Implement Multi-Factor Authentication for Security
Users need to use multiple identification methods to ensure secure access.
Plain language
Multi-factor authentication means using more than just a password to log into your systems. It's like adding an extra lock on your door – it makes it much harder for someone to sneak in. If you don't have this, a hacker could easily guess or steal a password and access your sensitive information, causing disruptions and potentially financial loss.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1, ML2, ML3
Guideline
Guidelines for system hardening
Section
Authentication hardening
Official control statement
Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are.
Why it matters
Without MFA, stolen credentials can grant unauthorised access, enabling account takeover, data breaches and significant business disruption.
Operational notes
Review MFA enrolment and token/app lifecycle, promptly revoke lost factors, and ensure MFA is enforced for remote and privileged access to reduce takeover risk.
Implementation tips
- Business owners should prioritise implementing multi-factor authentication (MFA) by selecting an MFA solution suited for their organisation's needs. Research reputable vendors that offer solutions combining passwords, mobile apps, or biometric confirmation.
- IT teams should enable MFA on all critical systems by setting up the necessary infrastructure. This includes configuring systems to require an additional factor beyond the password, such as a code from an authenticator app or a hardware security key; note that under the control statement a fingerprint or other biometric counts only when it unlocks something the user has, so a password plus a fingerprint alone does not meet the definition.
- HR should communicate and train employees about the MFA process to ensure understanding and compliance. Use easy-to-follow guides and conduct training sessions that demonstrate how to set up and use MFA.
- Managers should regularly review and update user access levels and MFA setups. Check in with users to see if any staff have changed roles, ensuring their MFA settings reflect their new responsibilities.
- Procurement teams should ensure any new software or technology considers MFA compatibility. When purchasing or subscribing to services, verify they support MFA capabilities as a selection criterion.
Audit / evidence tips
- Ask for the organisation's multi-factor authentication policy: review the policy document to ensure it mandates MFA for all critical systems. Good: a detailed policy that has been recently reviewed and updated.
- Good: logs showing consistent MFA activity without gaps.
- Ask for user training records related to MFA: review attendance records and materials from training sessions on MFA usage. Good: up-to-date records showing widespread dissemination and understanding of MFA.
- Ask for a list of systems with MFA enabled: review it against inventory records to ensure all critical systems require MFA. Good: a complete list matching the critical systems inventory.
- Good: a documented process showing responsive and thorough handling of incidents.
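The following is an added example, not code from the ISM or from this page's authors, showing how an auditor or SOC engineer could apply the control statement above to sign-in logs: it classifies each authenticator as something the user knows, has or is, decides whether the combination meets the ISM-1401 definition, and flags the remote and privileged sign-ins that lack MFA, the cases the operational notes single out. The authenticator names, the "device/unlock" notation for a possession factor unlocked by a PIN or biometric, the key=value log format and the log lines themselves are all constructed assumptions for the example.

```python
# Added example (not from the ISM or this page): evaluate sign-in records against
# the ISM-1401 factor rule and flag remote/privileged sign-ins made without MFA.
from typing import Dict, List

# Assumed mapping of authenticator names to the three factor categories.
KNOW = {"password", "pin", "security_question"}
HAVE = {"totp_app", "fido2_key", "smart_card", "sms_code"}
ARE = {"fingerprint", "face"}


def category(name: str) -> str:
    """Return 'know', 'have' or 'are' for an authenticator name (assumed names)."""
    if name in KNOW:
        return "know"
    if name in HAVE:
        return "have"
    if name in ARE:
        return "are"
    raise ValueError(f"unknown authenticator: {name}")


def is_mfa(authenticators: List[str]) -> bool:
    """True if the combination satisfies the control statement:
    (a) something users have AND something users know, or
    (b) something users have that is unlocked by something users know or are.
    Case (b) is written here as 'have/unlock', e.g. 'fido2_key/pin' (assumed format).
    """
    categories = set()
    for auth in authenticators:
        if "/" in auth:
            device, unlock = auth.split("/", 1)
            if category(device) == "have" and category(unlock) in ("know", "are"):
                return True
            categories.add(category(device))
        else:
            categories.add(category(auth))
    # 'know' + 'are' with no possession factor does not meet the definition.
    return "have" in categories and "know" in categories


def parse_record(line: str) -> Dict[str, str]:
    """Parse whitespace-separated key=value pairs from a constructed log line."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def audit_signins(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per successful sign-in that did not satisfy MFA.
    Remote or privileged access without MFA is rated 'high'; any other
    non-MFA sign-in is rated 'medium'. Failed attempts are ignored.
    """
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("result") != "success":
            continue
        auths = [a for a in rec.get("authenticators", "").split(",") if a]
        if is_mfa(auths):
            continue
        exposed = rec.get("access") == "remote" or rec.get("privileged") == "yes"
        findings.append({
            "user": rec["user"],
            "time": rec["time"],
            "authenticators": ",".join(auths) or "(none)",
            "severity": "high" if exposed else "medium",
        })
    return findings


# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "time=2026-03-19T08:01:12Z user=alice access=remote privileged=no result=success authenticators=password,totp_app",
    "time=2026-03-19T08:03:40Z user=bob access=remote privileged=yes result=success authenticators=password,security_question",
    "time=2026-03-19T08:05:02Z user=carol access=local privileged=no result=success authenticators=password",
    "time=2026-03-19T08:07:55Z user=dave access=local privileged=yes result=success authenticators=fido2_key/pin",
    "time=2026-03-19T08:09:19Z user=erin access=remote privileged=no result=failure authenticators=password",
]

if __name__ == "__main__":
    for f in audit_signins(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['time']} {f['user']} signed in with only: {f['authenticators']}")
```

Running it on the constructed lines reports bob (password plus a security question is two knowledge factors, so not MFA, and the access is both remote and privileged) as high and carol (password only, local) as medium; alice (password plus authenticator app) and dave (FIDO2 key unlocked by PIN) pass. A real deployment would read the identity provider's sign-in log and map its own authenticator identifiers into the three categories.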
Cross-framework mappings
How ISM-1401 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
- Partially meets: 3 controls
- Partially overlaps: 2 controls
- Supports: 2 controls
- Depends on: 2 controls
- Related: 1 control
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.