ISM-1681 | ASD Information Security Manual (ISM)

Mandating Multi-Factor Authentication for Customer Services

Customers must use multi-factor authentication when accessing sensitive online services.


Plain language

This control requires using more than just a password to access online services that handle sensitive data. It's essential because passwords can be easily stolen or guessed, which can lead to unauthorised access to customer information and potential financial and reputational losses.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML1, ML2, ML3

Official control statement

Multi-factor authentication is used to authenticate customers to online customer services that process, store or communicate sensitive customer data.

Why it matters

Without MFA, customer logins can be compromised via password theft and credential stuffing, exposing sensitive customer data and damaging trust.


Operational notes

Enforce MFA for all customer logins to services handling sensitive data; monitor authentication failures for credential-stuffing patterns (bursts of failed logins across many accounts from the same sources); and periodically review the strength of the MFA methods offered and the proportion of customers actually enrolled.


Implementation tips

  • Business owners should instruct their IT team to set up multi-factor authentication for all customer-facing platforms. This means combining a password with another factor like a code sent to a mobile phone.
  • Managers need to ensure that customers are informed about the multi-factor authentication process. They can do this by updating user guides and sending out communications that explain the additional authentication step.
  • The IT team should regularly test the multi-factor authentication setup to ensure it works correctly. They can perform periodic checks by simulating user logins and going through the authentication steps.
  • Customer service representatives should be trained to assist customers who may encounter issues with multi-factor authentication. This can be done by creating FAQ documents and holding training sessions.
  • Business owners should contact their platform vendors to confirm if multi-factor authentication features are available. They can ask for setup support and ongoing technical assistance if needed.

Audit / evidence tips

  • Ask for: the multi-factor authentication configuration documents. Good practice: they include the current settings and instructions on how customers use these methods.
  • Ask for: communication records sent to customers about the authentication change. Review emails, letters or website updates for clarity and accuracy in explaining the change. Good practice: clearly dated and reader-friendly materials.
  • Ask for: vendor contracts or support agreements for the authentication systems.

Cross-framework mappings

How ISM-1681 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1):
  • Annex A 8.5: ISM-1681 requires MFA for customers authenticating to online customer services that handle sensitive customer data

E8

  • Partially meets (2)
  • Partially overlaps (4)
  • Related (1)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

Mapping detail

Mapping | Direction | Controls