ISM-1893 policy ASD Information Security Manual (ISM)

Enforcing Multi-Factor Authentication for User Security

Users must use multi-factor authentication to access third-party services handling sensitive data.


Plain language

This control means you need to add an extra layer of security when accessing online services that handle important customer data. This matters because if someone tries to hack into these systems, multi-factor authentication makes it much harder for them to succeed, protecting your sensitive information from theft or misuse.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML1, ML2, ML3

Official control statement

Multi-factor authentication is used to authenticate users to third-party online customer services that process, store or communicate their organisation's sensitive customer data.

Why it matters

Without MFA on third-party customer services, attackers can take over accounts and access or exfiltrate sensitive customer data, causing a breach.


Operational notes

Enforce MFA on all third-party customer services handling sensitive customer data; review MFA settings and logs after changes and user onboarding.


Implementation tips

  • Business owners should ensure that all employees understand the importance of using multi-factor authentication. Hold a brief training session explaining how it works, like entering a code from their phone in addition to their password when logging in.
  • IT staff should set up multi-factor authentication on all accounts that access external services with customer data. They can do this by enabling settings in account management systems, often with simple step-by-step guides provided by the service.
  • Managers should regularly check that multi-factor authentication is actively being used by all team members. Conduct periodic checks at meetings and remind staff why it's important to keep it enabled.
  • The authorising officer of each department should ensure new software or services require multi-factor authentication before being approved for use. They can do this by making it part of the software approval checklist process.
  • HR teams should include multi-factor authentication instructions in the onboarding process for new hires. Provide new employees with clear, written instructions on setting it up as part of their initial training.

Audit / evidence tips

  • Ask: the list of third-party services in use. Request a document showing all the services used that handle customer data with multi-factor authentication enabled. Good evidence: a list of services where each entry confirms multi-factor authentication is active.
  • Good evidence: a record of training sessions with dates and a summary of the content covered, showing ongoing training.
  • Ask: IT configuration checklists. Request documentation showing the setup of multi-factor authentication for services. Good evidence: clear evidence showing that these settings are checked regularly and are current.
  • Good evidence: a dated report showing the date, services checked, and any follow-up actions taken.
  • Ask: user feedback reports. Good evidence: a summary showing that most users have set it up successfully with few reporting difficulties.

Cross-framework mappings

How ISM-1893 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)
  • Annex A 8.5: ISM-1893 requires MFA for a specific authentication scenario: users accessing third-party online customer services handling the organisat...

Supports (2)
  • Annex A 5.17: ISM-1893 requires MFA to be used for user authentication to third-party online customer services handling sensitive customer data.
  • Annex A 5.22: ISM-1893 requires MFA for users authenticating to third-party online customer services that handle sensitive customer data.

Depends on (1)
  • Annex A 5.12: ISM-1893 requires MFA to be used for access to third-party online customer services that process, store or communicate the organisation’s...

E8

Partially meets (1)
Partially overlaps (5)
Supports (3)
Related (1)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
