E8-MF-ML1.2 ASD Essential Eight

Multi-factor authentication for third-party services handling sensitive data

Use multi-factor authentication for third-party services with sensitive data to prevent unauthorised access.

Framework: ASD Essential Eight
Control effect: Preventative
E8 mitigation strategy: Multi-factor authentication
Classifications: N/A
Official last update: N/A
Control Stack last updated: 22 Feb 2026
E8 maturity levels: ML1

Official control statement
Multi-factor authentication is used to authenticate users to third-party online services that process, store or communicate their organisation’s sensitive data.

Source: ASD Essential Eight

Plain language

Multi-factor authentication (MFA) is like having two locks on your door instead of one. It's important because it makes it much harder for someone to break into your online services and see sensitive information, like your financial records. Without MFA, a hacker who steals your password gets full access.

Why it matters

Without MFA on third-party services, stolen credentials can allow unauthorised access and exfiltration of sensitive organisational data.

Operational notes

Confirm MFA is enforced for all third-party services handling sensitive data, and review new integrations/vendors to prevent MFA bypass.

Implementation tips

  • IT team should enable multi-factor authentication for all third-party services that handle sensitive data to prevent unauthorised access.
  • System administrator should regularly update the authentication methods to include robust options, such as a one-time password (OTP) sent to a separate device.
  • Security officer should conduct training for staff about how and why to use multi-factor authentication, including the importance of safeguarding their additional authentication device.
  • Security officer should review and assess third-party vendors to ensure their services have multi-factor authentication capabilities enabled by default.

Audit / evidence tips

  • Ask: Have you enabled multi-factor authentication for all third-party services used by the organisation?
    Good: Yes, multi-factor authentication is enabled for all third-party services that handle our sensitive data, and here is the policy document that outlines this process.

  • Ask: How do you verify that your staff are properly using multi-factor authentication?
    Good: We regularly train staff on MFA best practices, and our logs show successful use of multi-factor authentication across all services.

Cross-framework mappings

How E8-MF-ML1.2 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ASD ISM

Partially overlaps (5)

  • ISM-1401: ISM-1401 requires organisations to implement MFA using multiple factors (possession plus knowledge, or possession unlocked by knowledge/b...
  • ISM-1504: ISM-1504 requires MFA for users accessing the organisation’s online services that handle the organisation’s sensitive data
  • ISM-1680: E8-MF-ML1.2 requires MFA for users accessing third-party services handling the organisation’s sensitive data
  • ISM-1681: ISM-1681 mandates MFA for customers accessing the organisation’s online customer services that handle sensitive customer data
  • ISM-1893: E8-MF-ML1.2 requires multi-factor authentication (MFA) for users accessing third-party online services that process, store or communicate...

Supports (1)

  • ISM-1919: E8-MF-ML1.2 requires MFA for authentication to third-party services handling sensitive data

Related (1)

  • ISM-1679: ISM-1679 requires multi-factor authentication (MFA) to be used when authenticating users to third-party online services that process, sto...
