ISM-1874 ASD Information Security Manual (ISM)

Phishing-Resistant Multi-Factor Authentication for Customers

Online services use multi-step security to prevent phishing attacks during customer login.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Nov 2023

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

ML3

Official control statement
Multi-factor authentication used for authenticating customers of online customer services is phishing-resistant.

Source: ASD Information Security Manual (ISM)

Plain language

This control is about using multi-step security checks that are hard for scammers to trick when you log in online. It matters because if you don't have these strong checks, someone pretending to be you could get into your accounts and steal your information or money.

Why it matters

Without phishing-resistant MFA, attackers can impersonate customers, leading to significant data breaches and financial losses.

Operational notes

Use phishing-resistant MFA for customers (e.g., FIDO2/WebAuthn passkeys) and monitor for OTP/push fatigue; keep enrolment and recovery guidance current.
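What makes FIDO2/WebAuthn phishing-resistant, unlike a one-time code that a customer can be talked into typing on a lookalike site, is origin binding: the browser records the page origin in the signed client data and scopes the credential to the relying party's domain, and the server refuses anything not bound to its own origin. The following is an added example, not Control Stack's or ASD's code, showing the relying-party checks that enforce that binding. The RP ID `bank.example`, the allowed origins, the lookalike host in the test and the sample assertions are all constructed for illustration; verifying the signature over the authenticator data is left to a WebAuthn library.

```python
"""Relying-party side of a WebAuthn assertion: the origin/RP-ID checks that
make passkeys resist credential phishing. Added example with constructed values."""
import base64
import hashlib
import json
import secrets
from dataclasses import dataclass
from typing import Tuple

RP_ID = "bank.example"                                                  # assumed RP ID
ALLOWED_ORIGINS = {"https://bank.example", "https://www.bank.example"}  # assumed origins


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


@dataclass
class Assertion:
    client_data_json: bytes    # JSON the browser built: type, challenge, origin
    authenticator_data: bytes  # rpIdHash(32) | flags(1) | signCount(4) | ...


def verify_assertion(a: Assertion, expected_challenge: bytes) -> Tuple[bool, str]:
    """Return (ok, reason). Signature verification over
    authenticator_data || sha256(client_data_json) is deliberately left to a
    WebAuthn library; the checks here are the ones that bind the login to the
    genuine origin, which is what defeats a relayed or lookalike-site login."""
    try:
        cd = json.loads(a.client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url_encode(expected_challenge):
        return False, "challenge mismatch (replayed or cross-session)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin %r is not the relying party" % cd.get("origin")
    if len(a.authenticator_data) < 37:
        return False, "authenticator data too short"
    if a.authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    flags = a.authenticator_data[32]
    if not flags & 0x01:
        return False, "user-presence flag not set"
    return True, "ok"


def simulate_browser(origin: str, challenge: bytes) -> Assertion:
    """Constructed stand-in for what a browser at `origin` hands back. A real
    browser scopes the credential to the origin's host, so the rpIdHash it
    signs is that host's (or a registrable suffix of it), never ours when the
    page is served from an unrelated domain."""
    host = origin.split("://", 1)[1].split("/", 1)[0]
    rp_id = RP_ID if host == RP_ID or host.endswith("." + RP_ID) else host
    cd = json.dumps({"type": "webauthn.get",
                     "challenge": b64url_encode(challenge),
                     "origin": origin}).encode()
    # flags 0x05 = user present | user verified; sign count 1
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (1).to_bytes(4, "big")
    return Assertion(cd, auth)


if __name__ == "__main__":
    challenge = secrets.token_bytes(32)   # per-login challenge stored in the session
    print(verify_assertion(simulate_browser("https://www.bank.example", challenge), challenge))
    # a page served from an unrelated host fails on origin, before the signature is even checked
    print(verify_assertion(simulate_browser("https://bank.example.lookalike.test", challenge), challenge))
```

The order of checks matters for logging: an origin or rpIdHash mismatch is the signal an operator wants surfaced, because it is exactly the event a relayed login produces, whereas a challenge mismatch is more often a stale session.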

Implementation tips

  • IT team should implement phishing-resistant multi-factor authentication (MFA) for customer logins. They can do this by choosing and setting up an authentication method like a hardware security key or a mobile app that generates unique codes. This adds an extra layer of security that is not easily fooled by phishing attempts.
  • System administrators need to ensure that all online services used by customers are configured to require the chosen MFA method. This can be done by adjusting the authentication settings to make MFA a mandatory step during each login process.
  • Customer support managers should inform customers about the new MFA process and why it's important. They can do this by sending out emails, updating websites, and providing simple guides on how to use the new method effectively.
  • IT security trainers should provide training sessions for staff on how phishing-resistant MFA works and why it’s beneficial. These sessions should include examples of phishing attacks and hands-on practice with the new authentication process.
  • Risk management officers need to conduct a risk assessment to ensure that the selected MFA method effectively reduces the threat of phishing. This involves evaluating different MFA options and selecting one that best suits the organisation’s customer base and threat landscape.

Audit / evidence tips

  • Ask: the documentation on the MFA system implemented for customer accounts

    Good: documentation that clearly explains the phishing-resistant features and their implementation timeline

  • Ask: records of customer communications regarding the introduction of phishing-resistant MFA

    Good: copies of emails, newsletters, or a website notice explaining MFA benefits and usage

  • Good: slides, videos, or training manuals with clear explanations and example scenarios

  • Ask: logs showing the enforcement of MFA in customer accounts. Check that the logs record when MFA was required and whether any login attempts were rejected because of phishing

    Good: logs that demonstrate MFA being required consistently and a clear record of failed phishing attempts

  • Good: a detailed report outlining the risks identified and the reasons behind the choice of MFA
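The operational notes above ask for monitoring of OTP/push fatigue, and the audit tips ask for logs that show MFA being enforced. The following is an added example, not Control Stack's code, of a detection sweep over such logs: it flags a customer who receives a burst of denied or timed-out push prompts inside a short window and records whether an approval followed, which is the push-fatigue pattern. The log format, field names and the sample lines are constructed; adapt the parser to the export format of your identity provider.

```python
"""Push-fatigue detection over MFA enforcement logs. Added example with a
constructed log format (one event per line, key=value fields)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line layout: ISO timestamp, then user=, method=, result= fields
LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) result=(?P<result>\S+)")

# Constructed sample: bob gets three failed prompts in two minutes and then approves one
SAMPLE_LOG = """\
2026-02-22T09:14:03Z user=alice method=passkey result=approved
2026-02-22T09:20:11Z user=bob method=push result=denied
2026-02-22T09:20:40Z user=bob method=push result=timeout
2026-02-22T09:21:05Z user=bob method=push result=denied
2026-02-22T09:21:30Z user=bob method=push result=approved
2026-02-22T10:02:00Z user=carol method=push result=denied
2026-02-22T11:30:00Z user=carol method=push result=approved
"""


def parse(log_text):
    """Yield parsed events; lines that do not match the layout are skipped."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ev


def find_push_fatigue(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return one alert per burst of `threshold` or more unsuccessful push
    prompts (denied/timeout) for the same user inside `window`. An approval
    arriving within `window` of an alert sets approved_after=True, the case
    that deserves immediate follow-up with the customer."""
    recent = defaultdict(deque)   # user -> timestamps of recent failed prompts
    alerts = []
    for ev in parse(log_text):
        if ev["method"] != "push":
            continue
        q = recent[ev["user"]]
        if ev["result"] in ("denied", "timeout"):
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                alerts.append({"user": ev["user"], "at": ev["ts"],
                               "prompts": len(q), "approved_after": False})
                q.clear()        # one alert per burst
        elif ev["result"] == "approved":
            for a in alerts:
                if a["user"] == ev["user"] and timedelta(0) <= ev["ts"] - a["at"] <= window:
                    a["approved_after"] = True
    return alerts


if __name__ == "__main__":
    for alert in find_push_fatigue(SAMPLE_LOG):
        print(alert)
```

Passkey logins never enter the sweep because they carry no prompt for a customer to approve; the same sweep applied to OTP entries (repeated wrong codes followed by a correct one) gives the OTP-side signal the notes mention.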

Cross-framework mappings

How ISM-1874 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (1)
  Annex A 8.5: ISM-1874 requires a specific secure authentication outcome: phishing-resistant MFA for customers of online customer services

E8

Partially overlaps (1)
  E8-MF-ML2.3: E8-MF-ML2.3 requires phishing-resistant MFA for authenticating users of online services
Supports (1)
  E8-MF-ML1.6: E8-MF-ML1.6 requires MFA to authenticate customers to online customer services that process, store or communicate sensitive customer data
Related (1)
  E8-MF-ML3.2: ISM-1874 requires that multi-factor authentication used to authenticate customers of online customer services is phishing-resistant
