Phishing-resistant multi-factor authentication for data repositories
Use secure multi-factor authentication methods to protect data repositories against phishing attacks.
Plain language
This control is about making sure that when people access data stored in digital libraries or storage areas, they use a secure form of sign-in that can't be easily tricked by fake requests for their information. Without this, someone could pretend to be them and access sensitive or important data, causing harm or leading to data breaches.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Multi-factor authentication
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Official control statement
Multi-factor authentication used for authenticating users of data repositories is phishing-resistant.
Why it matters
Without phishing-resistant MFA for data repositories, attackers can phish credentials and MFA prompts to access sensitive data and exfiltrate it.
Operational notes
Enforce phishing-resistant MFA (FIDO2/WebAuthn or client certificates) for repository access, disable SMS/OTP, and monitor for repeated MFA prompts and device re-registrations.
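The monitoring part of the note above, as an added example that is not from this page or any vendor product: it runs over constructed authentication events (the record format and field names are assumptions) and flags repository sign-ins that used a non-phishing-resistant method, bursts of MFA prompts for one user, and device registrations.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Methods the control accepts as phishing-resistant (FIDO2/WebAuthn, client certificates).
PHISHING_RESISTANT = {"fido2", "webauthn", "client_cert"}

# Constructed sample events; the field names are an assumption, not a real product's log schema.
SAMPLE_EVENTS = [
    {"ts": "2026-03-19T09:00:00", "user": "alice", "event": "mfa_auth", "method": "webauthn"},
    {"ts": "2026-03-19T09:01:00", "user": "bob", "event": "mfa_auth", "method": "sms_otp"},
    {"ts": "2026-03-19T09:02:00", "user": "carol", "event": "mfa_prompt", "method": "push"},
    {"ts": "2026-03-19T09:03:00", "user": "carol", "event": "mfa_prompt", "method": "push"},
    {"ts": "2026-03-19T09:04:00", "user": "carol", "event": "mfa_prompt", "method": "push"},
    {"ts": "2026-03-19T09:05:00", "user": "carol", "event": "mfa_prompt", "method": "push"},
    {"ts": "2026-03-19T09:10:00", "user": "dave", "event": "device_registered", "method": "webauthn"},
]


def review_events(events, window=timedelta(minutes=5), prompt_limit=3):
    """Return (finding, user, detail) tuples for events a reviewer should look at."""
    findings = []
    recent_prompts = defaultdict(list)  # user -> timestamps of prompts inside the window
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["event"] == "mfa_auth" and e["method"] not in PHISHING_RESISTANT:
            # A successful repository sign-in with SMS/OTP or push means the control is not enforced.
            findings.append(("non_phishing_resistant", e["user"], e["method"]))
        elif e["event"] == "mfa_prompt":
            # Keep only prompts within the sliding window, then check for a burst.
            kept = [t for t in recent_prompts[e["user"]] if ts - t <= window] + [ts]
            recent_prompts[e["user"]] = kept
            if len(kept) == prompt_limit:  # report once per burst, not on every later prompt
                findings.append(("repeated_prompts", e["user"], len(kept)))
        elif e["event"] == "device_registered":
            # Every new authenticator registration is worth a review, whatever the method.
            findings.append(("device_registration", e["user"], e["method"]))
    return findings


if __name__ == "__main__":
    for finding in review_events(SAMPLE_EVENTS):
        print(*finding)
```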
Implementation tips
- Security Officer: Ensure that all data repositories require multi-factor authentication (MFA) that can resist phishing attempts. Implement systems that ask for both a password and a security token, such as an app-generated code.
- IT Team: Test the current MFA methods in place for data repositories and upgrade to options that are not susceptible to phishing, like app-based or biometric authentication, by following vendor setup guides.
- System Administrator: Regularly check and update the authentication systems to ensure they are using the latest methods for resisting phishing, by reviewing vendor updates and applying patches.
- Training Officer: Educate all staff about recognising and avoiding phishing attempts that target MFA, using simple training sessions or workshops built around real-world scenarios.
Audit / evidence tips
- Ask: Does the organisation use phishing-resistant multi-factor authentication for accessing data repositories?
- Good: The organisation uses both a password and a secure token or biometric feature for authentication, and has documented records of its implementation and updates.
- Ask: How are MFA failures logged and reviewed?
- Good: All authentication attempts are logged, and unsuccessful attempts are reviewed regularly to identify security weaknesses.
Cross-framework mappings
How E8-MF-ML3.3 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 5.17 | E8-MF-ML3.3 requires phishing-resistant MFA for accessing data repositories | |
| Annex A 8.5 | E8-MF-ML3.3 requires a specific control: phishing-resistant MFA for users of data repositories | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| ISM-1505 | E8-MF-ML3.3 requires phishing-resistant MFA for authenticating users of data repositories | |
| ISM-1682 | E8-MF-ML3.3 requires phishing-resistant MFA specifically for user access to data repositories | |
| Partially overlaps (1) | | |
| ISM-1504 | ISM-1504 requires MFA for user access to the organisation’s online services that handle sensitive data | |
| Supports (2) | | |
| ISM-2011 | E8-MF-ML3.3 requires that MFA for data repository access is phishing-resistant | |
| ISM-2077 | E8-MF-ML3.3 requires phishing-resistant MFA to protect access to data repositories from phishing attacks | |
| Related (1) | | |
| ISM-1894 | E8-MF-ML3.3 requires that multi-factor authentication (MFA) used to access data repositories is specifically phishing-resistant | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.