E8-MF-ML1.1 (ASD Essential Eight)

Require multi-factor authentication for sensitive online services

Ensure users use multiple ways to verify their identity when accessing sensitive company data online.

Plain language

This control means using more than just a password to access sensitive online systems, like those that store company data. It's important because if someone steals a password, they could access valuable information. Multi-factor authentication makes it much harder for unauthorised people to get in.

Framework: ASD Essential Eight
Control effect: Preventative
E8 mitigation strategy: Multi-factor authentication
Classifications: N/A
Official last update: N/A
Control Stack last updated: 19 Mar 2026
E8 maturity levels: ML1

Official control statement

Multi-factor authentication is used to authenticate users to their organisation’s online services that process, store or communicate their organisation’s sensitive data.

Why it matters

Without MFA, a compromised password can allow unauthorised access to sensitive online services, leading to exposure of sensitive data and potential financial loss.

Operational notes

Enforce MFA on all online services handling sensitive data, require phishing-resistant methods where possible, and review enrolment/coverage regularly (including admins and remote access).

Implementation tips

  • IT team should ensure that all sensitive online services require multi-factor authentication by configuring settings that require a second form of identification like a text message code.
  • System administrator should regularly update the authentication methods to include the most secure options available by checking for updates from service providers and applying them.
  • Security officer should conduct training sessions for staff, explaining how to use multi-factor authentication, by organising workshops or sending newsletters with step-by-step guides.
  • IT manager should review third-party online services to verify they offer multi-factor authentication by contacting the service providers and implementing MFA where available.

Audit / evidence tips

  • Ask: What measures are in place to ensure multi-factor authentication is used for accessing sensitive data?
  • Good: Login systems show records of using a password and a one-time code received via SMS or authenticator app
  • Ask: How does the organisation ensure that third-party services used meet the multi-factor authentication requirement?
  • Good: Documentation or agreements confirming that third-party services implement and enforce multi-factor authentication

Cross-framework mappings

How E8-MF-ML1.1 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control | Notes

Related (1)
Annex A 8.5 | E8-MF-ML1.1 requires MFA for authentication to sensitive online services

ASD ISM

Control | Notes

Partially meets (2)
ISM-1546 | ISM-1546 requires users to be authenticated before they are granted access
ISM-1682 | E8-MF-ML1.1 requires MFA for access to online services that handle the organisation’s sensitive data

Partially overlaps (4)
ISM-1505 | E8-MF-ML1.1 requires multi-factor authentication (MFA) for users accessing the organisation's online services that process, store or comm...
ISM-1679 | E8-MF-ML1.1 requires MFA for users authenticating to the organisation’s online services that handle sensitive organisational data
ISM-1681 | ISM-1681 requires MFA for customers accessing online customer services that handle sensitive customer data
ISM-1893 | E8-MF-ML1.1 requires MFA for users of the organisation’s online services that handle sensitive data

Supports (5)
ISM-0553 | ISM-0553 requires authentication and authorisation for all actions on a video conferencing network, including call setup and changing set...
ISM-0619 | ISM-0619 requires users to authenticate when accessing other networks via network gateways
ISM-1401 | E8-MF-ML1.1 requires MFA to authenticate users to sensitive online services
ISM-1872 | E8-MF-ML1.1 requires MFA for users accessing the organisation’s online services that handle sensitive organisational data
ISM-1919 | ISM-1919 requires that once MFA is implemented for online services, all authentication protocols that cannot use MFA are disabled to prev...

Related (2)
ISM-1504 | ISM-1504 requires multi-factor authentication (MFA) to be used to authenticate users to the organisation’s online services that process, ...
ISM-1892 | E8-MF-ML1.1 requires MFA for the organisation’s online services that process, store or communicate sensitive data

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
