Multi-factor authentication is used to authenticate users of data repositories
Use multiple verification methods to authorize access to data storage systems.
Plain language
Multi-factor authentication (MFA) is like having two locks on your door instead of one. It protects your important data by making sure that anyone trying to access it has to prove their identity in more than one way, such as knowing a password and having a mobile phone. Without MFA, cybercriminals could more easily gain access to sensitive information, potentially leading to data breaches or financial loss.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Multi-factor authentication
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Official control statement
Multi-factor authentication is used to authenticate users of data repositories.
Why it matters
Without MFA, unauthorised access to data repositories is more likely, increasing exposure of sensitive data and resulting in breaches and reputational damage.
Operational notes
Audit MFA on all data repositories so every access path (admin console, user UI and API/service accounts) enforces MFA, and remediate any exceptions promptly.
Implementation tips
- The IT team should ensure that MFA is enabled on all data repositories. This can be done by configuring the settings in your data management software to require multiple forms of verification for user access.
- The system administrator should regularly update and test the MFA system. They need to verify that each option, like a text to a mobile phone or an authentication app, is working correctly.
- The security officer should train staff on how to use MFA. They should explain how to set up and use their devices for authentication, ensuring everyone understands the process.
- The IT team should integrate a list of approved MFA methods into the organisation's access policies. Use only those methods that meet security standards, such as using authentication apps or security tokens.
- The system administrator should monitor and support users struggling with MFA issues. Set up a helpdesk process to quickly resolve any problems employees might have accessing systems with MFA.
Audit / evidence tips
- Ask: Does the organisation use MFA to protect access to their data repositories?
- Good: The organisation has documented evidence showing MFA is configured on all data repositories, and staff has been trained on its use
- Ask: How does the organisation ensure all MFA methods used are resistant to phishing?
- Good: The organisation regularly updates its list of approved MFA methods to ensure they are phishing-resistant, with documented testing results available
- Ask: Are MFA logs being recorded and analysed?
- Good: There are logs showing both types of MFA attempts, which are regularly reviewed by the IT security team
Cross-framework mappings
How E8-MF-ML3.1 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Related (1) | | |
| Annex A 8.5 | Annex A 8.5 requires organisations to implement secure authentication technologies and procedures aligned with access restrictions and th... | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| ISM-1504 | E8-MF-ML3.1 requires MFA for users of data repositories | |
| Partially overlaps (2) | | |
| ISM-0974 | E8-MF-ML3.1 requires MFA for users accessing data repositories | |
| ISM-1173 | E8-MF-ML3.1 requires MFA for users of data repositories | |
| Supports (5) | | |
| ISM-1268 | ISM-1268 requires enforcing need-to-know access within databases using minimum privileges, roles/views, and tokenisation so only authoris... | |
| ISM-1401 | E8-MF-ML3.1 requires MFA to authenticate users of data repositories | |
| ISM-1872 | E8-MF-ML3.1 requires MFA for users of data repositories | |
| ISM-1919 | E8-MF-ML3.1 requires MFA for authenticating users of data repositories | |
| ISM-1920 | E8-MF-ML3.1 requires MFA to authenticate users of data repositories | |
| Related (2) | | |
| ISM-1505 | E8-MF-ML3.1 requires multi-factor authentication (MFA) to be used to authenticate users of data repositories | |
| ISM-1894 | ISM-1894 requires that MFA for data repository access is specifically phishing-resistant, setting a stronger quality requirement for the ... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.