Multi-factor authentication for customer access to online services handling sensitive data
Require multiple forms of ID for customer logins to protect sensitive online data.
Plain language
This control ensures that when customers log in to online services handling sensitive data, they use more than just a password. This makes it much harder for someone to break in and access private information if passwords are stolen.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Multi-factor authentication
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
Multi-factor authentication is used to authenticate customers to online customer services that process, store or communicate sensitive customer data.
Why it matters
Without MFA, attackers can take over customer accounts via stolen passwords, exposing sensitive customer data and damaging trust.
Operational notes
Enforce MFA for all customer logins to services handling sensitive data, support strong factors, and alert on repeated failures and new-device sign-ins.
Implementation tips
- IT team should require two forms of identification for customer logins. Implement a system that requires both a password and a code sent to the user's phone.
- Security officer should verify that all sensitive data services use multi-factor authentication. Regularly review systems handling sensitive information to ensure compliance.
- System administrator should configure customer accounts to use something they have, like a smartphone app or a hardware token, along with something they know, like a password.
- Customer service should educate customers on how to set up and use multi-factor authentication. Provide clear instructions and support for using mobile apps or tokens for extra security.
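The operational notes and implementation tips above describe three things a customer-facing login needs: a second factor alongside the password, alerting on repeated failures, and alerting on sign-ins from a device the account has not used before. The following Python is an added illustration written for this page; it is not code from Control Stack, the ASD or any product. It implements the app-based factor as a standard RFC 6238 TOTP check (the same scheme authenticator apps use) on top of a password check, and returns the alerts a monitoring pipeline would receive. The account store, salt, device identifiers and the five-failure threshold are all constructed for the example.

```python
"""Added example, not part of the Control Stack page or the Essential Eight
guidance: a login gate that requires a password plus a TOTP code (RFC 6238),
counts consecutive failures and flags sign-ins from a device the account has
not used before. Account data, thresholds and device identifiers are constructed."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

FAILURE_ALERT_THRESHOLD = 5   # constructed: raise an alert at this many consecutive failures
TOTP_STEP_SECONDS = 30        # RFC 6238 default time step
TOTP_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the code for the current step or `window` steps either side (clock drift).
    Every candidate is compared in constant time and none is skipped, so timing does
    not reveal which digits matched or which step matched."""
    counter = at // TOTP_STEP_SECONDS
    ok = False
    for d in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(secret, counter + d).encode(), code.encode())
    return ok


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for a proper password hash; the iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    totp_secret: bytes
    known_devices: set = field(default_factory=set)
    failed_attempts: int = 0


@dataclass
class LoginResult:
    allowed: bool
    alerts: list


def make_account(password: str, totp_secret: bytes, salt: bytes = b"constructed-salt") -> Account:
    # Real systems use a random per-account salt; a fixed one keeps the example deterministic.
    return Account(salt, hash_password(password, salt), totp_secret)


def login(account: Account, password: str, code: str, device_id: str, now: int) -> LoginResult:
    """Decide a sign-in and return the alerts a monitoring pipeline should receive."""
    alerts = []
    # Evaluate both factors before deciding, so the caller cannot learn which one failed.
    password_ok = hmac.compare_digest(hash_password(password, account.salt), account.password_hash)
    code_ok = verify_totp(account.totp_secret, code, now)
    if not (password_ok and code_ok):
        account.failed_attempts += 1
        if account.failed_attempts >= FAILURE_ALERT_THRESHOLD:
            alerts.append(f"repeated-failures:{account.failed_attempts}")
        return LoginResult(False, alerts)
    account.failed_attempts = 0
    if device_id not in account.known_devices:
        # First sign-in from this device: allow it, but notify the customer and the SOC.
        alerts.append(f"new-device:{device_id}")
        account.known_devices.add(device_id)
    return LoginResult(True, alerts)


if __name__ == "__main__":
    # Constructed demo: one good sign-in from a new device, then repeated bad attempts.
    acct = make_account("correct horse battery staple", b"12345678901234567890")
    now = 1_700_000_000
    print(login(acct, "correct horse battery staple", totp(acct.totp_secret, now), "phone-1", now))
    for _ in range(FAILURE_ALERT_THRESHOLD):
        print(login(acct, "guess", "000000", "laptop-9", now))
```

The design choice worth noting for an auditor: the gate checks both factors before returning, so a failed attempt never reveals whether the password or the code was wrong, and the alerts (repeated failures, new device) are produced by the same function that makes the decision, which keeps the evidence trail and the enforcement point in one place.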
Audit / evidence tips
- Ask: Does the service require multi-factor authentication for customer logins?
- Good: All customer accounts must use a password plus another factor, such as an SMS code or app-based verification
- Ask: How are customers informed and instructed about multi-factor authentication setup?
- Good: Regular, clear instructions available and communicated to all customers, guiding them through the multi-factor authentication setup
Cross-framework mappings
How E8-MF-ML1.6 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.5 | E8-MF-ML1.6 requires MFA for customers authenticating to online customer services handling sensitive customer data | |
| Supports (1) | | |
| Annex A 5.17 | E8-MF-ML1.6 requires MFA for customers to access online customer services that handle sensitive customer data | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (4) | | |
| ISM-1504 | ISM-1504 requires MFA for users authenticating to the organisation's online services that handle sensitive data | |
| ISM-1874 | E8-MF-ML1.6 requires MFA for customers authenticating to online services handling sensitive customer data | |
| ISM-1893 | E8-MF-ML1.6 requires multi-factor authentication (MFA) for customers accessing online customer services that process, store or communicat... | |
| ISM-1920 | E8-MF-ML1.6 requires customers to use MFA when authenticating to online customer services handling sensitive customer data | |
| Supports (2) | | |
| ISM-1873 | E8-MF-ML1.6 requires MFA for customers accessing online customer services that handle sensitive customer data | |
| ISM-1919 | E8-MF-ML1.6 requires MFA for customer authentication to online customer services handling sensitive customer data | |
| Related (2) | | |
| ISM-1681 | ISM-1681 requires multi-factor authentication (MFA) to be used to authenticate customers to online customer services that process, store ... | |
| ISM-1892 | E8-MF-ML1.6 requires multi-factor authentication (MFA) for customers accessing online customer services that process, store, or communica... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.