The risk then is that someone grabs your card and then beats you for the PIN, but that's a much less likely scenario. Sure, you can mitigate brute-force attempts at guessing passwords, and you can check things like the source IP of the client and make decisions about whether to allow the login or not.

The problem with compliance in my experience is that while it does reduce risk, when your mission must use or configure equipment that doesn't or can't use that control for some reason, the IT powers that be (esp. in government) demand you comply anyway, or else, even if you have mitigated that particular risk with compensating controls. That's when 'checkbox compliance' becomes a real threat to mission success.
Taken literally: no.

Security is a cat-and-mouse game, while compliance checklists were defined years or decades ago. Some of the things in such checklists will be helpful for security, but not all. Still, whether or not most are helpful will depend on various factors, e.g., the threat model.