E8-MF-ML1.5 - ASD Essential Eight

Multi-factor authentication for third-party services with sensitive customer data

Use multi-factor authentication to secure accounts on third-party services that handle your sensitive customer data.

Plain language

This control requires the use of multi-factor authentication (MFA) when accessing third-party services that manage your customers' sensitive information. This is like adding an extra lock to your digital accounts, making it much harder for unauthorised people to break in and access private data. Without this, cybercriminals can more easily steal your customers' personal information and misuse it, which could harm your business's reputation and bottom line.

Framework

ASD Essential Eight

Control effect

Preventative

E8 mitigation strategy

Multi-factor authentication

Classifications

N/A

Official last update

N/A

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML1

Official control statement

Multi-factor authentication is used to authenticate users to third-party online customer services that process, store or communicate their organisation’s sensitive customer data.

Why it matters

Without MFA, unauthorised access to third-party customer services could expose sensitive customer data, harming trust and triggering regulatory penalties.

Operational notes

Regularly verify that MFA is enforced on all third-party customer service logins (including admin/break-glass and SSO/SAML), and review vendor reports for drift.

Implementation tips

  • The IT team should identify all third-party services used by the organisation that handle sensitive customer data and ensure MFA is available.
  • The system administrator should enable multi-factor authentication for each identified third-party service by accessing account settings and selecting the MFA option.
  • Security officers should educate users on how to use multi-factor authentication when logging into third-party services by providing step-by-step guides.
  • Organisation leaders should mandate the use of MFA for all employees accessing customer-sensitive information by updating company security policies.
  • Data protection officers should periodically review and update the list of third-party services to ensure all necessary services have MFA enabled.

Audit / evidence tips

  • Ask: What third-party services are used to store or manage sensitive customer data?
  • Good: The organisation provides a comprehensive list of third-party services with screenshots or configuration details showing MFA is enabled
  • Ask: How does the organisation enforce the use of MFA for these services?
  • Good: Policies explicitly require MFA for accessing sensitive data, and training records show staff have been educated about its use

Cross-framework mappings

How E8-MF-ML1.5 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ASD ISM

Partially overlaps (6)

  • ISM-0974: E8-MF-ML1.5 mandates MFA for access to third-party online customer services with sensitive data
  • ISM-1173: E8-MF-ML1.5 requires MFA for users authenticating to third-party online customer services handling sensitive customer data
  • ISM-1504: E8-MF-ML1.5 and ISM-1504 both require MFA for online services handling sensitive data
  • ISM-1680: E8-MF-ML1.5 mandates MFA for third-party online customer services where sensitive customer data is involved
  • ISM-1681: E8-MF-ML1.5 and ISM-1681 both apply MFA in customer-service environments handling sensitive customer data
  • ISM-1892: E8-MF-ML1.5 requires MFA for authentication to third-party online customer services that handle sensitive customer data

Supports (2)

  • ISM-1452: E8-MF-ML1.5 mandates MFA for third-party online services with sensitive data to prevent unauthorised access
  • ISM-1682: E8-MF-ML1.5 requires MFA for third-party online customer services processing sensitive data

Depends on (2)

  • ISM-1401: E8-MF-ML1.5 seeks MFA for third-party online customer services dealing with sensitive customer data
  • ISM-1919: E8-MF-ML1.5 requires MFA for authentication to third-party online customer services

Related (2)

  • ISM-1679: E8-MF-ML1.5 and ISM-1679 both require multi-factor authentication (MFA) for users accessing third-party online customer services that han...
  • ISM-1893: E8-MF-ML1.5 and ISM-1893 both require MFA for users accessing third-party online customer services handling sensitive data

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
