E8-MF-ML2.2 ASD Essential Eight

Use multi-factor authentication for unprivileged user access

Require additional authentication methods for regular system users.


Plain language

This control is about requiring more than just a password before someone can access your systems. It's like adding a second lock to your door: even if an attacker has guessed, phished or stolen a password, they still cannot get in and take valuable information without the second factor.

Framework

ASD Essential Eight

Control effect

Preventative

E8 mitigation strategy

Multi-factor authentication

Classifications

N/A

Official last update

N/A

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML2

Official control statement

Multi-factor authentication is used to authenticate unprivileged users of systems.

Why it matters

Without MFA for unprivileged users, a single stolen, phished or reused password is enough for unauthorised access. Ordinary user accounts are the most numerous and most exposed, so they are the usual first foothold: an attacker who lands in one can read the data that account can reach and use it as a base for lateral movement and privilege escalation.


Operational notes

Regularly review MFA enrolment and any documented exclusions (for example break-glass or service accounts) so that coverage of unprivileged users stays complete, confirm MFA is still enforced rather than optional after system changes, and reassess MFA method strength (for example whether methods are phishing-resistant) as threats evolve.


Implementation tips

  • The IT team should enable multi-factor authentication for all unprivileged user accounts that access systems, not only for administrators. Prefer a hardware security key or an authenticator app over codes sent by text message: SMS and app-generated one-time codes satisfy this control statement, but they are not phishing-resistant, and the Maturity Model separately requires phishing-resistant MFA for users of systems at this maturity level.
  • System administrators need to confirm that each system supports MFA, either natively or through the organisation's identity provider, before enforcing it. Check the authentication settings, turn on the MFA option, and make it mandatory rather than leaving it as an opt-in for users.
  • The security officer should educate staff on why MFA matters and how to enrol, including what to do when an approval prompt or code request arrives that they did not trigger (treat it as a possible attack and report it). Workshops that walk through enrolment and day-to-day use reduce lockouts and support calls.
  • IT staff should regularly verify that MFA is actually enforced: attempt logins from a new device or a private browser session, so that "remember this device" settings do not hide gaps, and confirm the second factor is always required.
  • System administrators should centrally log successful and failed MFA events and alert on patterns such as repeated MFA failures for one account, a burst of approval prompts, or a successful login immediately after several failures. Notify administrators promptly so suspicious activity can be investigated.

Audit / evidence tips

  • Ask: How are users authenticated when accessing the system?
  • Good: Logs show that users are consistently using two methods to authenticate, such as a password plus a code or key held on their phone or security key.
  • Ask: Are all sensitive data systems covered by multi-factor authentication?
  • Good: A documented list shows all key systems with both password and secondary checks in place.
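As an added worked example, not part of this control page or of any ASD or vendor tooling: a small Python script that reads sign-in events, reports users who succeeded with a single factor and are not on the documented exclusion list (a coverage gap), flags second factors that are not phishing-resistant, and raises an alert on repeated MFA failures for one account. That is the evidence and alerting the implementation tips and audit questions above ask for. The log format, field names, method classification and alert threshold are assumptions chosen for the illustration; the events are constructed, not real log data.

```python
"""MFA coverage and sign-in audit over sign-in events (added example).

The record format below is an assumption: one JSON object per line with
ts, user, system, result and factors fields. Map your identity provider's
sign-in export onto these fields before using the checks.
"""
import json
from collections import defaultdict

# Assumption: classification of second factors by phishing resistance.
# FIDO2/WebAuthn and smart cards are phishing-resistant; SMS, voice,
# TOTP app codes and push approvals are not.
PHISHING_RESISTANT = {"fido2", "webauthn", "smartcard"}

# Assumption: documented exclusions (e.g. break-glass or service accounts).
# Anyone else who signs in with a single factor is a coverage gap.
DOCUMENTED_EXCLUSIONS = {"svc-backup"}

# Assumption: number of MFA failures for one account that triggers an alert.
FAILED_MFA_ALERT_THRESHOLD = 3

# Constructed sample events (not real data). dave's three failed approvals
# followed by a success is the push-fatigue pattern worth alerting on.
SAMPLE_LOG = """
{"ts":"2026-03-19T08:01:10Z","user":"alice","system":"hr-portal","result":"success","factors":["password","fido2"]}
{"ts":"2026-03-19T08:02:33Z","user":"bob","system":"hr-portal","result":"success","factors":["password","totp"]}
{"ts":"2026-03-19T08:05:41Z","user":"carol","system":"finance-app","result":"success","factors":["password"]}
{"ts":"2026-03-19T08:06:02Z","user":"dave","system":"finance-app","result":"mfa_failed","factors":["password","push"]}
{"ts":"2026-03-19T08:06:20Z","user":"dave","system":"finance-app","result":"mfa_failed","factors":["password","push"]}
{"ts":"2026-03-19T08:06:45Z","user":"dave","system":"finance-app","result":"mfa_failed","factors":["password","push"]}
{"ts":"2026-03-19T08:07:01Z","user":"dave","system":"finance-app","result":"success","factors":["password","push"]}
{"ts":"2026-03-19T08:09:12Z","user":"svc-backup","system":"finance-app","result":"success","factors":["password"]}
"""


def parse_events(text):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_mfa(event):
    """True when at least two distinct factors were presented.

    Password plus any second factor satisfies this control statement;
    whether that second factor is phishing-resistant is reported separately.
    """
    return len(set(event["factors"])) >= 2


def audit(events):
    """Return coverage gaps, weak second factors, exclusions seen and alerts."""
    gaps = set()            # single-factor successes by non-excluded users
    excluded_seen = set()   # excluded accounts that actually signed in
    weak = {}               # user -> non-phishing-resistant second factor used
    failures = defaultdict(int)
    for e in events:
        if e["result"] == "mfa_failed":
            failures[e["user"]] += 1
            continue
        if e["result"] != "success":
            continue
        if not is_mfa(e):
            if e["user"] in DOCUMENTED_EXCLUSIONS:
                excluded_seen.add(e["user"])
            else:
                gaps.add(e["user"])
            continue
        second = [f for f in e["factors"] if f != "password"]
        if not any(f in PHISHING_RESISTANT for f in second):
            weak[e["user"]] = second[0]
    alerts = {u: n for u, n in failures.items() if n >= FAILED_MFA_ALERT_THRESHOLD}
    return {
        "gaps": sorted(gaps),
        "excluded_seen": sorted(excluded_seen),
        "weak_methods": weak,
        "alerts": alerts,
    }


if __name__ == "__main__":
    report = audit(parse_events(SAMPLE_LOG))
    print("MFA coverage gaps (not excluded):", report["gaps"])
    print("Documented exclusions that signed in:", report["excluded_seen"])
    print("Users on non-phishing-resistant factors:", report["weak_methods"])
    print("Repeated MFA failure alerts:", report["alerts"])
```

Run the script as-is to see the report for the constructed events; in practice, feed it an export of sign-in events and keep the exclusion list under change control so that the "excluded_seen" output doubles as the evidence for the periodic exclusion review.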

Cross-framework mappings

How E8-MF-ML2.2 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 8.5 E8-MF-ML2.2 specifically requires MFA for unprivileged users accessing systems

ASD ISM

Control Notes Details
Partially overlaps (3)
ISM-1505 E8-MF-ML2.2 requires MFA to authenticate unprivileged users of systems
ISM-1682 E8-MF-ML2.2 requires multi-factor authentication (MFA) to authenticate unprivileged users of systems
ISM-1893 ISM-1893 requires MFA for users accessing third-party online customer services that handle sensitive customer data
Supports (3)
ISM-0553 ISM-0553 requires authentication and authorisation for all actions on a video conferencing network, including call setup and changing set...
ISM-1401 E8-MF-ML2.2 requires MFA for unprivileged users to access systems
ISM-2077 E8-MF-ML2.2 requires MFA to authenticate unprivileged users of systems
Related (1)
ISM-0974 E8-MF-ML2.2 requires multi-factor authentication to authenticate unprivileged users of systems

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
