Secure Two-Way Authentication for Video Calls
Video calls must use secure two-way authentication to ensure calls are encrypted and cannot be reused.
Plain language
This control is about making sure that your video calls are extra secure by using a method that checks both sides before letting the call begin, and it ensures that these calls can’t be tampered with or listened to by anyone else. This is important because if you don’t secure your video calls, sensitive information you share could be stolen or misused, putting your business or personal conversations at risk.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2018
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for communications systems
Official control statement
An encrypted and non-replayable two-way authentication scheme is used for call authentication and authorisation.
Why it matters
Without secure two-way authentication, attackers can spoof participants or replay call setup messages, exposing sensitive business or personal information during video calls.
Operational notes
Regularly test mutual authentication on video calls and validate anti-replay protections (nonces/timestamps) to ensure call setup messages cannot be reused or spoofed.
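The checks such a test exercises, as an added example that is not part of the ISM or of any vendor's protocol: each side challenges the other with a single-use nonce, and a response is accepted only if its MAC, sender identity, timestamp and nonce all check out. The `Endpoint` class, the pre-shared key, the message fields and the 30-second window are assumptions made for illustration, and the exchange is assumed to run inside an already encrypted channel.

```python
import hashlib, hmac, json, secrets, time

MAX_AGE = 30  # seconds a response stays acceptable (assumed value)

class Endpoint:
    """One call participant; both sides hold the same pre-shared key (assumption)."""
    def __init__(self, name, key):
        self.name, self.key = name, key
        self.pending = set()  # nonces issued by this side and not yet answered

    def _tag(self, sender, nonce, ts):
        # JSON list encoding keeps the MAC input unambiguous between fields
        body = json.dumps([sender, nonce, ts]).encode()
        return hmac.new(self.key, body, hashlib.sha256).hexdigest()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce

    def respond(self, nonce, now=None):
        ts = int(time.time() if now is None else now)
        return {"from": self.name, "nonce": nonce, "ts": ts,
                "tag": self._tag(self.name, nonce, ts)}

    def verify(self, msg, peer, now=None):
        now = int(time.time() if now is None else now)
        good = self._tag(msg["from"], msg["nonce"], msg["ts"])
        # Binding the sender name into the MAC also stops a reflected response
        if msg["from"] != peer or not hmac.compare_digest(good, msg["tag"]):
            return "rejected: bad identity or MAC"
        if abs(now - msg["ts"]) > MAX_AGE:
            return "rejected: stale timestamp"
        if msg["nonce"] not in self.pending:
            return "rejected: replayed or unsolicited nonce"
        self.pending.discard(msg["nonce"])  # single use: a second copy fails
        return "accepted"

def mutual_setup(a, b, now=None):
    """Each side challenges the other; the call proceeds only if both accept."""
    to_b, to_a = a.challenge(), b.challenge()
    r_a = a.verify(b.respond(to_b, now), b.name, now)
    r_b = b.verify(a.respond(to_a, now), a.name, now)
    return r_a == r_b == "accepted"
```

A test run should record all three rejection outcomes as well as the accepted case, since a scheme that only ever accepts has not had its anti-replay path exercised.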
Implementation tips
- The IT team should set up secure video call software that supports two-way authentication. This means both callers must confirm their identity before the call starts. The IT team can implement this by choosing video conferencing tools with strong security features and configuring them to require user verification each time a call is initiated.
- System owners should work with the IT team to ensure call encryption is enabled. This involves checking the settings in your video call software to make sure encryption is turned on, which protects the content of your calls from being accessed by unauthorized parties.
- Managers need to communicate the importance of secure video calls to their team members. They can do this by organizing brief training sessions that explain how and why to use two-way authentication and encryption for every business call.
- The HR department should incorporate secure communication practices into the employee handbook. This can include guidelines on using video conferencing safely, such as not sharing passwords and ensuring devices are protected with strong, unique passwords.
- Procurement should assess and select video conferencing services that comply with Australian security standards, such as those recommended by the Australian Cyber Security Centre (ACSC). They can do this by reviewing product specifications and opting for services with strong security credentials verified by reliable agencies.
Audit / evidence tips
- Ask for documentation of the video conferencing tools being used: Request a list of software tools approved for secure video calls within the organization.
  Good: The list will only include software that supports secure authentication and encryption standards.
- Ask to see the configuration settings of the video call software: Request access to the configuration or security settings of the video conferencing tool.
  Good: The result is settings that confirm these security measures are in place for every call.
- Ask for records of employee training on secure communication: Request documents or logs showing when employees were last trained on using secure video calling practices.
  Good: Records of regular training sessions and updates.
- Ask for a policy document on video call security: Request the organization's policy that outlines requirements for secure video calls.
- Ask for logs of video call usage: Request logs that might record when and how video calls are conducted using authenticated and encrypted methods as part of regular checks.
  Good: The log will show consistent adherence to two-way authentication and encryption usage.
Cross-framework mappings
How ISM-0554 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.5 | ISM-0554 requires an encrypted and non-replayable two-way authentication scheme specifically for video call authentication and authorisation | |
| Supports (2) | | |
| Annex A 5.17 | ISM-0554 requires secure two-way (mutual) authentication for video calls that is encrypted and non-replayable to ensure call authenticati... | |
| Annex A 8.24 | ISM-0554 requires video call authentication to use encrypted, non-replayable two-way authentication, which relies on strong cryptographic... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.