Ensuring Phishing-Resistant Multi-Factor Authentication
Users must use multi-factor authentication that resists phishing when accessing online services.
Plain language
This control is about using safe extra steps, like a special phone app or a security key, to access online services without falling for fake login tricks. If you don't have these protections, someone could pretend to be you and access your sensitive information.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2, ML3
Guideline
Guidelines for system hardening
Section
Authentication hardening
Official control statement
Multi-factor authentication used for authenticating users of online services is phishing-resistant.
Why it matters
Without phishing-resistant MFA, attackers can use fake sign-in pages to steal factors and gain unauthorised access, causing data breaches.
Operational notes
Prefer FIDO2/WebAuthn passkeys or security keys; disable OTP/SMS for logins, and regularly validate MFA flows against phishing simulations.
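The fake-sign-in-page problem described above is what FIDO2/WebAuthn's origin and RP ID binding addresses. The following added example (not part of this control page or the ISM) shows the relying-party checks over constructed assertion data for a hypothetical service at login.example.gov.au; signature verification is left out to keep the focus on the bindings that OTP and SMS codes lack.

```python
import base64
import hashlib
import json

# Constructed values for a hypothetical relying party; not taken from the page.
EXPECTED_ORIGIN = "https://login.example.gov.au"
EXPECTED_RP_ID = "login.example.gov.au"
CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed per-session challenge


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses on the wire."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def make_client_data(origin: str, challenge: str) -> str:
    """Build clientDataJSON as the browser does; page script cannot alter origin."""
    payload = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return base64.urlsafe_b64encode(json.dumps(payload).encode()).decode().rstrip("=")


def make_auth_data(rp_id: str) -> bytes:
    """Minimal authenticatorData: SHA-256(rpId) || flags (UP|UV) || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (0).to_bytes(4, "big")


def verify_assertion_binding(client_data_b64: str, auth_data: bytes,
                             expected_challenge: str) -> tuple:
    """Relying-party checks on a WebAuthn authentication assertion.

    The browser writes the real origin into clientDataJSON and the authenticator
    hashes the RP ID it was asked for into authenticatorData, so a credential
    exercised on a lookalike domain yields an assertion the genuine service rejects.
    """
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    if auth_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "assertion bound to the genuine service"


if __name__ == "__main__":
    genuine = make_client_data(EXPECTED_ORIGIN, CHALLENGE)
    lookalike = make_client_data("https://phish.example.net", CHALLENGE)
    print(verify_assertion_binding(genuine, make_auth_data(EXPECTED_RP_ID), CHALLENGE))
    print(verify_assertion_binding(lookalike, make_auth_data("phish.example.net"), CHALLENGE))
```

An OTP relayed from a lookalike page carries no equivalent of the origin or rpIdHash fields, which is why the operational note above prefers passkeys and security keys over OTP/SMS.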
Implementation tips
- The IT team should choose a phishing-resistant multi-factor authentication method like a hardware security key or an authenticator app that provides unique codes. They need to check that the chosen method is compatible with the online services your organisation uses and perform some test logins to confirm it works correctly.
- Managers should inform staff about the importance of using these phishing-resistant methods when logging in. They can hold a briefing session to explain how these tools work and why they're safer than just using a password.
- HR should ensure that new starters are introduced to these secure login methods as part of their onboarding process. Include a section in the onboarding pack that details how to set up and use these methods safely at work.
- System owners should meet with the IT team to identify and list all online services that require multi-factor authentication. Document the chosen method of authentication for each system and ensure staff are informed which tool to use.
- The procurement team should ensure that new software and systems purchased are compatible with phishing-resistant multi-factor authentication methods. This can be done by integrating requirements for these methods in purchase agreements and vendor discussions.
Audit / evidence tips
- Ask: a list of services used by the organisation that require multi-factor authentication
  Good: all services listed should specify the type of multi-factor authentication that prevents phishing
- Good: includes training records showing high participation rates and materials explaining the specific security measures
- Ask: the policy document that mandates multi-factor authentication for online services
  Good: would include a clear policy directive naming acceptable multi-factor methods such as hardware keys
- Good: contains guides with step-by-step instructions for enrolling in phishing-resistant tools
- Ask: any incident or helpdesk reports related to login issues
  Good: reports showing timely issue resolutions and any follow-up training or adjustments made
Cross-framework mappings
How ISM-1872 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Related (1) | | |
| Annex A 8.5 | Annex A 8.5 requires organisations to implement secure authentication technologies and procedures consistent with access restrictions and... | |
E8
| Control | Notes | Details |
|---|---|---|
| Supports (3) | | |
| E8-MF-ML1.1 | E8-MF-ML1.1 requires MFA for users accessing the organisation’s online services that handle sensitive organisational data | |
| E8-MF-ML1.7 | ISM-1872 requires the use of phishing-resistant multi-factor authentication for online services | |
| E8-MF-ML3.1 | E8-MF-ML3.1 requires MFA for users of data repositories | |
| Related (2) | | |
| E8-MF-ML2.3 | E8-MF-ML2.3 requires that MFA used for authenticating users of online services is phishing-resistant | |
| E8-MF-ML3.2 | ISM-1872 requires that multi-factor authentication (MFA) used to authenticate users of online services is phishing-resistant | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.