ISM-1679 (policy control, ASD Information Security Manual (ISM))

Use Multi-factor Authentication for Third-party Services

Use multiple verification steps for accessing external services with sensitive data.


Plain language

Using more than one check to log into services that handle your sensitive data is called multi-factor authentication. It matters because it makes it much harder for someone to break into your accounts and steal your important information, especially if they manage to get hold of your password.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML1, ML2, ML3

Official control statement

Multi-factor authentication is used to authenticate users to third-party online services that process, store or communicate their organisation's sensitive data.

Why it matters

Without multi-factor authentication, unauthorised access to third-party services could expose sensitive data and enable compromise or espionage.


Operational notes

Regularly verify MFA is enforced for all third-party accounts, and reassess supported factors after vendor changes to address new threats.


Implementation tips

  • IT Team should identify all third-party services that store or process sensitive data and ensure multi-factor authentication is enabled. Start by listing out all external tools and checking their settings to ensure they offer an option for multi-factor authentication.
  • The Office Manager should work with the IT team to educate all staff on using multi-factor authentication. Secure time for a brief training session where employees are shown how to use authentication apps or receive one-time passwords (OTPs) via text message.
  • System Owners should review user access to third-party services regularly. Schedule quarterly checks to confirm that all users accessing these services with sensitive data are using multi-factor authentication.
  • Procurement should check with vendors if multi-factor authentication is supported during the purchasing process of new tools. Before signing a contract, ask vendors to confirm the feature via email or in writing and keep a record of their response.
  • HR should include multi-factor authentication usage in the onboarding and offboarding checklists. When a new employee starts, ensure they understand how to set it up, and when an employee leaves, ensure their access, including their registered authentication factors, is revoked.

Audit / evidence tips

  • Ask: A list of third-party services used by the organisation. Request evidence of all external services the company uses that handle sensitive information. Good: A complete list with each service marked as having active multi-factor authentication.
  • Good: Recent presentation slides or recorded sessions indicating employee awareness activities.
  • Ask: Evidence of recent access reviews. Request the outcome reports from the last few checks ensuring only authorised users have access with multi-factor authentication enabled. Good: A schedule of regular reviews with verified entries for all current users.
  • Good: Written confirmation from vendors (such as emails) that the service supports multi-factor authentication.
  • Ask: The HR department's procedural documents that specifically mention multi-factor authentication setup and revocation. Good: Documentation that demonstrates mandatory multi-factor authentication processes for new and departing staff.

Cross-framework mappings

How ISM-1679 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1):
  • Annex A 8.5: ISM-1679 specifically requires MFA for users authenticating to third-party online services that process, store, or communicate the organi...

E8

Partially overlaps (3):
  • E8-MF-ML1.1: requires MFA for users authenticating to the organisation's online services that handle sensitive organisational data
  • E8-MF-ML1.5: requires multi-factor authentication (MFA) for users accessing third-party online customer services handling sensitive custom...
  • E8-MF-ML1.7: requires MFA to combine two factors (possession plus knowledge/biometric unlock)

Related (1):
  • E8-MF-ML1.2: ISM-1679 requires multi-factor authentication (MFA) to be used when authenticating users to third-party online services that process, sto...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
