ISM-1682 policy ASD Information Security Manual (ISM)

Enhance User Security with Phishing-resistant MFA

Multi-factor authentication protects systems by not relying solely on passwords, reducing phishing risks.


Plain language

Phishing-resistant multi-factor authentication is about adding extra layers of security to prevent unauthorised access to systems, especially from deceptive attacks like phishing, where someone tricks you into giving away your login details. This is crucial because if systems are only protected by passwords, which can be easily stolen, there's a higher risk of data breaches and loss of important information.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML2, ML3

Official control statement

Multi-factor authentication used for authenticating users of systems is phishing-resistant.

Why it matters

Without phishing-resistant MFA, attackers can wear users down with repeated push prompts (MFA fatigue), capture one-time codes by phishing or SIM swap, or run a real-time adversary-in-the-middle proxy that relays the victim's password and OTP (or push approval) to the legitimate service and steals the resulting session. Methods such as FIDO2 security keys and passkeys resist this because the credential is cryptographically bound to the legitimate site's origin, so a credential presented to a look-alike site cannot be replayed against the real one.


Operational notes

Use FIDO2/WebAuthn (passkeys or security keys), or certificate-based smart cards, for sign-in. Disable SMS, voice and OTP fallbacks and require phishing-resistant methods for all users, including administrators and break-glass accounts. Check the account recovery and enrolment flows as well: a phishable reset path (an emailed link or SMS code that lets a user register a new authenticator) undoes the control at the front door.
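Why a WebAuthn assertion resists the real-time phishing described above: the browser, not the user, records the origin in the signed client data, and the authenticator signs over a hash of the relying-party ID it was actually invoked for, so an assertion captured by an attacker-in-the-middle proxy fails the relying party's checks. The block below is an added example, not part of the ISM or of this page's original content, showing those binding checks in Python. The RP ID, origin, challenge and the "legitimate", "phished" and "replayed" assertions are all constructed for illustration, and signature verification over the authenticator data is omitted.

```python
"""Added example: WebAuthn assertion binding checks (origin, RP ID, challenge).
Sample data are constructed, not captured; signature verification is omitted."""
import base64
import hashlib
import json
import secrets

RP_ID = "login.example.gov.au"                 # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example.gov.au"  # assumed legitimate origin
CHALLENGE = b"constructed-challenge-32-bytes!!"    # constructed per-ceremony challenge


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_assertion_binding(client_data_b64: str, authenticator_data: bytes,
                             expected_challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks that make FIDO2 phishing-resistant.

    Returns (accepted, reason). The browser fills in 'origin' and the
    authenticator computes rpIdHash, so neither is under the user's or a
    phishing page's control.
    """
    try:
        client_data = json.loads(b64url_decode(client_data_b64))
    except ValueError:
        return False, "clientDataJSON is not valid base64url JSON"
    if not isinstance(client_data, dict):
        return False, "clientDataJSON is not an object"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    try:
        got_challenge = b64url_decode(client_data.get("challenge", ""))
    except ValueError:
        return False, "challenge is not base64url"
    if not secrets.compare_digest(got_challenge, expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {client_data.get('origin')!r} is not {EXPECTED_ORIGIN!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    rp_id_hash = authenticator_data[:32]
    if not secrets.compare_digest(rp_id_hash, hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash does not match relying party"
    flags = authenticator_data[32]
    if not flags & 0x01:
        return False, "user-presence flag not set"
    return True, "bound to expected origin and RP"


def make_client_data(origin: str, challenge: bytes) -> str:
    """Constructed clientDataJSON as the browser would serialise it."""
    return b64url_encode(json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode())


def make_authenticator_data(rp_id: str, flags: int = 0x05) -> bytes:
    """Constructed authenticatorData: rpIdHash(32) || flags(1) || signCount(4).
    flags 0x05 = user present (UP) | user verified (UV)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")


def demo() -> dict[str, tuple[bool, str]]:
    legit = verify_assertion_binding(
        make_client_data(EXPECTED_ORIGIN, CHALLENGE),
        make_authenticator_data(RP_ID), CHALLENGE)
    # AitM proxy: the victim's browser is on the phishing origin, so it records
    # that origin and the authenticator hashes the phishing site's RP ID, even
    # though the proxy relayed the genuine challenge.
    phished = verify_assertion_binding(
        make_client_data("https://login.example.gov.au.evil.test", CHALLENGE),
        make_authenticator_data("login.example.gov.au.evil.test"), CHALLENGE)
    # A captured assertion for an earlier challenge is rejected as a replay.
    replay = verify_assertion_binding(
        make_client_data(EXPECTED_ORIGIN, b"stale-challenge"),
        make_authenticator_data(RP_ID), CHALLENGE)
    return {"legitimate": legit, "aitm_phish": phished, "replayed": replay}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:11} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

Contrast this with an OTP: the six-digit code carries no information about where it was typed, so a proxy can forward it unchanged and the server has no way to tell the difference. Here the phished assertion fails on origin before the RP ID hash is even examined.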


Implementation tips

  • System owners should choose a multi-factor authentication system whose credentials are bound to the legitimate service, such as FIDO2 security keys, platform passkeys or certificate-based smart cards. A fingerprint or PIN on such a device only unlocks the authenticator; the phishing resistance comes from the origin-bound signature, not from the biometric itself, so a biometric or push prompt on its own does not satisfy this control. Prefer options that integrate with existing identity providers and are widely recognised as robust.
  • IT teams should update existing systems to support phishing-resistant authentication by integrating chosen multi-factor solutions across all access points. This involves updating software settings and ensuring that all employees are aware and trained on the new access procedure.
  • The HR or training department should organise staff training sessions to educate employees about the importance of multi-factor authentication and how it works. Use clear examples of phishing attempts and emphasise the behaviour changes needed to follow the new login processes.
  • Managers should implement regular checks and drills to ensure multi-factor authentication is used correctly and consistently by everyone in the organisation. Set up a schedule for periodic reviews to keep everyone engaged and informed about any updates or challenges.
  • Procurement teams should ensure any new software or systems purchased are compatible with the organisation’s multi-factor authentication setup. This includes checking with vendors for compatibility and negotiating for additional support or training if needed.

Audit / evidence tips

  • Ask: The policy document that outlines multi-factor authentication requirements. Good: Includes detailed sections on authentication methods and steps to handle potential security breaches.
  • Good: Is a comprehensive training plan that is regularly updated.
  • Ask: Records of system updates to support multi-factor authentication. Good: Shows a timeline of updates and specific actions taken to enhance security measures.
  • Good: Is a structured record indicating regular assessments and improvements.
  • Ask: Vendor contracts that specify multi-factor authentication compatibility for any purchased systems or software. Examine terms that highlight the vendor's obligations to support phishing-resistant features. Good: Includes clear stipulations about compatibility and post-purchase support.

Cross-framework mappings

How ISM-1682 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 8.5 (Secure authentication): ISM-1682 requires a specific secure authentication outcome: MFA used for system authentication is phishing-resistant.

E8

Control Notes Details
Partially meets (2)
Partially overlaps (3)
Supports (2)
Related (1)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

Mapping detail

Mapping

Direction

Controls