Use multi-factor authentication for online services handling customer data
Ensure users use multi-factor logins for online services with sensitive customer data.
Plain language
This control is about using more than just a password to log into online services that handle sensitive customer information. It's important because relying only on passwords can make it easier for hackers to break into these systems, which could lead to your customers' private data being stolen or misused.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Multi-factor authentication
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
Multi-factor authentication is used to authenticate users to their organisation’s online customer services that process, store or communicate their organisation’s sensitive customer data.
Why it matters
Without MFA, stolen passwords can allow unauthorised access to online customer services, exposing sensitive customer data and causing breaches and reputational damage.
Operational notes
Enforce MFA on all accounts for online customer services handling customer data; regularly review MFA logs and promptly investigate unusual authentication attempts.
Implementation tips
- The IT team should ensure multi-factor authentication is set up for all online services handling customer data by selecting systems that support two or more authentication factors, such as SMS codes or authenticator apps.
- System administrators need to configure user accounts to require multi-factor authentication for access to online services by enabling this feature in the system's user management settings.
- Security officers should educate staff about the importance of using multi-factor authentication for securing customer data by organising training sessions and providing easy-to-understand guides.
- The IT department should regularly review and update the list of third-party services to ensure they support multi-factor authentication by conducting quarterly audits of all connected applications and services.
Audit / evidence tips
- Ask: Is multi-factor authentication enabled for all online services that handle sensitive customer data?
- Good: Multi-factor authentication is enabled in the system settings, and the setting is enforced across all user accounts accessing sensitive customer data services.
- Ask: How frequently is the list of online services reviewed for compliance with multi-factor authentication requirements?
- Good: Review logs or documentation that confirm the list of third-party services is audited quarterly, with multi-factor authentication compliance checked for each.
Cross-framework mappings
How E8-MF-ML1.4 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets (1) | Annex A 8.5 | E8-MF-ML1.4 requires MFA for users authenticating to online customer services that handle sensitive customer data |
| Supports (1) | Annex A 5.17 | E8-MF-ML1.4 requires MFA to be implemented for access to online customer services handling sensitive customer data |
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially meets (1) | ISM-1401 | E8-MF-ML1.4 requires MFA to be used for authentication to online customer services handling sensitive customer data |
| Partially overlaps (4) | ISM-1504 | ISM-1504 requires MFA for users accessing the organisation’s online services that process, store or communicate sensitive data |
| Partially overlaps (4) | ISM-1505 | E8-MF-ML1.4 requires multi-factor authentication (MFA) for users accessing the organisation’s online customer services that process, stor... |
| Partially overlaps (4) | ISM-1681 | ISM-1681 requires MFA for customers authenticating to online customer services where sensitive customer data is processed, stored or comm... |
| Partially overlaps (4) | ISM-1893 | ISM-1893 requires MFA for users authenticating to third-party online customer services that handle the organisation’s sensitive customer ... |
| Supports (2) | ISM-0553 | ISM-0553 requires authentication and authorisation for all actions on a video conferencing network, including call setup and changing set... |
| Supports (2) | ISM-1682 | E8-MF-ML1.4 requires MFA for access to online customer services handling sensitive customer data |
| Related (1) | ISM-1892 | ISM-1892 requires multi-factor authentication (MFA) to be used to authenticate users to an organisation’s online customer services that p... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.