E8-MF-ML2.5 (ASD Essential Eight)

Multi-factor authentication used for system access is phishing-resistant

Ensure system login methods resist phishing attacks using multiple authentication factors.


Plain language

This control ensures that logging into important systems is more secure by using two or more forms of identification, such as a password and a unique code from an app. This extra step prevents criminals from accessing sensitive information, even if they manage to steal someone’s password.

Framework

ASD Essential Eight

Control effect

Preventative

E8 mitigation strategy

Multi-factor authentication

Classifications

N/A

Official last update

N/A

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML2

Official control statement

Multi-factor authentication used for authenticating users of systems is phishing-resistant.

Why it matters

Without phishing-resistant MFA, attackers can hijack sessions via phishing and bypass OTP/push prompts, gaining unauthorised system access and data exposure.


Operational notes

Use phishing-resistant MFA (FIDO2/WebAuthn passkeys or certificate-based). Disable SMS/OTP where possible and monitor for MFA fatigue and suspicious prompts.
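The note above prefers FIDO2/WebAuthn over SMS/OTP because a WebAuthn assertion is bound to the relying party's origin and RP ID by the browser and authenticator, so one collected by a look-alike site is rejected before its signature is even examined. The following Python script is an added illustration of those binding checks (challenge, origin, rpIdHash, user-presence flag) from the WebAuthn assertion verification procedure; it is not code from the Control Stack page or from any vendor. The RP ID and origin are placeholders, the assertions are constructed in-script rather than produced by a real authenticator, and the final signature check over authenticatorData and the hash of clientDataJSON is assumed to happen after these checks and is not shown.

```python
"""Added example (not from the Control Stack page): why a FIDO2/WebAuthn
assertion is phishing-resistant. The relying party checks that the assertion
was produced for *its* origin and RP ID and for the challenge it issued; an
assertion collected by a look-alike page fails before any signature is read.
All sample data below is constructed; no real keys or signatures are used."""
import base64
import hashlib
import json
import secrets

# Assumed relying-party identity (placeholder values, not from the page).
RP_ID = "login.example.gov.au"
RP_ORIGIN = "https://login.example.gov.au"


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_assertion_binding(expected_challenge: bytes, client_data_json: bytes,
                             authenticator_data: bytes) -> tuple:
    """Challenge / origin / rpIdHash / flags checks of WebAuthn assertion
    verification. Signature verification over
    authenticatorData || SHA-256(clientDataJSON) follows these checks and is
    deliberately outside this snippet."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, f"unexpected type {cd.get('type')!r}"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    # The browser, not the user, writes the origin into clientDataJSON, so a
    # look-alike page cannot claim to be RP_ORIGIN.
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin {cd.get('origin')!r} != {RP_ORIGIN!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    # authenticatorData = rpIdHash(32) || flags(1) || signCount(4) || ...
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match RP ID"
    if not authenticator_data[32] & 0x01:  # UP (user present) flag
        return False, "user presence flag not set"
    return True, "binding checks passed"


def make_assertion(origin: str, rp_id: str, challenge: bytes) -> tuple:
    """Constructed stand-in for the clientDataJSON and authenticatorData a
    browser and authenticator would return for a page at `origin`."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url_encode(challenge),
                              "origin": origin}).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([0x01])                 # flags: UP set
                 + (0).to_bytes(4, "big"))       # signCount
    return client_data, auth_data


def demo() -> dict:
    challenge = secrets.token_bytes(32)
    legit = make_assertion(RP_ORIGIN, RP_ID, challenge)
    # A relayed login page on a look-alike domain (placeholder .test name):
    # the browser binds the assertion to that page's origin and the
    # authenticator hashes that page's RP ID, so the real RP rejects it.
    phished = make_assertion("https://login.example-gov-au.test",
                             "login.example-gov-au.test", challenge)
    # Same legitimate site, but an assertion for a challenge the RP never issued.
    replay = make_assertion(RP_ORIGIN, RP_ID, secrets.token_bytes(32))
    return {
        "legit": verify_assertion_binding(challenge, *legit),
        "phished": verify_assertion_binding(challenge, *phished),
        "replay": verify_assertion_binding(challenge, *replay),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:8s} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

Contrast this with a TOTP code or push approval: nothing in those factors names the site the user is actually on, which is why an adversary-in-the-middle page can forward them to the real service unchanged and why the note above says to disable SMS/OTP where possible.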


Implementation tips

  • Security officer should assess which systems hold or access sensitive information and require multi-factor authentication (MFA) for logging in.
  • IT team should ensure all user accounts are enrolled in MFA by integrating an app that provides one-time codes alongside a password.
  • System administrator should configure systems to send alerts to users when their account has a new device added for authentication, to catch potential breaches early.
  • IT team should regularly update and test the MFA system to make sure it's working correctly and providing effective security against newer phishing methods.
  • Security officer should offer training sessions for employees to recognise phishing attempts and understand the importance of MFA.

Audit / evidence tips

  • Ask: Are all users of sensitive systems using multi-factor authentication?
  • Good: The documentation should show MFA is enabled for all users, and logs demonstrate it is being consistently utilised.
  • Ask: How is phishing resistance ensured in the MFA method?
  • Good: The organisation uses a trusted MFA solution which is resistant to phishing, such as apps generating one-time passwords.

Cross-framework mappings

How E8-MF-ML2.5 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)
  • Annex A 8.5: E8-MF-ML2.5 requires phishing-resistant MFA for system access as a specific secure authentication outcome

ASD ISM

Partially meets (1)
  • ISM-1401: E8-MF-ML2.5 requires MFA for system access to be phishing-resistant, focusing on resistance to credential phishing and replay

Partially overlaps (4)
  • ISM-1173: E8-MF-ML2.5 requires that MFA for system access is phishing-resistant regardless of user type
  • ISM-1505: E8-MF-ML2.5 requires that MFA used for system access is phishing-resistant
  • ISM-1680: E8-MF-ML2.5 requires phishing-resistant MFA for authenticating users of systems
  • ISM-1894: E8-MF-ML2.5 requires that MFA used for system access is phishing-resistant

Supports (4)
  • ISM-0974: ISM-0974 mandates MFA for unprivileged users to mitigate account compromise risks
  • ISM-1893: ISM-1893 requires MFA for users accessing third-party online customer services that process, store or communicate sensitive customer data
  • ISM-2011: ISM-2011 requires that when phishing-resistant MFA is used by user accounts, any non-phishing-resistant MFA options are disabled for thos...
  • ISM-2077: ISM-2077 requires that organisations do not use email for out-of-band authentication

Related (1)
  • ISM-1682: E8-MF-ML2.5 requires that multi-factor authentication (MFA) used for system access is phishing-resistant

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
