Implement Multi-factor Authentication for Customer Services
Use multi-factor authentication to protect access to sensitive customer data online.
Plain language
Using multi-factor authentication is like having a double lock on your online services. It ensures that customers' sensitive information is safe because it requires an extra step beyond just a password. Without this, a hacker who steals a password could easily access your customer data, leading to potential misuse or theft of information.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1, ML2, ML3
Guideline
Guidelines for system hardening
Section
Authentication hardening
Official control statement
Multi-factor authentication is used to authenticate users to their organisation's online customer services that process, store or communicate their organisation's sensitive customer data.
Why it matters
Without MFA for customer services, compromised passwords can allow account takeover and exfiltration of sensitive customer data, harming trust.
Operational notes
Enforce MFA for all customer-service logins; manage enrolment, secure recovery, and monitor MFA bypass/failed challenges for fraud.
Implementation tips
- Business Owners should mandate multi-factor authentication for all online customer service access where sensitive data is involved. Begin by consulting with your IT provider to understand how this can be integrated into your current systems, considering both security and user convenience.
- IT Teams should implement the technical configuration of multi-factor authentication. They can start by investigating solutions that best suit the organisation's size and risk profile, such as SMS codes or authenticator apps, and ensure these are compatible with existing systems.
- Office Managers should communicate the importance of multi-factor authentication to staff and customers. Craft a simple, clear message explaining why this is necessary and provide straightforward instructions for setting it up, ensuring everyone knows what to do and why it matters.
- IT Teams should plan and conduct training sessions for staff on the use of multi-factor systems. These sessions should include step-by-step guidance on setting up the authentication factor, such as using a smartphone app, and addressing any questions or technical issues.
- Compliance Managers should create and maintain documentation on the multi-factor authentication process. Document the approach, tools used, and any issues encountered, and ensure this record is reviewed and updated regularly to reflect any changes or improvements.
Audit / evidence tips
- Ask for the multi-factor authentication policy: Request a copy of the organisational policy that outlines the use of multi-factor authentication for customer services. Good evidence will include specific procedures and technologies being used.
- Ask for records of multi-factor authentication setup: Request logs or database records showing which accounts have multi-factor authentication enabled. Good evidence should show comprehensive coverage of all relevant accounts.
- Ask for training materials: Request the content used to educate staff on multi-factor authentication.
- Ask for helpdesk logs related to multi-factor authentication: Request to see recent support tickets or emails about issues with multi-factor authentication.
- Ask for the maintenance and review schedule: Request the schedule that details when and how the multi-factor authentication system is reviewed for security effectiveness. A good schedule will be dated, with planned future reviews outlined.
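The operational notes above call for monitoring failed and bypassed MFA challenges, and the audit tips ask for records showing MFA coverage of all relevant accounts. The script below is an added example, not part of this control page or of the ASD ISM; it runs over constructed authentication events and a constructed enrolment list (the event names, timestamps and thresholds are assumptions) and flags three conditions a defender would review: logins by accounts with no MFA enrolled, logins by enrolled accounts that were not preceded by a successful MFA challenge, and bursts of failed challenges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not taken from any real system.
# Accounts enrolled in MFA on the customer portal (assumed record format).
MFA_ENROLLED = {"alice", "bob", "dave"}

# Constructed auth events: (ISO timestamp, account, event)
# event is one of "mfa_fail", "mfa_ok", "login_ok".
EVENTS = [
    ("2026-03-01T09:00:00", "alice", "mfa_fail"),
    ("2026-03-01T09:01:00", "alice", "mfa_fail"),
    ("2026-03-01T09:02:00", "alice", "mfa_fail"),   # third failure in 10 min
    ("2026-03-01T09:03:00", "alice", "mfa_ok"),
    ("2026-03-01T09:03:05", "alice", "login_ok"),   # normal: MFA then login
    ("2026-03-01T10:00:00", "bob",   "login_ok"),   # enrolled, but no MFA step
    ("2026-03-01T11:00:00", "carol", "login_ok"),   # not enrolled at all
    ("2026-03-01T12:00:00", "dave",  "mfa_fail"),
    ("2026-03-01T12:30:00", "dave",  "mfa_fail"),   # failures 30 min apart
    ("2026-03-01T12:31:00", "dave",  "mfa_ok"),
    ("2026-03-01T12:31:30", "dave",  "login_ok"),
]


def audit(events, enrolled, fail_threshold=3,
          fail_window=timedelta(minutes=10), mfa_validity=timedelta(minutes=5)):
    """Return accounts flagged per condition; thresholds are assumed values."""
    findings = {"no_mfa_enrolled": set(), "mfa_bypass": set(), "challenge_storm": set()}
    recent_fails = defaultdict(list)   # account -> timestamps of recent failures
    last_mfa_ok = {}                   # account -> time of last passed challenge
    for ts, acct, ev in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if ev == "mfa_fail":
            # Keep only failures inside the sliding window, then add this one.
            recent_fails[acct] = [f for f in recent_fails[acct] if t - f <= fail_window] + [t]
            if len(recent_fails[acct]) >= fail_threshold:
                findings["challenge_storm"].add(acct)
        elif ev == "mfa_ok":
            last_mfa_ok[acct] = t
        elif ev == "login_ok":
            if acct not in enrolled:
                findings["no_mfa_enrolled"].add(acct)     # coverage gap
            elif acct not in last_mfa_ok or t - last_mfa_ok[acct] > mfa_validity:
                findings["mfa_bypass"].add(acct)          # login without fresh MFA
    return findings


if __name__ == "__main__":
    for condition, accounts in audit(EVENTS, MFA_ENROLLED).items():
        print(f"{condition}: {sorted(accounts)}")
```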
Cross-framework mappings
How ISM-1892 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | E8-MF-ML1.5 | E8-MF-ML1.5 requires MFA for authentication to third-party online customer services that handle sensitive customer data |
| Supports | E8-MF-ML2.6 | ISM-1892 requires MFA to protect access to online customer services handling sensitive customer data |
| Related | E8-MF-ML1.1 | E8-MF-ML1.1 requires MFA for the organisation's online services that process, store or communicate sensitive data |
| Related | E8-MF-ML1.4 | ISM-1892 requires multi-factor authentication (MFA) to be used to authenticate users to an organisation's online customer services that p... |
| Related | E8-MF-ML1.6 | E8-MF-ML1.6 requires multi-factor authentication (MFA) for customers accessing online customer services that process, store, or communica... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.