Use multi-factor authentication for unprivileged user access
Require additional authentication methods for regular system users.
🏛️ Framework
ASD Essential Eight
🧭 Control effect
Preventative
🛠️ E8 mitigation strategy
Multi-factor authentication
🔐 Classifications
N/A
🗓️ Official last update
N/A
✏️ Control Stack last updated
19 Mar 2026
🎯 E8 maturity levels
ML2
Multi-factor authentication is used to authenticate unprivileged users of systems.
Source: ASD Essential Eight
Plain language
This control is about requiring more than just a password to access your systems. It's like adding an extra lock to your door. It makes it much harder for someone to break in and steal valuable information, even if they guess your password.
Why it matters
Without MFA for unprivileged users, stolen passwords enable unauthorised access, increasing the risk of data theft and serving as a foothold for lateral movement.
Operational notes
Regularly review user enrolment and exclusions to maintain full MFA coverage for unprivileged users, and assess MFA method strength (e.g. phishing-resistant) as threats evolve.
Implementation tips
- The IT team should enable two-factor authentication for all user accounts. This means setting up a mobile app that generates codes or sending codes via text message each time someone logs in.
- System administrators need to ensure that the software used supports multi-factor authentication. Begin by checking system settings and enabling the multi-factor option provided.
- The security officer should educate staff about the importance of using multi-factor authentication. Conduct workshops to show how to set up and use the authentication methods.
- IT staff should regularly verify that the multi-factor authentication system is working correctly. This involves simulating login attempts and making sure the second step is always prompted.
- System administrators should configure alerts for failed multi-factor authentication attempts. Set up the system to notify administrators of suspicious activity.
Audit / evidence tips
-
Ask: How are users authenticated when accessing the system?
-
Good: Logs show that users are consistently using two methods to authenticate, like a password plus a code from their phone
-
Ask: Are all sensitive data systems covered by multi-factor authentication?
-
Good: A documented list shows all key systems with both password and secondary checks in place
Cross-framework mappings
How E8-MF-ML2.2 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | ||
| Annex A 8.5 | E8-MF-ML2.2 specifically requires MFA for unprivileged users accessing systems | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (3) | ||
| ISM-1505 | E8-MF-ML2.2 requires MFA to authenticate unprivileged users of systems | |
| ISM-1682 | E8-MF-ML2.2 requires multi-factor authentication (MFA) to authenticate unprivileged users of systems | |
| ISM-1893 | ISM-1893 requires MFA for users accessing third-party online customer services that handle sensitive customer data | |
| Supports (3) | ||
| ISM-0553 | ISM-0553 requires authentication and authorisation for all actions on a video conferencing network, including call setup and changing set... | |
| ISM-1401 | E8-MF-ML2.2 requires MFA for unprivileged users to access systems | |
| ISM-2077 | E8-MF-ML2.2 requires MFA to authenticate unprivileged users of systems | |
| Related (1) | ||
| ISM-0974 | E8-MF-ML2.2 requires multi-factor authentication to authenticate unprivileged users of systems | |