Try IS_AUTHENTICATED_FULLY
:
<intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
You can do the same thing using SpEL expression:
<http auto-config="true" use-expressions="true">
...
<intercept-url pattern="/**" access="isAuthenticated()" />
...
</http>
All available expressions are listed here. In general SpEL expressions are more flexible.