Control Stack
E8-MF-ML3.2 ASD Essential Eight

Phishing-resistant multi-factor authentication for online customer services

Use multi-factor authentication that resists phishing for customers accessing online services.

🏛️ Framework

ASD Essential Eight

🧭 Control effect

Preventative

🛠️ E8 mitigation strategy

Multi-factor authentication

🔐 Classifications

N/A

🗓️ Official last update

N/A

✏️ Control Stack last updated

19 Mar 2026

🎯 E8 maturity levels

ML3

Official control statement
Multi-factor authentication used for authenticating customers of online customer services is phishing-resistant.

Source: ASD Essential Eight

Plain language

This control is about making sure that when customers use your online services, they have to pass a stronger security check that can't be easily tricked by scams or fake websites. Without this, criminals could pretend to be your customers and access sensitive information, causing harm to your business and your customers.

Why it matters

Without phishing-resistant MFA, criminals can hijack customer accounts via phishing, enabling fraud, data exposure and reputational harm.

Operational notes

Use phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys) for customers; disable SMS and OTP factors where possible, and verify redirect targets and origin binding in login flows.
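As an added example (not code from the Control Stack page or from ASD), the relying-party checks that make "origin binding" concrete for a WebAuthn/passkey login: a Python function that validates a constructed clientDataJSON and authenticatorData against the relying party's expected origins, RP ID and per-login challenge. The RP ID, origin set and sample values are assumptions, and signature verification over the same data is assumed to follow these checks and is omitted here.

```python
import base64
import hashlib
import json

# Relying-party configuration: assumed values for this example.
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def check_origin_binding(client_data_json, authenticator_data, expected_challenge):
    """Origin-binding checks a relying party runs on a WebAuthn assertion
    before verifying its signature. Returns (ok, reason)."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    # The challenge ties the assertion to this login attempt (anti-replay).
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch"
    # The browser records the page origin itself; a look-alike domain fails here.
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed: %r" % cd.get("origin")
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    # First 32 bytes are SHA-256 of the RP ID the credential is scoped to.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:  # UP flag: user presence
        return False, "user presence not asserted"
    return True, "ok"


# Constructed samples of what a browser/authenticator would emit (not real captures).
def make_client_data(origin, challenge):
    ch = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": ch,
                       "origin": origin, "crossOrigin": False}).encode()


def make_auth_data(rp_id, flags=0x05, counter=7):
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


if __name__ == "__main__":
    challenge = b"0123456789abcdef"  # constructed per-login challenge
    for origin in ("https://login.example.com", "https://example-login.com"):
        print(origin, check_origin_binding(make_client_data(origin, challenge),
                                           make_auth_data(RP_ID), challenge))
```

A browser on a look-alike domain would normally refuse to produce an assertion scoped to this RP ID at all; the server-side checks above are the defence-in-depth layer that catches a proxied or tampered assertion.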

Implementation tips

  • The IT team should implement multi-factor authentication for all online customer services, requiring a second form of verification beyond a password, such as a code sent to a mobile device.
  • System administrators need to configure authentication systems to resist phishing attempts by using methods like hardware security keys that cannot be intercepted by attackers.
  • The security officer should ensure that training is provided to both staff and customers on how to use phishing-resistant authentication methods effectively.
  • IT staff should regularly update the authentication technology and methods to stay ahead of new phishing techniques and cyber threats.
  • The risk management team should conduct regular reviews of authentication logs to verify resistance against phishing attacks and ensure that the multi-factor setup is functioning as intended.

Audit / evidence tips

  • Ask: Does the organisation use multi-factor authentication for their online customer services?

  • Good: The system requires a password and a security token, with logs showing consistent usage by customers

  • Ask: Are the authentication methods used resistant to phishing?

  • Good: The system uses app-generated tokens or physical keys that cannot be easily stolen via phishing

  • Ask: How is user training on these methods conducted?

  • Good: Documentation and records show regular user training sessions, with materials explaining phishing-resistant practices

Cross-framework mappings

How E8-MF-ML3.2 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (1)
  • Annex A 8.5: E8-MF-ML3.2 requires phishing-resistant MFA for customers authenticating to online customer services
Supports (1)
  • Annex A 5.17: E8-MF-ML3.2 requires phishing-resistant MFA for customers accessing online customer services

ASD ISM

Partially meets (3)
  • ISM-1546: E8-MF-ML3.2 requires phishing-resistant MFA for customers of online customer services
  • ISM-1681: ISM-1681 requires MFA for customers authenticating to online customer services that handle sensitive customer data
  • ISM-1682: E8-MF-ML3.2 requires phishing-resistant MFA specifically for customers of online customer services
Partially overlaps (2)
  • ISM-1401: E8-MF-ML3.2 requires phishing-resistant multi-factor authentication (MFA) for customers using online customer services
  • ISM-1680: E8-MF-ML3.2 requires phishing-resistant MFA for authenticating customers of online customer services
Supports (2)
  • ISM-2011: ISM-2011 requires that when phishing-resistant MFA is enabled for a user account, other non-phishing-resistant MFA options are disabled f...
  • ISM-2077: E8-MF-ML3.2 requires phishing-resistant MFA for customers accessing online customer services
Related (3)
  • ISM-1872: ISM-1872 requires that multi-factor authentication (MFA) used to authenticate users of online services is phishing-resistant
  • ISM-1873: ISM-1873 requires that multi-factor authentication (MFA) for authenticating customers of online customer services provides a phishing-res...
  • ISM-1874: ISM-1874 requires that multi-factor authentication used to authenticate customers of online customer services is phishing-resistant
