MFA success and failure events are centrally logged
Ensure all successful and failed MFA attempts are logged in one central location.
Plain language
This control is about keeping track of who is trying to get into your systems by logging all successful and unsuccessful attempts to use additional security checks, like codes sent to phones, to access accounts. Without it, a hacker could try many times to break in without anyone noticing, making it easier for them to access sensitive information.
Framework
ASD Essential Eight
Control effect
Detective
E8 mitigation strategy
Multi-factor authentication
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
Successful and unsuccessful multi-factor authentication events are centrally logged.
Why it matters
If MFA success and failure events aren’t centrally logged, MFA abuse and credential-stuffing activity may be missed, delaying detection and response to account compromise.
Operational notes
Ensure all MFA providers forward success/failure events to a central SIEM, retain logs, and alert on repeated failures, impossible travel, or MFA fatigue prompts across multiple accounts.
Implementation tips
- The IT team should ensure that all systems requiring multi-factor authentication are capable of sending authentication attempts to a central logging system by configuring the correct logging settings on each system.
- A security officer should verify that all logs from multi-factor authentication are routinely being received and stored in a secure, central location, such as a dedicated server or cloud-based log management service, by monitoring the logging system regularly.
- System administrators should configure alerts within the central logging system to notify them of repeated failed authentication attempts, which may indicate a potential security threat, by setting up specific thresholds for alerts.
- The finance manager should ensure that there is a budget allocated for purchasing or subscribing to a reliable log management solution that can handle the volume of data produced by multi-factor logging.
- The security team should regularly review and update log retention policies to ensure that logs are kept for a sufficient period of time to support any investigations into security incidents by consulting compliance requirements or industry best practices.
Audit / evidence tips
- AskCan you describe your process for logging multi-factor authentication events?
- GoodThe organisation has a dedicated log management system that records every multi-factor attempt, with logs stored securely and accessible for audit purposes
- AskHow do you ensure that failed multi-factor authentication attempts are monitored and addressed?
- GoodAlerts are configured to notify the security team about suspicious patterns of failed authentication attempts, which are investigated promptly
Cross-framework mappings
How E8-MF-ML2.6 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.15 | E8-MF-ML2.6 requires organisations to centrally log successful and unsuccessful MFA events | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (5) expand_less | ||
| ISM-0585 | ISM-0585 requires logs to capture date/time and the relevant user or process, plus descriptive and asset context for each event | |
| ISM-1509 | E8-MF-ML2.6 requires that successful and unsuccessful MFA events are centrally logged | |
| ISM-1895 | ISM-1895 requires successful and unsuccessful single-factor authentication events to be centrally logged | |
| ISM-1976 | ISM-1976 requires central logging of security-relevant events on macOS systems | |
| ISM-1977 | ISM-1977 requires security-relevant events for Linux operating systems to be centrally logged | |
| handshake Supports (5) expand_less | ||
| ISM-1504 | ISM-1504 requires MFA to be used for authenticating users to online services handling sensitive data | |
| ISM-1505 | ISM-1505 requires MFA to be used to authenticate users of data repositories | |
| ISM-1892 | ISM-1892 requires MFA to protect access to online customer services handling sensitive customer data | |
| ISM-1893 | ISM-1893 requires the use of MFA for users accessing third-party online customer services that process, store or communicate sensitive cu... | |
| ISM-1894 | ISM-1894 requires phishing-resistant MFA for authenticating users of data repositories | |
| extension Depends on (1) expand_less | ||
| ISM-0580 | E8-MF-ML2.6 requires central logging of MFA success and failure events | |
| link Related (2) expand_less | ||
| ISM-1405 | ISM-1405 requires a centralised event logging facility so authentication and other security-relevant logs can be collected in one location | |
| ISM-1683 | E8-MF-ML2.6 requires organisations to centrally log successful and unsuccessful multi-factor authentication (MFA) events | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.