E8-MF-ML3.1 ASD Essential Eight

Multi-factor authentication is used to authenticate users of data repositories

Use multiple verification methods to authorise access to data storage systems.

Plain language

Multi-factor authentication (MFA) is like having two locks on your door instead of one. It protects your important data by making sure that anyone trying to access it has to prove their identity in more than one way, such as knowing a password and having a mobile phone. Without MFA, cybercriminals could more easily gain access to sensitive information, potentially leading to data breaches or financial loss.

Framework

ASD Essential Eight

Control effect

Preventative

E8 mitigation strategy

Multi-factor authentication

Classifications

N/A

Official last update

N/A

Control Stack last updated

18 May 2026

E8 maturity levels

ML3

Official control statement

Multi-factor authentication is used to authenticate users of data repositories.

Why it matters

Without MFA, unauthorised access to data repositories is more likely, increasing exposure of sensitive data and resulting in breaches and reputational damage.

Operational notes

Audit MFA on all data repositories so every access path (admin console, user UI and API/service accounts) enforces MFA, and remediate any exceptions promptly.

Implementation tips

  • The IT team should ensure that MFA is enabled on all data repositories. This can be done by configuring the settings in your data management software to require multiple forms of verification for user access.
  • The system administrator should regularly update and test the MFA system. They need to verify that each option, like a text to a mobile phone or an authentication app, is working correctly.
  • The security officer should train staff on how to use MFA. They should explain how to set up and use their devices for authentication, ensuring everyone understands the process.
  • The IT team should integrate a list of approved MFA methods into the organisation's access policies. Use only methods that meet security standards, such as authentication apps or security tokens.
  • The system administrator should monitor and support users struggling with MFA issues. Set up a helpdesk process to quickly resolve any problems employees might have accessing systems with MFA.

Audit / evidence tips

  • Ask: Does the organisation use MFA to protect access to their data repositories?
  • Good: The organisation has documented evidence showing MFA is configured on all data repositories, and staff have been trained on its use.
  • Ask: How does the organisation ensure all MFA methods used are resistant to phishing?
  • Good: The organisation regularly updates its list of approved MFA methods to ensure they are phishing-resistant, with documented testing results available.
  • Ask: Are MFA logs being recorded and analysed?
  • Good: There are logs showing both types of MFA attempts, which are regularly reviewed by the IT security team.

Cross-framework mappings

How E8-MF-ML3.1 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Related (1)
  • Annex A 8.5: Annex A 8.5 requires organisations to implement secure authentication technologies and procedures aligned with access restrictions and th...

ASD ISM

Partially meets (1)
  • ISM-1504: E8-MF-ML3.1 requires MFA for users of data repositories
Partially overlaps (2)
  • ISM-0974: E8-MF-ML3.1 requires MFA for users accessing data repositories
  • ISM-1173: E8-MF-ML3.1 requires MFA for users of data repositories
Supports (5)
  • ISM-1268: ISM-1268 requires enforcing need-to-know access within databases using minimum privileges, roles/views, and tokenisation so only authoris...
  • ISM-1401: E8-MF-ML3.1 requires MFA to authenticate users of data repositories
  • ISM-1872: E8-MF-ML3.1 requires MFA for users of data repositories
  • ISM-1919: E8-MF-ML3.1 requires MFA for authenticating users of data repositories
  • ISM-1920: E8-MF-ML3.1 requires MFA to authenticate users of data repositories
Related (2)
  • ISM-1505: E8-MF-ML3.1 requires multi-factor authentication (MFA) to be used to authenticate users of data repositories
  • ISM-1894: ISM-1894 requires that MFA for data repository access is specifically phishing-resistant, setting a stronger quality requirement for the ...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
