E8-MF-ML1.7 ASD Essential Eight

Multi-factor authentication combines two factors like a device and a PIN

Use something you have and something you know to secure access to important data.

Plain language

Multi-factor authentication is like adding another lock on the door to your online accounts. Instead of relying just on a password, it requires an additional step, like a text message to your phone, making it much harder for bad actors to break in and access your sensitive information.

Framework: ASD Essential Eight
Control effect: Preventative
E8 mitigation strategy: Multi-factor authentication
Classifications: N/A
Official last update: N/A
Control Stack last updated: 19 Mar 2026
E8 maturity levels: ML1

Official control statement

Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are.

Why it matters

Without MFA using a device plus PIN/biometric, stolen passwords can allow account takeover, unauthorised access and data compromise.

Operational notes

Maintain MFA that combines a device with a PIN/biometric; review enrolled authenticators, revoke lost devices, and prefer phishing-resistant methods.

Implementation tips

  • The IT team should enable multi-factor authentication on all systems that contain sensitive data by accessing the security settings of their online service platforms and turning on this feature.
  • The security officer should ensure that employees understand how to use multi-factor authentication by providing a clear guide and offering a training session.
  • The system administrator should deploy multi-factor authentication tools by integrating trusted systems such as authentication apps or security tokens.
  • The office manager should collect feedback from employees about any difficulties with multi-factor authentication so that usability issues are addressed promptly.

Audit / evidence tips

  • Ask: Does the organisation use multi-factor authentication for accessing sensitive data?
  • Good: The organisation has enabled multi-factor authentication for all relevant systems, and users demonstrate knowledge of its operation.
  • Ask: Can employees describe the multi-factor authentication process they follow?
  • Good: Employees participated in training sessions on multi-factor authentication and can clearly explain the usage process.

Cross-framework mappings

How E8-MF-ML1.7 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 8.5 E8-MF-ML1.7 mandates a specific secure authentication approach by defining MFA factor combinations (possession plus knowledge/biometrics)

ASD ISM

Control Notes Details
Partially meets (10)
ISM-0974 E8-MF-ML1.7 specifies the acceptable construction of MFA using two distinct factors or a device unlocked by knowledge/biometrics
ISM-1173 E8-MF-ML1.7 sets the requirement for what makes MFA valid by prescribing acceptable factor combinations
ISM-1504 E8-MF-ML1.7 defines what constitutes acceptable multi-factor authentication by specifying valid factor combinations
ISM-1505 E8-MF-ML1.7 defines MFA by requiring two factors (have+know, or have unlocked by know/are)
ISM-1546 E8-MF-ML1.7 requires a specific form of user authentication: MFA with two factors
ISM-1560 ISM-1560 requires that passwords used as part of multi-factor authentication (MFA) on SECRET systems are at least 8 characters long
ISM-1679 E8-MF-ML1.7 requires MFA to combine specific factor types (have+know, or have unlocked by know/are)
ISM-1680 E8-MF-ML1.7 defines acceptable MFA factor combinations (have+know, or have unlocked by know/are)
ISM-1681 E8-MF-ML1.7 requires MFA to use specific factor combinations (something users have plus something they know, or a device unlocked by know...
ISM-1893 E8-MF-ML1.7 specifies what constitutes MFA by mandating specific factor combinations
Supports (4)
ISM-0553 ISM-0553 requires authentication and authorisation for all actions on a video conferencing network, including call setup and changing set...
ISM-1872 ISM-1872 requires the use of phishing-resistant multi-factor authentication for online services
ISM-1919 E8-MF-ML1.7 requires MFA to use two factors to strengthen authentication
ISM-2011 E8-MF-ML1.7 defines MFA as using two factors (something you have plus something you know, or possession unlocked by knowledge/biometrics)
Related (1)
ISM-1401 E8-MF-ML1.7 requires multi-factor authentication to be implemented using two factors: something users have and something users know, or s...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
