Multi-factor authentication for third-party services handling sensitive data
Use multi-factor authentication for third-party services with sensitive data to prevent unauthorized access.
Plain language
Multi-factor authentication (MFA) is like having two locks on your door instead of one. It's important because it makes it much harder for someone to break into your online services and see sensitive information, like your financial records. Without MFA, a hacker could easily steal your password and get full access.
Framework: ASD Essential Eight
Control effect: Preventative
E8 mitigation strategy: Multi-factor authentication
Classifications: N/A
Official last update: N/A
Control Stack last updated: 19 Mar 2026
E8 maturity levels: ML1
Official control statement
Multi-factor authentication is used to authenticate users to third-party online services that process, store or communicate their organisation’s sensitive data.
Why it matters
Without MFA on third-party services, stolen credentials can allow unauthorised access and exfiltration of sensitive organisational data.
Operational notes
Confirm MFA is enforced for every third-party service that handles sensitive data, and review each new integration or vendor before onboarding so that it does not introduce a path that bypasses MFA.
Implementation tips
- IT team should enable multi-factor authentication for all third-party services that handle sensitive data to prevent unauthorised access.
- System administrator should regularly update the authentication methods to include robust options, such as a one-time password (OTP) sent to a separate device.
- Security officer should conduct training for staff about how and why to use multi-factor authentication, including the importance of safeguarding their additional authentication device.
- Security officer should review and assess third-party vendors to ensure their services have multi-factor authentication capabilities enabled by default.
Audit / evidence tips
- Ask: Have you enabled multi-factor authentication for all third-party services used by the organisation?
- Good answer: Yes, multi-factor authentication is enabled for all third-party services that handle our sensitive data, and here is the policy document that outlines this process.
- Ask: How do you verify that your staff are properly using multi-factor authentication?
- Good answer: We regularly train staff on MFA best practices, and our logs show successful use of multi-factor authentication across all services.
Cross-framework mappings
How E8-MF-ML1.2 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.5 | E8-MF-ML1.2 requires MFA for authenticating users to third-party services handling sensitive data |
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | ISM-1401 | E8-MF-ML1.2 requires multi-factor authentication (MFA) for user access to third-party online services handling the organisation’s sensiti... |
| Partially overlaps | ISM-1504 | ISM-1504 requires MFA for users accessing the organisation’s online services that handle the organisation’s sensitive data |
| Partially overlaps | ISM-1680 | E8-MF-ML1.2 requires MFA for third-party online services processing, storing or communicating the organisation’s sensitive data |
| Partially overlaps | ISM-1681 | ISM-1681 mandates MFA for customers accessing the organisation’s online customer services that handle sensitive customer data |
| Partially overlaps | ISM-1893 | E8-MF-ML1.2 requires MFA for third-party online services handling sensitive organisational data |
| Supports | ISM-1919 | E8-MF-ML1.2 requires MFA for authentication to third-party services handling sensitive data |
| Related | ISM-1679 | ISM-1679 requires multi-factor authentication (MFA) to be used when authenticating users to third-party online services that process, sto... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.