Control Stack
E8-MF-ML2.3 ASD Essential Eight

Multi-factor authentication online services must be phishing-resistant

Ensure two-factor authentication can't be bypassed by phishing attacks.

🏛️ Framework

ASD Essential Eight

🧭 Control effect

Preventative

🛠️ E8 mitigation strategy

Multi-factor authentication

🔐 Classifications

N/A

🗓️ Official last update

N/A

✏️ Control Stack last updated

19 Mar 2026

🎯 E8 maturity levels

ML2

Official control statement
Multi-factor authentication used for authenticating users of online services is phishing-resistant.

Source: ASD Essential Eight

Plain language

This control is about ensuring that when people log into online services, they have to use a multi-step process to verify their identity that can't be easily tricked by phishing scams. Without this, cybercriminals might fool someone into giving away their login details, and then use that information to access sensitive business data.

Why it matters

Without phishing-resistant MFA, attackers can exploit credential phishing, leading to unauthorised access and data breaches.

Operational notes

Deploy and test phishing-resistant MFA (FIDO2/WebAuthn or passkeys); block SMS and one-time-password (OTP) methods for online services, since a phished code can be replayed by the attacker.
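Added example (not part of the Control Stack page or of ASD guidance): the relying-party checks that make FIDO2/WebAuthn phishing-resistant in practice. The browser writes the page origin into clientDataJSON and the authenticator binds the rpId, so an assertion captured on a look-alike domain, or one built for a different challenge, fails verification. RP_ID, EXPECTED_ORIGIN and the look-alike domain are constructed values.

```python
import base64
import hashlib
import json
import secrets

# Constructed relying-party (RP) identity for this example, not from the page.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_client_data(challenge: bytes, origin: str) -> bytes:
    # clientDataJSON as the browser builds it: the origin is set by the browser, not by the page.
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin, "crossOrigin": False}).encode()

def make_authenticator_data(rp_id: str) -> bytes:
    # authenticatorData prefix: rpIdHash (32 bytes) || flags (1 byte, UP set) || signCount (4 bytes)
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")

def verify_binding(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes) -> tuple[bool, str]:
    # Origin / rpId / challenge checks an RP performs before signature verification (omitted here).
    # A look-alike site cannot make the browser emit the real origin, so its assertion fails here.
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + repr(cd.get("origin"))
    if not secrets.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch or truncated authenticatorData"
    return True, "bound to expected origin, rpId and challenge"

def demo() -> dict:
    # Legitimate login, an assertion captured on a look-alike domain, and a replay for an old challenge.
    challenge = secrets.token_bytes(32)          # issued by the RP per login attempt
    auth = make_authenticator_data(RP_ID)
    return {
        "legitimate": verify_binding(make_client_data(challenge, EXPECTED_ORIGIN), auth, challenge)[0],
        "phished": verify_binding(make_client_data(challenge, "https://login.example-com.net"), auth, challenge)[0],
        "replayed": verify_binding(make_client_data(secrets.token_bytes(32), EXPECTED_ORIGIN), auth, challenge)[0],
    }
```

Only the legitimate case verifies; the browser additionally refuses to use a credential whose rpId does not match the page's domain, so the RP-side check is the second of two layers.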

Implementation tips

  • IT team should ensure multi-factor authentication (MFA) is enabled for all online services handling sensitive data by configuring those services to require a second authentication step in addition to the password.
  • Security officer needs to choose an MFA method that is phishing-resistant, such as hardware security keys or passkeys (FIDO2/WebAuthn), to ensure effective security; codes sent to a phone or generated by an authenticator app can be phished and replayed, which is why the operational note above says to block them for online services.
  • System administrators should regularly test the MFA setup by simulating phishing attempts to see if the systems can be bypassed or not, ensuring robustness.
  • IT team should train all users on recognising phishing attempts and ensure they understand the importance of the second authentication step to avoid sharing sensitive information.

Audit / evidence tips

  • Ask: How does your organisation ensure that MFA is phishing-resistant for online services?

  • Good: MFA is configured using a recognised phishing-resistant method such as hardware tokens, and regular tests confirm its effectiveness

  • Ask: What methods are in place to educate users about phishing threats and MFA use?

  • Good: Regular training sessions and updates are provided to users, and records show consistent participation

Cross-framework mappings

How E8-MF-ML2.3 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (1)
Annex A 8.5: E8-MF-ML2.3 requires a specific authentication outcome: MFA for online services must be phishing-resistant

ASD ISM

Partially overlaps (3)
ISM-0555: ISM-0555 requires authentication and authorisation for all actions on an IP telephony network (e.g
ISM-1874: E8-MF-ML2.3 requires phishing-resistant MFA for users authenticating to online services
ISM-1894: E8-MF-ML2.3 requires phishing-resistant MFA for authenticating users of online services
Supports (7)
ISM-1504: ISM-1504 requires MFA for users authenticating to online services that process, store or communicate sensitive data
ISM-1680: ISM-1680 requires organisations to use multi-factor authentication (where available) for users accessing third-party online services hand...
ISM-1893: ISM-1893 requires MFA for users authenticating to third-party online customer services that process, store or communicate the organisatio...
ISM-1919: E8-MF-ML2.3 requires phishing-resistant MFA for online services to prevent phishing-based bypass of authentication
ISM-1920: E8-MF-ML2.3 requires organisations to use phishing-resistant MFA for users of online services to prevent credential interception and repl...
ISM-2011: ISM-2011 requires that where a user account uses phishing-resistant MFA, any weaker, non-phishing-resistant MFA options are disabled for ...
ISM-2077: ISM-2077 requires that email is not used as an out-of-band authentication channel
Related (2)
ISM-1682: E8-MF-ML2.3 requires phishing-resistant multi-factor authentication (MFA) specifically for users authenticating to online services
ISM-1872: E8-MF-ML2.3 requires that MFA used for authenticating users of online services is phishing-resistant
