Multi-factor authentication used for system access is phishing-resistant
Ensure system login methods resist phishing attacks using multiple authentication factors.
🏛️ Framework
ASD Essential Eight
🧭 Control effect
Preventative
🛠️ E8 mitigation strategy
Multi-factor authentication
🔐 Classifications
N/A
🗓️ Official last update
N/A
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
ML2
Multi-factor authentication used for authenticating users of systems is phishing-resistant.
Source: ASD Essential Eight
Plain language
This control ensures that logging into important systems is more secure by using two or more forms of identification, such as a password and a unique code from an app. This extra step prevents criminals from accessing sensitive information, even if they manage to steal someone’s password.
Why it matters
Without phishing-resistant MFA, attackers can phish users into completing OTP or push prompts on an attacker-controlled page, hijack the resulting session, and gain unauthorised system access and expose data.
Operational notes
Use phishing-resistant MFA (FIDO2/WebAuthn passkeys or certificate-based). Disable SMS/OTP where possible and monitor for MFA fatigue and suspicious prompts.
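The reason FIDO2/WebAuthn resists the phishing described above is that the browser, not the web page, records the page origin in clientDataJSON, and the authenticator binds its signature to the relying-party ID derived from the page's host. A server that performs the standard assertion checks therefore rejects an assertion obtained on a look-alike domain, a replayed assertion, and a forged one. The following simulation is an added illustration, not code from the control page or from ASD; the relying-party ID, the allowed origins, and the use of HMAC-SHA256 as a stand-in for the credential's asymmetric signature are constructed simplifications.

```python
import base64
import hashlib
import hmac
import json
import secrets
import struct
from urllib.parse import urlparse

# Relying-party configuration (constructed example values, not from the page).
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def simulate_browser_assertion(page_origin: str, challenge: bytes, credential_key: bytes):
    """Model what browser + authenticator produce for navigator.credentials.get().

    The browser writes `origin` into clientDataJSON itself, and the authenticator
    hashes the RP ID the browser derived from the page host into authenticatorData.
    A phishing page cannot override either value. HMAC-SHA256 stands in for the
    credential's asymmetric signature (simplification for an offline demo).
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    rp_id_hash = sha256(urlparse(page_origin).hostname.encode())
    flags = b"\x01"                      # user-present (UP) bit set
    counter = struct.pack(">I", 1)       # signature counter
    authenticator_data = rp_id_hash + flags + counter
    signed = authenticator_data + sha256(client_data)
    signature = hmac.new(credential_key, signed, "sha256").digest()
    return client_data, authenticator_data, signature


def verify_assertion(expected_challenge, client_data, authenticator_data, signature, credential_key):
    """Relying-party side of the WebAuthn assertion verification procedure.

    Returns (accepted, reason). Check order follows the specification: ceremony
    type, challenge, origin, rpIdHash, user presence, then the signature.
    """
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False, "client data not JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch"          # replay or stale assertion
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed"          # look-alike / phishing domain
    if authenticator_data[:32] != sha256(RP_ID.encode()):
        return False, "rpIdHash mismatch"           # credential bound to another RP
    if not authenticator_data[32] & 0x01:
        return False, "user presence not asserted"
    expected = hmac.new(credential_key, authenticator_data + sha256(client_data), "sha256").digest()
    if not hmac.compare_digest(expected, signature):
        return False, "signature invalid"
    return True, "ok"


def demo():
    """Run the legitimate flow and four attack scenarios; return each verdict."""
    key = secrets.token_bytes(32)
    results = {}

    # 1. Genuine login from the real site.
    ch = secrets.token_bytes(32)
    legit = simulate_browser_assertion("https://login.example.com", ch, key)
    results["legit"] = verify_assertion(ch, *legit, key)

    # 2. User tricked into authenticating on a look-alike domain (constructed).
    ch2 = secrets.token_bytes(32)
    phish = simulate_browser_assertion("https://login.example-com.net", ch2, key)
    results["phish"] = verify_assertion(ch2, *phish, key)

    # 3. Attacker edits clientDataJSON to claim the real origin: rpIdHash still differs.
    cd, ad, sig = phish
    tampered = cd.replace(b"login.example-com.net", b"login.example.com")
    results["tampered"] = verify_assertion(ch2, tampered, ad, sig, key)

    # 4. Captured genuine assertion replayed against a fresh server challenge.
    results["replay"] = verify_assertion(secrets.token_bytes(32), *legit, key)

    # 5. Forged signature over otherwise valid data.
    cd, ad, sig = legit
    forged = bytes([sig[0] ^ 0xFF]) + sig[1:]
    results["forged"] = verify_assertion(ch, cd, ad, forged, key)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:9s} accepted={ok} reason={reason}")
```

Compare this with an OTP or push prompt: those factors carry no binding to the origin, so a code or approval obtained on the look-alike page is as good as one obtained on the real site. Logging the rejection reason (origin, rpIdHash, challenge) is also useful detection signal, since repeated origin rejections for one user indicate an active phishing campaign.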
Implementation tips
- Security officer should assess which systems hold or access sensitive information and require multi-factor authentication (MFA) for logging in.
- IT team should ensure all user accounts are enrolled in MFA by integrating an app that provides one-time codes alongside a password.
- System administrator should configure systems to send alerts to users when their account has a new device added for authentication, to catch potential breaches early.
- IT team should regularly update and test the MFA system to make sure it's working correctly and providing effective security against newer phishing methods.
- Security officer should offer training sessions for employees to recognise phishing attempts and understand the importance of MFA.
Audit / evidence tips
- Ask: Are all users of sensitive systems using multi-factor authentication?
  Good: The documentation should show MFA is enabled for all users, and logs demonstrate it is being consistently used.
- Ask: How is phishing resistance ensured in the MFA method?
  Good: The organisation uses a trusted MFA solution which is resistant to phishing, such as apps generating one-time passwords.
Cross-framework mappings
How E8-MF-ML2.5 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | ||
| Annex A 8.5 | E8-MF-ML2.5 requires phishing-resistant MFA for system access as a specific secure authentication outcome | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | ||
| ISM-1401 | ISM-1401 requires implementing MFA using multiple factors (possession plus knowledge, or possession unlocked by knowledge/biometric) | |
| ISM-1894 | E8-MF-ML2.5 requires that MFA used for system access is phishing-resistant | |
| Supports (5) | ||
| ISM-0974 | ISM-0974 mandates MFA for unprivileged users to mitigate account compromise risks | |
| ISM-1173 | ISM-1173 mandates that privileged users authenticate using MFA for system access | |
| ISM-1893 | ISM-1893 requires MFA for users accessing third-party online customer services that process, store or communicate sensitive customer data | |
| ISM-2011 | ISM-2011 requires that when phishing-resistant MFA is used by user accounts, any non-phishing-resistant MFA options are disabled for thos... | |
| ISM-2077 | ISM-2077 requires that organisations do not use email for out-of-band authentication | |
| Related (1) | ||
| ISM-1682 | ISM-1682 requires that multi-factor authentication (MFA) used to authenticate users of systems is phishing-resistant | |