Phishing-resistant multi-factor authentication for online customer services
Use multi-factor authentication that resists phishing for customers accessing online services.
Plain language
This control is about making sure that when customers use your online services, they have to pass a stronger security check that can't be easily tricked by scams or fake websites. Without this, criminals could pretend to be your customers and access sensitive information, causing harm to your business and your customers.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Multi-factor authentication
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Official control statement
Multi-factor authentication used for authenticating customers of online customer services is phishing-resistant.
Why it matters
Without phishing-resistant MFA, criminals can hijack customer accounts via phishing, enabling fraud, data exposure and reputational harm.
Operational notes
Use phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys) for customers; disable SMS and one-time-code factors where possible, and make sure the login flow enforces origin binding (the WebAuthn origin and RP ID hash checked server-side) and does not send customers through untrusted redirects.
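The origin binding mentioned in the operational note is what makes WebAuthn phishing-resistant: the browser, not the page, writes the origin into clientDataJSON, and the authenticator hashes the RP ID into authenticatorData, so an assertion produced on a look-alike site fails verification even when the customer was fooled. The following is an added Python illustration of those server-side checks (not code from the page or from any control framework); the RP ID, allowed origins and sample inputs are constructed, and the signature check is deliberately left out.

```python
import base64
import hashlib
import json
import secrets

# Constructed relying-party settings for this example; not values from the page.
RP_ID = "bank.example"
ALLOWED_ORIGINS = {"https://bank.example", "https://login.bank.example"}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_challenge: bytes) -> tuple:
    """Check the fields of a WebAuthn assertion that tie it to the legitimate site.

    Returns (ok, reason). The signature over authenticatorData || SHA-256(clientDataJSON)
    would be verified afterwards with the registered public key; it is omitted here.
    """
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if not isinstance(client_data, dict) or client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    try:
        challenge = b64url_decode(str(client_data.get("challenge", "")))
    except ValueError:
        return False, "malformed challenge"
    if not secrets.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch (possible replay)"
    # Origin is filled in by the browser; a phishing page cannot forge it.
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin not allowed: {client_data.get('origin')!r}"
    if len(authenticator_data) < 37:  # rpIdHash(32) + flags(1) + signCount(4)
        return False, "authenticatorData too short"
    if not secrets.compare_digest(authenticator_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash does not match the relying party ID"
    if not authenticator_data[32] & 0x01:  # UP flag: authenticator tested user presence
        return False, "user presence (UP) flag not set"
    return True, "ok"

# Constructed sample inputs shaped like what a browser sends (no real signature).
def make_client_data(origin: str, challenge: bytes) -> bytes:
    enc = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": enc, "origin": origin}).encode()

def make_auth_data(rp_id: str, flags: int = 0x05) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")
```

A login on a look-alike domain yields a different origin and RP ID hash, so the same checks reject it regardless of what the customer typed.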
Implementation tips
- The IT team should implement multi-factor authentication for all online customer services, requiring a second form of verification beyond a password; at this maturity level that second factor must itself be phishing-resistant (for example a security key or passkey), so a code sent to a mobile device is not sufficient on its own.
- System administrators need to configure authentication systems to resist phishing by using methods such as hardware security keys, whose response is bound to the legitimate site's origin and so cannot be relayed from a fake login page.
- The security officer should ensure that training is provided to both staff and customers on how to use phishing-resistant authentication methods effectively.
- IT staff should regularly update the authentication technology and methods to stay ahead of new phishing techniques and cyber threats.
- The risk management team should conduct regular reviews of authentication logs to confirm that customers are in fact authenticating with the phishing-resistant method, that weaker fallback methods are not being used, and that the multi-factor setup is functioning as intended.
Audit / evidence tips
- Ask: Does the organisation use multi-factor authentication for its online customer services?
  Good: The system requires a password and a security token, with logs showing consistent usage by customers.
- Ask: Are the authentication methods used resistant to phishing?
  Good: The system uses FIDO2/WebAuthn security keys or passkeys, which are bound to the legitimate origin and so cannot be relayed through a phishing site; SMS or app-generated one-time codes do not meet this bar.
- Ask: How is user training on these methods conducted?
  Good: Documentation and records show regular user training sessions, with materials explaining phishing-resistant practices.
Cross-framework mappings
How E8-MF-ML3.2 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.5 | E8-MF-ML3.2 requires phishing-resistant MFA for customers authenticating to online customer services |
| Supports | Annex A 5.17 | E8-MF-ML3.2 requires phishing-resistant MFA for customers accessing online customer services |
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | ISM-1546 | E8-MF-ML3.2 requires phishing-resistant MFA for customers of online customer services |
| Partially meets | ISM-1681 | ISM-1681 requires MFA for customers authenticating to online customer services that handle sensitive customer data |
| Partially meets | ISM-1682 | E8-MF-ML3.2 requires phishing-resistant MFA specifically for customers of online customer services |
| Partially overlaps | ISM-1401 | E8-MF-ML3.2 requires phishing-resistant multi-factor authentication (MFA) for customers using online customer services |
| Partially overlaps | ISM-1680 | E8-MF-ML3.2 requires phishing-resistant MFA for authenticating customers of online customer services |
| Supports | ISM-2011 | ISM-2011 requires that when phishing-resistant MFA is enabled for a user account, other non-phishing-resistant MFA options are disabled f... |
| Supports | ISM-2077 | E8-MF-ML3.2 requires phishing-resistant MFA for customers accessing online customer services |
| Related | ISM-1872 | ISM-1872 requires that multi-factor authentication (MFA) used to authenticate users of online services is phishing-resistant |
| Related | ISM-1873 | ISM-1873 requires that multi-factor authentication (MFA) for authenticating customers of online customer services provides a phishing-res... |
| Related | ISM-1874 | ISM-1874 requires that multi-factor authentication used to authenticate customers of online customer services is phishing-resistant |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.