Ensure Multi-factor Authentication for Online Services
Use two or more forms of identity verification to access sensitive data online.
Plain language
Multi-factor authentication is like having a double lock on your door. It means that to access your sensitive data online, you need to prove your identity in two or more different ways. This is important because if a hacker gets hold of your password, they still can’t get in without the second piece of evidence, keeping your valuable information safe from prying eyes.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Emails arriving via an external connection where the email source address uses an internal domain, or internal subdomain, are blocked at the email gateway.
Why it matters
Failing to block external emails spoofing internal domains can enable phishing and BEC, leading to credential theft, data breaches, and compromised systems.
Operational notes
Configure the gateway to block inbound external mail that uses an internal domain or subdomain in the From address; review any exceptions, and monitor gateway logs for spoofing attempts and rule drift.
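As an added illustration (not from the ISM or this control page), a small Python model of the gateway rule described above: it checks both the envelope sender and the header From against an internal domain list, treats subdomains as internal, and records reviewed exceptions separately so they show up in log review. The internal domain, networks, exception range and sample records are all constructed assumptions.

```python
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Constructed configuration: a hypothetical internal domain, internal network and
# reviewed exception list (external senders permitted to use the internal domain).
INTERNAL_DOMAINS = {"example.com"}
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8")]
ALLOWED_EXTERNAL_SENDERS = [ip_network("203.0.113.0/24")]

def sender_domain(address: str) -> str:
    """Lower-cased domain of an address, tolerating display names ("Name <a@b>")."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def is_internal_domain(domain: str) -> bool:
    """True for an internal domain or any subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)

def in_any(ip: str, networks) -> bool:
    return any(ip_address(ip) in net for net in networks)

def gateway_decision(client_ip: str, mail_from: str, header_from: str) -> str:
    """Apply the control: check MAIL FROM and header From (phishing often spoofs only the latter)."""
    if in_any(client_ip, INTERNAL_NETWORKS):
        return "accept"            # not an external connection; the control does not apply
    if not (is_internal_domain(sender_domain(mail_from))
            or is_internal_domain(sender_domain(header_from))):
        return "accept"            # external mail with an external sender
    if in_any(client_ip, ALLOWED_EXTERNAL_SENDERS):
        return "accept-exception"  # log and review: this is where rule drift hides
    return "block"

# Constructed sample of gateway log records: (client IP, MAIL FROM, header From).
SAMPLE_MESSAGES = [
    ("198.51.100.7", "bounce@mailer.example.net", '"IT Helpdesk" <helpdesk@example.com>'),
    ("10.1.2.3", "alice@example.com", "alice@example.com"),
    ("198.51.100.9", "bob@partner.example.org", "Bob <bob@partner.example.org>"),
    ("203.0.113.5", "news@mail.example.com", "news@mail.example.com"),
    ("198.51.100.10", "x@hr.example.com", "HR <x@HR.Example.com>"),
]

def evaluate_samples() -> list[str]:
    return [gateway_decision(*record) for record in SAMPLE_MESSAGES]
```

Entries returning "accept-exception" are the ones to reconcile against the documented exception list during log review.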
Implementation tips
- Managers should ensure that their teams understand the importance of multi-factor authentication by organising a simple training session. Explain how this extra step helps protect sensitive information and reassure them that it’s easy to use even if it adds a minute to their login process.
- The IT team should implement multi-factor authentication for all users accessing online services that handle sensitive data. Choose a compatible authentication method such as a mobile app or security token, and make sure it’s user-friendly to encourage compliance.
- System administrators must configure the organisation's platforms to require multi-factor authentication at login. Set this up in the system settings by following the provider’s guidance, which usually includes enabling an option and sending notifications to users to activate it.
- HR should inform new hires about the requirement for multi-factor authentication as part of their onboarding procedure. Provide them with clear instructions on how to set up and use the method chosen by the organisation, ensuring they are comfortable with the process.
- The office manager should regularly remind all staff to check their secondary authentication devices, such as ensuring their phones have adequate battery life, to avoid being locked out unexpectedly. Send out quarterly reminders to maintain awareness and readiness.
Audit / evidence tips
- Ask for the list of users with access to sensitive online services: request documentation showing which users are required to use multi-factor authentication, and check that all users who access sensitive data are on the list. Good evidence includes an up-to-date list, signed off by the IT manager, showing multi-factor authentication is enabled for everyone listed.
- Ask to see the multi-factor authentication setup instructions provided to staff: review these documents to check that the instructions are clear and accessible. A good sign is that the instructions are easy to understand and regularly updated as systems change.
- Ask for records of any training sessions or communications about multi-factor authentication: examine attendance records or minutes from staff meetings to confirm that the information was properly disseminated. Good practice is documented training sessions with feedback forms showing staff understand the process.
- A good report includes detailed records showing login attempts and highlights how multi-factor authentication prevented unauthorised access.
Cross-framework mappings
How ISM-1502 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
No cross-framework mappings recorded yet.