Disable Non-MFA Authentication Protocols
Ensures systems only use multi-factor authentication by disabling less secure protocols.
Plain language
Multi-factor authentication (MFA) requires you to use two or more methods to prove who you are before you can access online services, like email or bank accounts. This control is about turning off old ways of logging in that don't use MFA, which helps to keep your accounts safer. Without it, hackers have an easier time breaking into your accounts using stolen passwords or tricking you with phishing attempts.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Authentication hardening
Official control statement
When multi-factor authentication is used to authenticate users or customers to online services or online customer services, all other authentication protocols that do not support multi-factor authentication are disabled.
Why it matters
If non-MFA protocols remain enabled, an attacker holding a stolen or phished password can authenticate over one of them (e.g., legacy/basic auth) and bypass MFA entirely, taking over accounts and accessing data.
Operational notes
Audit identity providers and apps to disable legacy/non-MFA protocols (e.g., basic/IMAP/POP/SMTP auth) and alert on any attempted use.
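As an added illustration of the two halves of this note (it is not part of the ISM or of this page), the script below audits a protocol inventory for entries that cannot carry MFA and raises alerts from constructed sign-in records. The protocol names, the CSV record layout and the `NON_MFA_PROTOCOLS` set are assumptions; map them to what your own identity provider exposes.

```python
import csv
from io import StringIO

# Authentication protocols that cannot carry an MFA challenge. This set is
# an assumption for the example; adjust it to the protocols your IdP offers.
NON_MFA_PROTOCOLS = {"basic", "imap4", "pop3", "smtp-auth", "activesync-basic"}

# Constructed sign-in records in a simple CSV layout (not real data and not
# any vendor's export format): timestamp,user,protocol,mfa,result
SAMPLE_SIGNIN_LOG = """\
timestamp,user,protocol,mfa,result
2026-03-19T08:01:10Z,alice@example.com,oauth2,yes,success
2026-03-19T08:02:45Z,bob@example.com,imap4,no,success
2026-03-19T08:03:02Z,carol@example.com,basic,no,failure
2026-03-19T08:04:30Z,alice@example.com,smtp-auth,no,success
2026-03-19T08:05:11Z,dave@example.com,oauth2,yes,failure
"""


def audit_protocol_inventory(enabled):
    """Return the enabled protocols that violate the control.
    `enabled` maps protocol name -> True if that protocol supports MFA.
    A protocol in NON_MFA_PROTOCOLS is flagged even if marked as MFA-capable."""
    return sorted(p for p, supports_mfa in enabled.items()
                  if not supports_mfa or p.lower() in NON_MFA_PROTOCOLS)


def find_non_mfa_signins(log_text):
    """Parse sign-in records and return one alert per non-MFA attempt.
    Failed attempts are kept too: any attempt proves the protocol is reachable."""
    alerts = []
    for row in csv.DictReader(StringIO(log_text)):
        proto = row["protocol"].lower()
        if proto in NON_MFA_PROTOCOLS or row["mfa"].lower() == "no":
            alerts.append({
                "time": row["timestamp"], "user": row["user"],
                "protocol": proto, "result": row["result"],
                "severity": "high" if row["result"] == "success" else "medium",
            })
    return alerts


if __name__ == "__main__":
    inventory = {"oauth2": True, "saml": True, "imap4": False, "basic": False}
    print("protocols to disable:", audit_protocol_inventory(inventory))
    for a in find_non_mfa_signins(SAMPLE_SIGNIN_LOG):
        print(f"[{a['severity']}] {a['time']} {a['user']} via {a['protocol']} ({a['result']})")
```

A successful non-MFA sign-in is rated high because it means the protocol was not actually disabled; a failure still shows the endpoint is exposed to password guessing.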
Implementation tips
- System owners should review their current authentication protocols to identify which ones do not support multi-factor authentication. They can do this by listing all services and applications used within the organisation and checking their login settings.
- The IT team should disable all non-MFA protocols across all systems. They can achieve this by going into each system's security settings and ensuring that only MFA-supported logins are enabled.
- Managers should communicate the importance of using MFA to all staff members to ensure they understand why the change is being made. This can be done via a company-wide email or meeting, explaining the benefits of extra security.
- Procurement officers should verify that any new software or online service purchased by the organisation supports MFA. Before purchase, they should request a demonstration from vendors showing how MFA is implemented.
- IT support should assist team members in setting up MFA on their accounts, guiding them through the process of linking their mobile phones or security tokens with their login credentials, to make sure they are all set up properly.
Audit / evidence tips
- Ask: a list of current authentication protocols in use. Good: a document showing only MFA-enabled protocols listed.
- Good: includes an audit log from IT systems showing these changes.
- Ask: communication records that inform staff about MFA implementation. Review these communications to ensure they explain why non-MFA protocols were disabled. Good: an email or meeting notes that clearly state this information.
- Good: a checklist item in procurement forms verifying MFA capability before purchase.
- Ask: the IT support records showing assistance provided to staff for MFA setup. Review these records to ensure that staff were successfully guided through the MFA setup process. Good: detailed logs of assistance or training sessions provided.
Cross-framework mappings
How ISM-1919 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.5 | ISM-1919 requires a specific secure-authentication configuration outcome: disabling all authentication protocols that do not support MFA ... | |
E8
| Control | Notes | Details |
|---|---|---|
| Supports (8) | | |
| Depends on (1) | | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.