Enhance User Security with Phishing-resistant MFA
Multi-factor authentication protects systems by not relying solely on passwords, reducing phishing risks.
Plain language
Phishing-resistant multi-factor authentication is about adding extra layers of security to prevent unauthorised access to systems, especially from deceptive attacks like phishing, where someone tricks you into giving away your login details. This is crucial because if systems are only protected by passwords, which can be easily stolen, there's a higher risk of data breaches and loss of important information.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2, ML3
Guideline
Guidelines for system hardening
Section
Authentication hardening
Official control statement
Multi-factor authentication used for authenticating users of systems is phishing-resistant.
Why it matters
Without phishing-resistant MFA, attackers can exploit MFA fatigue, intercept OTPs, or use real-time phishing to access sensitive systems.
Operational notes
Use FIDO2/WebAuthn (passkeys or security keys) for sign-in. Disable SMS/OTP fallbacks and require phishing-resistant methods for all users.
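The reason FIDO2/WebAuthn resists real-time phishing is that the browser binds each response to the origin it was produced on and the authenticator scopes the credential to the relying party (RP) ID, so a response relayed from a look-alike site fails on the server. The check below is an added example, not code from the Control Stack page or the ISM; the RP ID, origins, challenge and helper names are constructed for illustration.

```python
"""Server-side origin/RP-ID binding check for a WebAuthn assertion (added
example). A full verifier would go on to check the signature over
authenticator_data || SHA-256(client_data_json); only the binding is shown."""
import base64
import hashlib
import json

RP_ID = "login.example.com"                     # assumption: our RP ID
ALLOWED_ORIGINS = {"https://login.example.com"}  # assumption: our origin

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_binding(client_data_json: bytes, authenticator_data: bytes,
                  expected_challenge: bytes) -> tuple[bool, str]:
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay)"
    # Origin is filled in by the browser, not by the page, so a look-alike
    # domain cannot claim to be the real RP.
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not the relying party"
    # First 32 bytes of authenticatorData are SHA-256 of the RP ID the
    # authenticator actually used; byte 32 holds the flags (bit 0 = UP).
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match RP ID"
    if not authenticator_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "origin and RP binding ok"

def make_client_data(origin: str, challenge: bytes) -> bytes:  # constructed
    chal = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": chal,
                       "origin": origin}).encode()

def make_auth_data(rp_id: str, flags: int = 0x01) -> bytes:  # constructed
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + b"\0" * 4

CHALLENGE = b"\x00" * 16  # constructed; a real challenge is random per ceremony

if __name__ == "__main__":
    print(check_binding(make_client_data("https://login.example.com", CHALLENGE),
                        make_auth_data(RP_ID), CHALLENGE))
    # Response produced on a constructed look-alike domain: rejected.
    print(check_binding(make_client_data("https://login-example.com", CHALLENGE),
                        make_auth_data("login-example.com"), CHALLENGE))
```

An SMS or TOTP code carries no such binding, which is why the same relay succeeds against those factors and why the notes above say to disable them.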
Implementation tips
- System owners should choose a multi-factor authentication system that uses methods difficult for attackers to mimic, like physical tokens or biometric checks. This can be done by researching options that integrate easily with existing systems and provide a combination of security measures that are widely recognised as robust.
- IT teams should update existing systems to support phishing-resistant authentication by integrating chosen multi-factor solutions across all access points. This involves updating software settings and ensuring that all employees are aware and trained on the new access procedure.
- The HR or training department should organise staff training sessions to educate employees about the importance of multi-factor authentication and how it works. Use clear examples of phishing attempts and emphasise the behaviour changes needed to follow the new login processes.
- Managers should implement regular checks and drills to ensure multi-factor authentication is used correctly and consistently by everyone in the organisation. Set up a schedule for periodic reviews to keep everyone engaged and informed about any updates or challenges.
- Procurement teams should ensure any new software or systems purchased are compatible with the organisation’s multi-factor authentication setup. This includes checking with vendors for compatibility and negotiating for additional support or training if needed.
Audit / evidence tips
- Ask: the policy document that outlines multi-factor authentication requirements. Good: includes detailed sections on authentication methods and steps to handle potential security breaches.
- Good: is a comprehensive training plan that is regularly updated.
- Ask: records of system updates to support multi-factor authentication. Good: shows a timeline of updates and specific actions taken to enhance security measures.
- Good: is a structured record indicating regular assessments and improvements.
- Ask: vendor contracts that specify multi-factor authentication compatibility for any purchased systems or software. Examine terms that highlight the vendor’s obligations to support phishing-resistant features. Good: includes clear stipulations about compatibility and post-purchase support.
Cross-framework mappings
How ISM-1682 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.5 | ISM-1682 requires a specific secure authentication outcome: MFA used for system authentication is phishing-resistant | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Partially overlaps (3) | | |
| Supports (2) | | |
| Related (1) | | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.