Enhance Security with Phishing-Resistant MFA
Online services should use multi-factor authentication that cannot be easily tricked by phishing.
Plain language
Phishing-resistant multi-factor authentication is a way to double-check that you are who you say you are when accessing online services. This is important because regular passwords can be easily stolen or guessed, leading to fraud or data breaches, while phishing-resistant methods are much harder for attackers to bypass.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Guideline
Guidelines for system hardening
Section
Authentication hardening
Official control statement
Multi-factor authentication used for authenticating customers of online customer services provides a phishing-resistant option.
Why it matters
Without phishing-resistant MFA for customer logins, phished credentials and OTPs can be replayed, enabling account takeover and data breaches.
Operational notes
Offer phishing-resistant MFA (FIDO2/WebAuthn/passkeys) for customer logins; disable SMS/OTP-only flows where possible and monitor for MFA fatigue/replay.
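As an added illustration that is not part of the original control page, the Python sketch below shows why a FIDO2/WebAuthn assertion cannot be relayed from a phishing page the way a phished OTP can: the browser writes the page's origin into clientDataJSON, the authenticator signs over it, and the relying party rejects any origin other than its own. The relying party ID, origin, the relay origin and an HMAC standing in for the authenticator's ECDSA signature are constructed assumptions for the sketch.

```python
import base64, hashlib, hmac, json, os

RP_ID = "login.example.com"              # assumed relying party ID (constructed)
RP_ORIGIN = "https://login.example.com"  # the only origin the RP will accept

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_assertion(cred_key: bytes, challenge: bytes, browser_origin: str) -> dict:
    """Simulate browser + authenticator. The browser, not the user, fills in the
    origin, so a look-alike page gets its own origin signed, never the RP's."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": browser_origin}).encode()
    # authenticatorData: rpIdHash (32 bytes) || flags (UP = 0x01) || signCount (4 bytes)
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, to_sign, hashlib.sha256).digest()  # HMAC stands in for ECDSA
    return {"client_data": client_data, "auth_data": auth_data, "signature": sig}

def verify_assertion(cred_key: bytes, challenge: bytes, a: dict) -> tuple:
    """Relying-party checks, simplified from the order the WebAuthn spec lists them."""
    cd = json.loads(a["client_data"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", "").encode(), b64url(challenge).encode()):
        return False, "challenge mismatch (replay or stale)"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if a["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    to_sign = a["auth_data"] + hashlib.sha256(a["client_data"]).digest()
    expected = hmac.new(cred_key, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, a["signature"]):
        return False, "bad signature"
    return True, "ok"

def verify_otp(submitted: str, expected: str) -> bool:
    """An OTP carries nothing that names the site it was typed into."""
    return hmac.compare_digest(submitted, expected)

def demo() -> tuple:
    key, challenge = os.urandom(32), os.urandom(32)
    legit = verify_assertion(key, challenge, make_assertion(key, challenge, RP_ORIGIN))
    # A proxy page relays the RP's real challenge, but the victim's browser embeds the
    # proxy's own (constructed) origin and the authenticator signs that instead.
    relayed = verify_assertion(key, challenge,
                               make_assertion(key, challenge, "https://login.example.com.evil.test"))
    otp_relayed = verify_otp("482913", "482913")  # the same relay succeeds against an OTP
    return legit, relayed, otp_relayed
```

The origin check is the step that SMS/OTP flows have no equivalent of, which is why a relayed OTP verifies while a relayed assertion does not.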
Implementation tips
- The IT team should implement phishing-resistant multi-factor authentication by setting up systems that use physical security keys or phone apps that cannot be easily tricked. These tools add an extra layer of security that goes beyond just a password, making it much harder for hackers to access accounts without authorisation.
- Managers should educate staff about the importance of multi-factor authentication by organising simple training sessions. Explain how using these secure methods protects our data and the organisation's reputation, and provide step-by-step instructions for setting it up on commonly used services.
- Look at services that offer security keys or app-based methods, which are known for being robust against phishing.
- The HR department should incorporate the use of phishing-resistant multi-factor authentication in the onboarding process. Clearly explain and document the steps new employees need to follow to set up these security measures, ensuring everyone is protected from day one.
- Security officers should regularly review the effectiveness of phishing-resistant multi-factor authentication by analysing incident reports to check if any security breaches are related to failures in this area. Use the findings to adapt and strengthen security measures as needed.
Audit / evidence tips
- Ask for the multi-factor authentication policy document: Request the document that outlines how phishing-resistant methods are implemented. Look to see if it includes specific measures like security keys or app-based authentication. Good evidence is a detailed policy that is updated regularly and includes examples of the technology used.
- Ask for a list of services using phishing-resistant multi-factor authentication: Check if all critical services, like email and financial software, are covered. Good evidence would show all services are using secure authentication with no exceptions.
- A good record includes recent training sessions that reach all employees, with clear feedback mechanisms.
- Ask to see recent security incident reports involving authentication. A good outcome shows minimal incidents and effective response plans.
- A good process is straightforward, consistently applied, and includes clear instructions tailored to both tech-savvy and non-tech staff.
Cross-framework mappings
How ISM-1873 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| E8-MF-ML1.6 | E8-MF-ML1.6 requires MFA for customers accessing online customer services that handle sensitive customer data | |
| Related (1) | | |
| E8-MF-ML3.2 | ISM-1873 requires that multi-factor authentication (MFA) for authenticating customers of online customer services provides a phishing-res... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.