ISM-0974, ASD Information Security Manual (ISM) policy control

Implement Multi-factor Authentication for User Access

Unprivileged system users must use multi-factor authentication to log in to enhance security.


Plain language

Using multiple ways to verify your identity, like a password and a code sent to your phone, adds an extra layer of security when logging into systems. This matters because if someone steals your password, they still can't get in without that second piece of verification, helping to protect your information from cyber criminals.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2021

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML2, ML3

Official control statement

Multi-factor authentication is used to authenticate unprivileged users of systems.

Why it matters

Without MFA, stolen credentials can enable unauthorised access, increasing the likelihood of account takeover and sensitive data compromise.


Operational notes

Enforce MFA enrolment for all unprivileged users, review and time-limit any exclusions, and regularly audit both account configuration and sign-in logs to confirm that MFA remains enabled and is actually being used at login.


Implementation tips

  • System owners should ensure that login to unprivileged accounts requires more than a password alone. In practice this means configuring multi-factor authentication in the system or identity provider settings so that, after entering a password, users must present a second factor such as a code from an authenticator app, a hardware security key or a platform authenticator. Codes sent by SMS are the weakest common option and are susceptible to interception and SIM-swap attacks, so prefer app- or key-based factors where the platform supports them.
  • The IT team should enable multi-factor authentication on every platform the organisation uses. Start by inventorying which systems and applications unprivileged users access (including remote access and cloud services), then follow each platform's guidance to enforce MFA at login, and give users clear instructions for registering their devices.
  • Managers should explain the importance of multi-factor authentication to their teams, for example through a short training session or an informative email describing how it works and why it protects the organisation's data.
  • System administrators should regularly review the authentication methods offered to users, apply vendor updates, and retire weaker methods as stronger options become available on each platform.
  • Human resources should build multi-factor authentication into new-employee onboarding, providing setup documentation and ensuring that a second factor is registered before full system access is granted.

Audit / evidence tips

  • Ask: a list of all systems where multi-factor authentication is enforced. Good: includes every system accessed by unprivileged users and shows that MFA is enforced on each.
  • Good: logs show failed logins where the second factor was not completed and successful logins where it was.
  • Ask: policies or documentation describing how multi-factor authentication is set up for new and existing users. Good: includes a comprehensive guide that users can easily follow.
  • Good: clear and frequent communication materials are available.
  • Ask: reports on multi-factor authentication compliance rates among users. Good: shows that the large majority of users are enrolled and that there is a plan to close the remaining gaps.
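The two pieces of evidence above (an enrolment report and sign-in logs showing which factors were used) can be cross-checked with a short script. The following is an added example and not tooling from the control catalogue: it reads a constructed account export and a constructed JSON-lines authentication log (the column and field names are assumptions, loosely modelled on a generic identity provider export), reports unprivileged accounts with no MFA enrolled, accounts relying on weak methods such as SMS, successful logins that completed with a password only, and failed logins where the second factor was never completed.

```python
"""Cross-check MFA enrolment against sign-in evidence.

Added illustration for auditing ISM-0974; not the catalogue's own tooling.
Input formats and field names are hypothetical.
"""
import csv
import io
import json
from collections import Counter

# Constructed sample account export (hypothetical column names).
ACCOUNTS_CSV = """username,privileged,mfa_enrolled,mfa_method
alice,false,true,totp
bob,false,false,
carol,true,true,fido2
dave,false,true,sms
"""

# Constructed sample sign-in events, one JSON object per line
# (hypothetical field names). "factors" lists the factors actually verified.
AUTH_LOG = """\
{"ts":"2026-03-19T08:01:10Z","user":"alice","result":"success","factors":["password","totp"]}
{"ts":"2026-03-19T08:02:33Z","user":"bob","result":"success","factors":["password"]}
{"ts":"2026-03-19T08:05:41Z","user":"dave","result":"failure","factors":["password"],"reason":"mfa_timeout"}
{"ts":"2026-03-19T08:06:02Z","user":"dave","result":"success","factors":["password","sms"]}
{"ts":"2026-03-19T08:09:15Z","user":"bob","result":"success","factors":["password"]}
"""

# Methods that count as MFA but are not phishing-resistant; flag for review.
WEAK_METHODS = {"sms", "voice", "email"}


def parse_accounts(text):
    """Parse the account export, normalising boolean columns."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["privileged"] = row["privileged"].strip().lower() == "true"
        row["mfa_enrolled"] = row["mfa_enrolled"].strip().lower() == "true"
        row["mfa_method"] = row["mfa_method"].strip().lower()
    return rows


def parse_log(text):
    """Parse JSON-lines sign-in events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def second_factor_used(event):
    """True if any factor other than the password was verified."""
    return bool(set(event.get("factors", [])) - {"password"})


def audit(accounts_csv=ACCOUNTS_CSV, log_text=AUTH_LOG):
    """Return the findings an assessor would want for ISM-0974."""
    accounts = parse_accounts(accounts_csv)
    events = parse_log(log_text)

    unprivileged = [a for a in accounts if not a["privileged"]]
    unprivileged_names = {a["username"] for a in unprivileged}
    enrolled = [a for a in unprivileged if a["mfa_enrolled"]]

    # Configuration evidence: who is not enrolled, who relies on weak methods.
    not_enrolled = sorted(a["username"] for a in unprivileged if not a["mfa_enrolled"])
    weak_method = sorted(a["username"] for a in accounts
                         if a["mfa_enrolled"] and a["mfa_method"] in WEAK_METHODS)

    # Usage evidence: enrolment means little if logins still succeed on a password alone.
    single_factor_logins = Counter(
        e["user"] for e in events
        if e["user"] in unprivileged_names
        and e["result"] == "success"
        and not second_factor_used(e)
    )
    mfa_failures = sum(1 for e in events
                       if e["result"] == "failure" and not second_factor_used(e))

    coverage = round(len(enrolled) / len(unprivileged), 3) if unprivileged else 1.0
    return {
        "coverage": coverage,
        "not_enrolled": not_enrolled,
        "weak_method": weak_method,
        "single_factor_logins": dict(single_factor_logins),
        "mfa_failures": mfa_failures,
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

In the constructed data the enrolment report alone would show two of three unprivileged users enrolled, but the log shows that bob still signs in with a password only, which is the gap an assessor should chase. Running the same check against a real export and sign-in log needs only the two parsers adapted to the platform's actual field names.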

Cross-framework mappings

How ISM-0974 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)
  • Annex A 8.5: ISM-0974 requires MFA for unprivileged users accessing systems as a specific authentication mechanism

E8

Partially meets (1)
  • E8-MF-ML1.7: specifies the acceptable construction of MFA, using two distinct factors or a device unlocked by knowledge or biometrics
Partially overlaps (2)
  • E8-MF-ML1.5: mandates MFA for access to third-party online customer services holding sensitive data
  • E8-MF-ML3.1: requires MFA for users accessing data repositories
Supports (1)
  • E8-MF-ML2.5: ISM-0974 mandates MFA for unprivileged users to mitigate account compromise risks
Related (1)
  • E8-MF-ML2.2: requires multi-factor authentication to authenticate unprivileged users of systems

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
