ISM-1680 ASD Information Security Manual (ISM)

Use Multi-Factor Authentication for Online Services

Users must use multi-factor authentication for online services handling non-sensitive data.


Plain language

This control is about adding an extra layer of security when logging into online services that handle your organisation's non-sensitive data. Even if your password gets stolen, multi-factor authentication makes it much harder for someone to break into your accounts. Without it, cybercriminals could access your data, impersonate you, or disrupt your operations.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML1, ML2, ML3

Official control statement

Multi-factor authentication (where available) is used to authenticate users to third-party online services that process, store or communicate their organisation's non-sensitive data.
ASD Information Security Manual (ISM) ISM-1680

Why it matters

Without MFA on third-party online services, stolen passwords can enable unauthorised access, leading to data breaches, fraud and reputational damage.


Operational notes

Ensure MFA is enabled and enforced for all users (especially admins) on each third-party online service; regularly review enrolment, exceptions and access logs.


Implementation tips

  • System administrators should identify all online services used by the organisation that store or handle non-sensitive data. Start by listing each service and checking if they offer a multi-factor authentication option in their security settings.
  • IT managers should ensure that multi-factor authentication is activated on all applicable online services. Log into the service's account management panel, navigate to security settings, and activate multi-factor authentication using a recommended method, such as a text message or an app.
  • Office managers should inform all employees about the importance of multi-factor authentication and guide them through the setup process. Organise a short training session demonstrating how to activate and use multi-factor authentication on their accounts.
  • HR should include the use of multi-factor authentication in the organisation’s security policy. Draft a policy document stating that all employees must use multi-factor authentication for accounts that handle organisational data, and distribute this policy to all staff.
  • The IT team should regularly audit accounts to ensure compliance with the multi-factor authentication policy. Use the service’s admin dashboard to check which accounts have multi-factor authentication enabled and follow up with users who have not yet activated it.

Audit / evidence tips

  • Ask: The list of online services used by the organisation. Good: Is a complete list with annotations indicating services where multi-factor authentication is available.
  • Good: Includes step-by-step instructions or screenshots helping users enable this feature.
  • Ask: A copy of the internal security policy document regarding multi-factor authentication. Good: Is a document signed by management, distributed to staff, and regularly reviewed.
  • Ask: Logs from the admin dashboard of each online service. Good: Is evidence showing activation rates above a set threshold or goal.
  • Good: Shows consistent follow-ups and support for staff where needed.

Cross-framework mappings

How ISM-1680 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 8.5 ISM-1680 requires the specific use of multi-factor authentication (where available) for users accessing third-party online services handl...

E8

Control Notes Details
Partially meets (1)
Partially overlaps (4)
Supports (1)
Related (1)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
