Multi-factor authentication for third-party services with sensitive customer data
Use multi-factor authentication to secure accounts on third-party services that handle your sensitive customer data.
🏛️ Framework
ASD Essential Eight
🧭 Control effect
Preventative
🛠️ E8 mitigation strategy
Multi-factor authentication
🔐 Classifications
N/A
🗓️ Official last update
N/A
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
ML1
Multi-factor authentication is used to authenticate users to third-party online customer services that process, store or communicate their organisation’s sensitive customer data.
Source: ASD Essential Eight
Plain language
This control requires the use of multi-factor authentication (MFA) when accessing third-party services that manage your customers' sensitive information. This is like adding an extra lock to your digital accounts, making it much harder for unauthorised people to break in and access private data. Without it, cybercriminals can more easily steal your customers' personal information and misuse it, which could harm your business's reputation and bottom line.
Why it matters
Without MFA, unauthorised access to third-party customer services could expose sensitive customer data, harming trust and triggering regulatory penalties.
Operational notes
Regularly verify MFA is enforced on all third-party customer service logins (incl. admin/break-glass and SSO/SAML), and review vendor reports for drift.
Implementation tips
- The IT team should identify all third-party services used by the organisation that handle sensitive customer data and ensure MFA is available.
- The system administrator should enable multi-factor authentication for each identified third-party service by accessing account settings and selecting the MFA option.
- Security officers should educate users on how to use multi-factor authentication when logging into third-party services by providing step-by-step guides.
- Organisation leaders should mandate the use of MFA for all employees accessing customer-sensitive information by updating company security policies.
- Data protection officers should periodically review and update the list of third-party services to ensure all necessary services have MFA enabled.
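The operational note and the implementation tips above amount to a repeatable check: keep an inventory of third-party services that hold sensitive customer data, pull each vendor's user export, and flag every login path where MFA is not actually enforced (including admin, break-glass and SSO-federated accounts). The script below is an added example, not part of the Essential Eight guidance or this page; the service names, the CSV column names and the identity-provider policy table are constructed assumptions, since real vendor exports vary and need a mapping step before this logic can be applied.

```python
"""Drift check for MFA enforcement on third-party services (added example).

Takes a constructed inventory of services holding sensitive customer data
and a constructed vendor user export, and reports each account whose login
path is not protected by MFA. Column names and service names are assumed.
"""
import csv
import io
from dataclasses import dataclass

# Constructed inventory (assumed names): services identified by the IT team
# as handling sensitive customer data.
SENSITIVE_SERVICES = {"crm.example", "helpdesk.example", "payroll.example"}

# Constructed vendor export. The columns are assumptions for this example.
VENDOR_EXPORT = """\
service,account,role,auth,mfa_enforced
crm.example,alice@example.org,user,sso,true
crm.example,breakglass-admin,admin,local,false
helpdesk.example,bob@example.org,admin,local,true
helpdesk.example,carol@example.org,user,sso,false
helpdesk.example,svc-integration,user,api_key,n/a
"""

# Constructed identity-provider status: whether the IdP enforces MFA for
# federated (SSO) sign-ins to each service. For SSO accounts the vendor's
# own flag says nothing about the IdP, so this table is consulted instead.
IDP_MFA_POLICY = {"crm.example": True, "helpdesk.example": False}


@dataclass(frozen=True)
class Finding:
    service: str
    account: str
    reason: str


def parse_export(text: str) -> list[dict[str, str]]:
    """Parse the vendor CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def find_mfa_drift(rows, sensitive_services, idp_policy) -> list[Finding]:
    """Return one Finding per login path that cannot be shown to enforce MFA."""
    findings = []

    # Drift type 1: a sensitive service with no vendor report at all cannot
    # be evidenced as MFA-protected, so it is reported up front.
    reported = {r["service"] for r in rows}
    for service in sorted(sensitive_services - reported):
        findings.append(Finding(service, "*", "no vendor report; MFA status unknown"))

    for r in rows:
        service, account = r["service"], r["account"]
        if service not in sensitive_services:
            continue  # not in scope for this control
        auth = r["auth"].strip().lower()
        enforced = r["mfa_enforced"].strip().lower() == "true"
        if auth == "sso":
            # Drift type 2: federated login where the IdP does not enforce MFA.
            if not idp_policy.get(service, False):
                findings.append(Finding(service, account, "SSO login but IdP does not enforce MFA"))
        elif auth == "local":
            # Drift type 3: a local password login without MFA; admin and
            # break-glass accounts are called out because they are the
            # ones most often left out of MFA rollouts.
            if not enforced:
                reason = "local login without MFA"
                if r["role"].strip().lower() == "admin" or "breakglass" in account:
                    reason = "privileged/break-glass local login without MFA"
                findings.append(Finding(service, account, reason))
        else:
            # Non-interactive credentials (API keys, tokens) cannot use MFA;
            # record them so they are reviewed rather than silently ignored.
            findings.append(Finding(service, account,
                                    f"non-interactive credential ({auth}); review separately"))
    return findings


if __name__ == "__main__":
    for f in find_mfa_drift(parse_export(VENDOR_EXPORT), SENSITIVE_SERVICES, IDP_MFA_POLICY):
        print(f"{f.service}\t{f.account}\t{f.reason}")
```

Running it against the constructed data yields four findings: the payroll service with no report, the break-glass admin on the CRM, the SSO user on the helpdesk whose IdP policy does not enforce MFA, and the API-key service account flagged for separate review. Treat the output as the evidence list to attach to the audit questions below, and re-run it whenever a fresh vendor export is obtained.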
Audit / evidence tips
- Ask: What third-party services are used to store or manage sensitive customer data?
- Good: The organisation provides a comprehensive list of third-party services with screenshots or configuration details showing MFA is enabled.
- Ask: How does the organisation enforce the use of MFA for these services?
- Good: Policies explicitly require MFA for accessing sensitive data, and training records show staff have been educated about its use.
Cross-framework mappings
How E8-MF-ML1.5 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (4) | | |
| ISM-1504 | ISM-1504 requires MFA for users authenticating to the organisation’s online services that handle sensitive data | |
| ISM-1679 | E8-MF-ML1.5 requires multi-factor authentication (MFA) for users accessing third-party online customer services handling sensitive custom... | |
| ISM-1680 | E8-MF-ML1.5 mandates MFA for third-party online customer services where sensitive customer data is involved | |
| ISM-1892 | E8-MF-ML1.5 requires MFA for authentication to third-party online customer services that handle sensitive customer data | |
| Depends on (1) | | |
| ISM-1919 | E8-MF-ML1.5 requires MFA for authentication to third-party online customer services | |
| Related (1) | | |
| ISM-1893 | E8-MF-ML1.5 requires MFA for users accessing third-party online customer services handling sensitive customer data | |