E8-MF-ML1.3 ASD Essential Eight

Use multi-factor authentication for non-sensitive third-party services

Use a second form of verification for accounts on services handling non-sensitive org data.

Plain language

Using multi-factor authentication (MFA) means that when you log in to an account, you need to provide two forms of identification instead of just a password. Imagine you're trying to get into a nightclub; you'll need both a password and an ID card, not just one or the other. This added step helps prevent hackers from getting into your accounts if they manage to steal your password. It's like having a deadbolt on your door instead of just a regular lock.

Framework

ASD Essential Eight

Control effect

Preventative

E8 mitigation strategy

Multi-factor authentication

Classifications

N/A

Official last update

N/A

Control Stack last updated

18 May 2026

E8 maturity levels

ML1

Official control statement

Multi-factor authentication (where available) is used to authenticate users to third-party online services that process, store or communicate their organisation’s non-sensitive data.

Why it matters

Without MFA, stolen credentials for third-party services could allow unauthorised access to accounts and non-sensitive organisational data.

Operational notes

Regularly review third-party services for MFA availability and enforce it; re-check settings after vendor changes and user onboarding to prevent drift.

Implementation tips

  • The IT team should identify all third-party online services that handle the organisation's non-sensitive data and make a list of these services.
  • The system administrator should check if these services support multi-factor authentication by looking at the service's security settings or contacting support.
  • If multi-factor authentication is available, the IT team should enable it for users by following the service provider's implementation guide.
  • The security officer should regularly review and update the list of third-party services to ensure new ones are evaluated for multi-factor authentication capability.
  • The IT support staff should educate users about the importance of multi-factor authentication and how to use it, possibly through a simple step-by-step guide or training session.

Audit / evidence tips

  • Ask: Can you show me the list of third-party services that handle non-sensitive data?
  • Good: The list includes all relevant services and clearly indicates which ones have multi-factor authentication enabled.
  • Ask: How does the organisation ensure multi-factor authentication is used where available?
  • Good: There are documented procedures and user lists confirming multi-factor authentication is set up for each applicable service.

Cross-framework mappings

How E8-MF-ML1.3 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (1)
  • Annex A 8.5: E8-MF-ML1.3 requires the use of MFA (where available) for user authentication to third-party online services handling non-sensitive organ...
Related (1)
  • Annex A 5.15: Annex A 5.15 requires organisations to establish rules and procedures that control logical access to information based on security requir...

ASD ISM

Control Notes Details
Supports (3)
  • ISM-0417: E8-MF-ML1.3 requires MFA (where available) for authenticating users to third-party online services that process, store or communicate non...
  • ISM-0553: ISM-0553 requires authentication and authorisation for all actions on a video conferencing network, including call setup and changing set...
  • ISM-1919: E8-MF-ML1.3 requires multi-factor authentication (where available) for user access to third-party online services handling an organisatio...
Depends on (1)
  • ISM-1401: E8-MF-ML1.3 requires organisations to use multi-factor authentication for third-party services that process, store or communicate non-sen...
Related (1)
  • ISM-1680: E8-MF-ML1.3 requires multi-factor authentication (where available) for users authenticating to third-party online services that process, ...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
