Central Logging of Multi-factor Authentication Events
Multi-factor authentication attempts, whether they succeed or not, are logged together in a central system.
Plain language
This control is about making sure that all attempts to log in with extra security steps, whether successful or not, are recorded in one place. It's important because if there is suspicious activity, these records help us understand what happened so we can respond quickly and protect against security breaches.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2, ML3
Guideline
Guidelines for system hardeningSection
Authentication hardeningOfficial control statement
Successful and unsuccessful multi-factor authentication events are centrally logged.
Why it matters
Without central MFA event logging, failed and successful authentication attempts may be missed, delaying detection of account compromise.
Operational notes
Centrally log all successful and failed MFA events from all systems; review and protect logs weekly to detect abnormal patterns.
Implementation tips
- The IT team should set up a central logging system specifically for tracking multi-factor authentication (MFA) events. They can do this by configuring the system settings to automatically send records of each login attempt to a central server or service.
- Managers should ensure that the logging system integrates well with existing cybersecurity tools. This may involve coordinating with the IT team to test the logging processes and ensure that alerts are triggered when unusual patterns or failed login attempts occur.
- System owners need to work with the IT staff to determine what data should be logged for each MFA attempt. This typically includes the time, user ID, and location of the attempt, helping identify any unusual access patterns.
- Business owners are responsible for making sure that the logs are regularly reviewed. They should set up a timetable for someone in the IT team to check the logs weekly, making sure any suspicious activity is investigated promptly.
- HR should collaborate with IT to provide training to employees on the importance of MFA and logging practices. They can organise workshops or send informational emails to ensure everyone understands how MFA logging protects the organisation.
Audit / evidence tips
-
Askthe current logging configuration document: Request a report or screenshot showing the systems configured to collect multi-factor authentication logs
Goodwill provide evidence of comprehensive logging across all systems and user accounts
-
Askto see the alert procedures for failed MFA attempts: Request documentation that describes how alerts are handled when logging shows suspicious activity
Goodshows clear steps for responding to alerts with timelines
-
Aska sample set of logs from the last month: Request a selection of event logs from the central system showing successful and unsuccessful MFA attempts. Look to see that the logs are detailed and well-organised
Goodwill include clear timestamps, user details, and outcomes
-
Askto review user access records: Request access records to cross-check how logged events match actual access approvals
Goodconfirms that logs correspond correctly to access permissions
-
Askreports on any recent suspicious MFA activity: Request records of how any suspicious events were handled
Gooddemonstrates that all incidents were appropriately logged, investigated, and resolved
Cross-framework mappings
How ISM-1683 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.15 | ISM-1683 requires successful and unsuccessful MFA events to be centrally logged | |
| handshake Supports (2) expand_less | ||
| Annex A 5.7 | ISM-1683 requires successful and unsuccessful MFA events to be centrally logged | |
| Annex A 5.28 | ISM-1683 requires successful and unsuccessful MFA events to be centrally logged | |
E8
| Control | Notes | Details |
|---|---|---|
| handshake Supports (1) expand_less | ||
| E8-AH-ML2.15 | ISM-1683 requires successful and unsuccessful MFA events to be centrally logged | |
| link Related (1) expand_less | ||
| E8-MF-ML2.6 | ISM-1683 requires that both successful and unsuccessful multi-factor authentication (MFA) events are centrally logged | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.