ISM-0417 policy ASD Information Security Manual (ISM)

Use Passwords When Multi-Factor Authentication Isn't Supported

If systems can't use multi-factor authentication, they should use passwords for single-factor authentication.


Plain language

There are times when certain systems can't use stronger security measures like multi-factor authentication (MFA), which usually involves a second step like a text message code, to protect access. In such cases, we rely on passwords alone. It's crucial to ensure these passwords are strong and well-managed because, without good password practices, there is a greater risk of unauthorised access to sensitive information.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2025

Control Stack last updated

18 May 2026

E8 maturity levels

N/A

Official control statement

When systems cannot support multi-factor authentication, single-factor authentication using passwords is implemented instead.

Why it matters

If MFA is unavailable and strong password-only authentication is not enforced, attackers can gain unauthorised access and expose sensitive information.


Operational notes

Where MFA cannot be used, enforce strong password-only authentication: length/complexity, deny common passwords, and set lockout/rate-limits to reduce guessing.
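An added example (not part of the ISM or this control page) of the three password-only safeguards the operational notes name: a minimum length and complexity check, a deny-list of common passwords, and lockout after repeated failures. The thresholds, the sample deny-list and the function names are assumptions for illustration.

```python
# Added illustration; thresholds and the deny-list are assumptions, not ISM values.
import hashlib, hmac, os, time

# Constructed sample deny-list; a real deployment loads a breached-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 14          # assumed minimum length
MAX_FAILURES = 5         # assumed failures before lockout
LOCKOUT_SECONDS = 900    # assumed lockout duration

def check_password_policy(candidate: str) -> list:
    """Return policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password deny-list")
    classes = [any(c.islower() for c in candidate), any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate), any(not c.isalnum() for c in candidate)]
    if sum(classes) < 2:
        problems.append("fewer than two character classes")
    return problems

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a stolen credential store resists offline guessing.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_account(password: str) -> dict:
    """Reject policy violations at enrolment; store only salt, hash and lockout state."""
    problems = check_password_policy(password)
    if problems:
        raise ValueError("; ".join(problems))
    salt = os.urandom(16)
    return {"salt": salt, "digest": hash_password(password, salt),
            "failures": 0, "locked_until": 0.0}

def authenticate(acct: dict, attempt: str, now=None) -> str:
    """Return 'ok', 'bad_password' or 'locked'; lock after MAX_FAILURES bad attempts."""
    now = time.time() if now is None else now
    if now < acct["locked_until"]:
        return "locked"          # refuse even a correct password while locked out
    if hmac.compare_digest(acct["digest"], hash_password(attempt, acct["salt"])):
        acct["failures"] = 0
        return "ok"
    acct["failures"] += 1
    if acct["failures"] >= MAX_FAILURES:
        acct["failures"] = 0
        acct["locked_until"] = now + LOCKOUT_SECONDS
    return "bad_password"
```

The lockout is per account and time-based so that a guessing attempt is refused even when it eventually supplies the right password; a production system would also log each lockout for the security operations team.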


Implementation tips

  • System owners should assess if any system cannot support multi-factor authentication. To do this, check system specifications or consult with the vendor to clarify if MFA can be enabled.
  • IT teams should enforce strong password policies for systems limited to passwords only. This includes setting rules about password length, complexity, and regular updates.
  • Office managers or HR personnel should conduct regular training sessions on creating and maintaining strong passwords. This will help ensure employees understand the importance of password security.
  • Procurement teams should be involved when acquiring new systems. They need to confirm during the purchase process if the system supports multi-factor authentication, avoiding systems that only allow password protection unless absolutely necessary.
  • The IT team should implement a password management tool to help users securely store and manage their passwords. Select a tool that securely encrypts passwords and is user-friendly to encourage its use.

Audit / evidence tips

  • Ask: The list of systems without multi-factor authentication capability. Good: Includes a complete record with evidence these systems were assessed for MFA support.
  • Good: Shows all users must use strong passwords, with clear rules that are easy to understand.
  • Ask: Employees if they received training on password creation and management. Good: Is that they recall attending training and describe the key points emphasised regarding password security.
  • Good: Is that users can demonstrate the tool's use and discuss its features, reflecting its integration into daily routines.
  • Good: Includes evidence of acceptance criteria mandating MFA or reasons documented why exceptions were made.

Cross-framework mappings

How ISM-0417 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (2)

Control        Notes
Annex A 5.17   ISM-0417 requires that where systems cannot support multi-factor authentication, organisations implement single-factor authentication usi...
Annex A 8.5    ISM-0417 specifies a particular authentication fallback: if MFA is not supported, use passwords for single-factor authentication

E8

Supports (1)

Control        Notes
E8-MF-ML1.3    E8-MF-ML1.3 requires MFA (where available) for authenticating users to third-party online services that process, store or communicate non...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
