ISM-1894 policy ASD Information Security Manual (ISM)

Ensuring Phishing-Resistant Multi-factor Authentication

Ensure multi-factor authentication resists phishing attempts for secure data access.


Plain language

Phishing-resistant multi-factor authentication is like a lock that only opens for a key cut for that exact door: a copy made by a fake locksmith will not turn. This matters because cyber criminals set up look-alike login pages to capture your password and one-time code and replay them on the real site within seconds. A phishing-resistant method, such as a security key or passkey, is tied to the genuine website, so anything captured on the fake page is useless to the attacker.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2023

Control Stack last updated

19 May 2026

E8 maturity levels

ML3

Official control statement

Multi-factor authentication used for authenticating users of data repositories is phishing-resistant.

Why it matters

Without phishing-resistant MFA, an attacker who lures a user to a look-alike login page can capture the password and relay the one-time code or push approval to the real service in real time (adversary-in-the-middle phishing), obtaining a valid session on the data repository. Phishing-resistant methods such as FIDO2/WebAuthn security keys and passkeys bind each authentication to the genuine site's origin, so credentials captured on another site cannot complete a login; this is what stops the relay and the resulting repository compromise and data breach.
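As an added illustration, not part of the ISM or of this page, the Go program below models the WebAuthn authentication ceremony closely enough to show where the phishing resistance comes from. The browser writes the origin it is really on into clientDataJSON and derives the RP ID hash from that origin's domain; the authenticator signs both. A relying party that checks origin, RP ID hash and signature rejects an assertion relayed from a look-alike site, and also rejects one where the proxy has rewritten those fields, because the signature no longer matches. The repository hostname, the phishing domain and all keys are made up for the example; CBOR encoding, attestation and user verification are left out.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed teaching model (not ISM or product code) of the WebAuthn authentication ceremony: the
// browser, not the user, writes the origin and derives the RP ID hash, and the authenticator signs both.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
type assertion struct {
	ClientDataJSON    []byte
	AuthenticatorData []byte // rpIdHash (32) || flags (1) || signCount (4)
	Signature         []byte // ECDSA P-256 over sha256(authenticatorData || sha256(clientDataJSON))
}
type authenticator struct{ priv *ecdsa.PrivateKey } // stands in for a FIDO2 key or passkey provider
type relyingParty struct {                           // the data repository's login service
	origin string
	rpID   string
	pub    *ecdsa.PublicKey
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// sign models browser plus authenticator: browserOrigin is the page the user is really on and rpID is
// derived from that page's domain, so a phishing page cannot substitute the repository's real values.
func (a *authenticator) sign(browserOrigin, rpID string, challenge []byte) assertion {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: b64(challenge), Origin: browserOrigin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; signCount 1
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, cd))
	if err != nil {
		panic(err) // simulated device: nothing sensible to do on RNG failure
	}
	return assertion{ClientDataJSON: cd, AuthenticatorData: authData, Signature: sig}
}

func (rp *relyingParty) verify(a assertion, expectedChallenge []byte) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != b64(expectedChallenge) {
		return errors.New("wrong ceremony type or challenge (stale or replayed assertion)")
	}
	if cd.Origin != rp.origin { // origin binding: an assertion made on a look-alike site names that site
		return fmt.Errorf("origin %q is not %q", cd.Origin, rp.origin)
	}
	want := sha256.Sum256([]byte(rp.rpID))
	if len(a.AuthenticatorData) < 37 || !bytes.Equal(a.AuthenticatorData[:32], want[:]) {
		return errors.New("rpIdHash does not match this relying party")
	}
	// The signature covers both fields above, so a relayed assertion cannot be "fixed up" in transit.
	if !ecdsa.VerifyASN1(rp.pub, signedDigest(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// outcome: Legit is nil; Relayed fails the origin check; FixedUp fails the signature check.
type outcome struct{ Legit, Relayed, FixedUp error }
func demo() outcome {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	rp := &relyingParty{origin: "https://repo.example.gov.au", rpID: "repo.example.gov.au", pub: &priv.PublicKey}
	auth, challenge := &authenticator{priv: priv}, make([]byte, 32)
	rand.Read(challenge) // crypto/rand.Read does not return an error in current Go releases
	legit := auth.sign(rp.origin, rp.rpID, challenge)
	// Real-time relay: the proxy forwards the repository's challenge to the victim, whose browser is on
	// the phishing domain. (A conforming browser would not even release the credential there.)
	phish := "repo-example-gov-au.login-portal.example"
	relayed := auth.sign("https://"+phish, phish, challenge)
	// The proxy rewrites origin and rpIdHash to the real values before forwarding the assertion.
	fixedCD, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: b64(challenge), Origin: rp.origin})
	realHash := sha256.Sum256([]byte(rp.rpID))
	fixedUp := assertion{fixedCD, append(realHash[:], relayed.AuthenticatorData[32:]...), relayed.Signature}
	return outcome{rp.verify(legit, challenge), rp.verify(relayed, challenge), rp.verify(fixedUp, challenge)}
}

func main() {
	out := demo()
	fmt.Printf("legit=%v\nrelayed=%v\nfixedUp=%v\n", out.Legit, out.Relayed, out.FixedUp)
}
```

Contrast this with a one-time code from an SMS or authenticator app: the code is just a string with no binding to the site it was typed into, so the same relay succeeds unchanged. That difference, not the number of factors, is what the control statement means by "phishing-resistant".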


Operational notes

Regularly confirm that only phishing-resistant MFA (e.g. FIDO2/WebAuthn security keys, passkeys or smart cards) is permitted for repository access, including in fallback and account-recovery flows, where weaker methods such as SMS or one-time code apps often remain enabled, and monitor logs and alerts for any unauthorised change to the MFA policy.


Implementation tips

  • The IT team should implement phishing-resistant multi-factor authentication using methods that are bound to the legitimate site, such as FIDO2/WebAuthn security keys, passkeys or smart cards, rather than passwords with SMS codes. Note that authenticator apps that generate one-time codes, and push-notification approvals, are not phishing-resistant: a phishing page can relay the code or approval to the real site in real time.
  • Business owners should ensure their staff are trained on recognising phishing attempts by organising regular training sessions. In these sessions, use real-life examples to show how phishing attacks work and what to look out for.
  • Managers should enforce policy that requires all staff to use phishing-resistant authentication methods for accessing any company data. They can do this by directing IT to disable older, weaker methods such as SMS codes, one-time code apps and push approvals, including as fallback options.
  • HR should include phishing-resistant authentication training as part of the onboarding process for new employees. They can include this training in the induction program, ensuring everyone knows how to protect their login credentials from the start.
  • The procurement team should prioritise buying software and services that support phishing-resistant multi-factor authentication. When evaluating vendors, ask them to demonstrate how their solutions handle login security and what technology they use for phishing resistance.

Audit / evidence tips

  • Ask: The log of authentication methods currently in use across company systems. Good: Shows that access to data repositories uses only phishing-resistant methods (FIDO2/WebAuthn security keys, passkeys, smart cards), with SMS, one-time code apps and push approvals disabled.
  • Ask: Training records showing staff have been educated about phishing-resistant authentication. Good: Includes signed attendance from staff and material covering the risks of phishing.
  • Ask: The written policy mandating phishing-resistant authentication methods. Good: Includes a company-wide memo or email defining and mandating such methods.
  • Ask: A report on incidents where phishing attempts were detected and thwarted. Good: Shows incidents handled without unauthorised access due to these measures.
  • Ask: Purchase records or vendor agreements that specify the use of phishing-resistant authentication technologies. Good: Shows vendors committed to providing and supporting phishing-resistant solutions.

Cross-framework mappings

How ISM-1894 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)
  • Annex A 8.5: ISM-1894 requires a specific outcome: MFA used for authenticating users of data repositories must be phishing-resistant
Supports (1)
  • Annex A 5.17: ISM-1894 requires phishing-resistant MFA for authenticating users of data repositories

E8

Partially overlaps (2)
  • E8-MF-ML2.3: requires phishing-resistant MFA for authenticating users of online services
  • E8-MF-ML2.5: requires that MFA used for system access is phishing-resistant
Supports (1)
  • E8-MF-ML2.6: ISM-1894 requires phishing-resistant MFA for authenticating users of data repositories
Related (2)
  • E8-MF-ML3.1: ISM-1894 requires that MFA for data repository access is specifically phishing-resistant, setting a stronger quality requirement for the ...
  • E8-MF-ML3.3: requires that multi-factor authentication (MFA) used to access data repositories is specifically phishing-resistant

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
