Phishing-Resistant Multi-Factor Authentication for Customers
Online services use multi-step security to prevent phishing attacks during customer login.
Plain language
This control is about using multi-step security checks that are hard for scammers to trick when you log in online. It matters because if you don't have these strong checks, someone pretending to be you could get into your accounts and steal your information or money.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Guideline
Guidelines for system hardening
Section
Authentication hardening
Official control statement
Multi-factor authentication used for authenticating customers of online customer services is phishing-resistant.
Why it matters
Without phishing-resistant MFA, attackers can impersonate customers, leading to significant data breaches and financial losses.
Operational notes
Use phishing-resistant MFA for customers (e.g., FIDO2/WebAuthn passkeys) and monitor for OTP/push fatigue; keep enrolment and recovery guidance current.
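The following added example (not part of this control entry or of any ASD guidance) shows the relying-party-side checks that make a FIDO2/WebAuthn assertion phishing-resistant: the browser, not the user, supplies the origin in clientDataJSON, and the authenticator signs over the hash of the rpId it derived from the real page, so an assertion collected on a look-alike site fails these checks. RP_ID, ALLOWED_ORIGINS, ISSUED_CHALLENGE and the constructed assertion values are assumptions; signature verification is not shown.

```python
import base64
import hashlib
import json

# Constructed values for the example (assumptions, not from the control text):
# the relying party's rpId, the origins it legitimately serves, and the
# challenge it issued for this login attempt.
RP_ID = "bank.example"
ALLOWED_ORIGINS = {"https://bank.example", "https://www.bank.example"}
ISSUED_CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # base64url("some-random-challenge")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def check_assertion(client_data_b64: str, auth_data: bytes) -> tuple:
    """Origin/rpId/challenge checks a relying party performs on a WebAuthn
    assertion. Signature verification over auth_data || sha256(clientDataJSON)
    with the stored credential public key must follow and is not shown here."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # The challenge must be the one this server issued for this attempt (no replay).
    if client_data.get("challenge") != ISSUED_CHALLENGE:
        return False, "challenge mismatch"
    # The browser fills in origin; a look-alike site cannot claim ours.
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin %r not allowed" % client_data.get("origin")
    # authenticatorData begins with sha256(rpId); the authenticator only signs
    # for the rpId the browser derived from the page the user actually visited.
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:  # UP flag: user presence was verified
        return False, "user presence flag not set"
    return True, "ok"


def make_client_data(origin: str) -> str:
    # Constructed clientDataJSON, as a browser assembles it for navigator.credentials.get().
    data = {"type": "webauthn.get", "challenge": ISSUED_CHALLENGE, "origin": origin}
    return base64.urlsafe_b64encode(json.dumps(data).encode()).decode().rstrip("=")


def make_auth_data(rp_id: str) -> bytes:
    # Constructed authenticatorData: rpIdHash (32) || flags (1) || signCount (4).
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (1).to_bytes(4, "big")
```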
Implementation tips
- The IT team should implement phishing-resistant multi-factor authentication (MFA) for customer logins. They can do this by choosing and setting up an authentication method like a hardware security key or a mobile app that generates unique codes. This adds an extra layer of security that is not easily fooled by phishing attempts.
- System administrators need to ensure that all online services used by customers are configured to require the chosen MFA method. This can be done by adjusting the authentication settings to make MFA a mandatory step during each login process.
- Customer support managers should inform customers about the new MFA process and why it's important. They can do this by sending out emails, updating websites, and providing simple guides on how to use the new method effectively.
- IT security trainers should provide training sessions for staff on how phishing-resistant MFA works and why it’s beneficial. These sessions should include examples of phishing attacks and hands-on practice with the new authentication process.
- Risk management officers need to conduct a risk assessment to ensure that the selected MFA method effectively reduces the threat of phishing. This involves evaluating different MFA options and selecting one that best suits the organisation’s customer base and threat landscape.
Audit / evidence tips
- Ask for: the documentation on the MFA system implemented for customer accounts
  Good evidence: documentation that clearly explains the phishing-resistant features and their implementation timeline
- Ask for: records of customer communications regarding the introduction of phishing-resistant MFA
  Good evidence: copies of emails, newsletters, or a website notice explaining MFA benefits and usage
- Good evidence: slides, videos, or training manuals with clear explanations and example scenarios
- Ask for: logs showing the enforcement of MFA for customer accounts. Check that the logs record when MFA was required and whether any login attempts were rejected due to phishing attempts
  Good evidence: logs that demonstrate MFA is consistently required and a clear record of failed phishing attempts
- Good evidence: a detailed report outlining the risks identified and the reasons behind the choice of MFA
Cross-framework mappings
How ISM-1874 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.5 | ISM-1874 requires a specific secure authentication outcome: phishing-resistant MFA for customers of online customer services | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| E8-MF-ML1.6 | E8-MF-ML1.6 requires MFA for customers authenticating to online services handling sensitive customer data | |
| E8-MF-ML2.3 | E8-MF-ML2.3 requires phishing-resistant MFA for users authenticating to online services | |
| Related (1) | | |
| E8-MF-ML3.2 | ISM-1874 requires that multi-factor authentication used to authenticate customers of online customer services is phishing-resistant | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.