ISM-1919 policy ASD Information Security Manual (ISM)

Disable Non-MFA Authentication Protocols

Ensures systems only use multi-factor authentication by disabling less secure protocols.

Preventative NC OS P ASD Information Security ManualGuidelines for system hardening mfa access control

record_voice_over

Plain language

Multi-factor authentication (MFA) requires you to use two or more methods to prove who you are before you can access online services, like email or bank accounts. This control is about turning off old ways of logging in that don't use MFA, which helps to keep your accounts safer. Without it, hackers have an easier time breaking into your accounts using stolen passwords or tricking you with phishing attempts.

01 — Overview

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Guideline

Guidelines for system hardening

Section

Authentication hardening

Topic

Multi-factor Authentication

Official control statement

When multi-factor authentication is used to authenticate users or customers to online services or online customer services, all other authentication protocols that do not support multi-factor authentication are disabled.

policy ASD Information Security Manual (ISM) ISM-1919

priority_high

Why it matters

If non-MFA protocols remain enabled, attackers can bypass MFA (e.g., legacy/basic auth) to take over accounts and access data.

settings

Operational notes

Audit identity providers and apps to disable legacy/non-MFA protocols (e.g., basic/IMAP/POP/SMTP auth) and alert on any attempted use.

02 — Implement

build

Implementation tips

System owners should review their current authentication protocols to identify which ones do not support multi-factor authentication. They can do this by listing all services and applications used within the organisation and checking their login settings.
The IT team should disable all non-MFA protocols across all systems. They can achieve this by going into each system's security settings and ensuring that only MFA-supported logins are enabled.
Managers should communicate the importance of using MFA to all staff members to ensure they understand why the change is being made. This can be done via a company-wide email or meeting, explaining the benefits of extra security.
Procurement officers should verify that any new software or online service purchased by the organisation supports MFA. Before purchase, they should request a demonstration from vendors showing how MFA is implemented.
IT support should assist team members in setting up MFA on their accounts, guiding them through the process of linking their mobile phones or security tokens with their login credentials, to make sure they are all set up properly.

03 — Audit

fact_check

Audit / evidence tips

Aska list of current authentication protocols in use

Goodwould be a document showing only MFA-enabled protocols listed
Goodincludes an audit log from IT systems showing these changes
Askcommunication records that inform staff about MFA implementation. Review these communications to ensure they explain why non-MFA protocols were disabled

Goodis an email or meeting notes that clearly state this information
Goodis a checklist item in procurement forms verifying MFA capability before purchase
Askthe IT support records showing assistance provided to staff for MFA setup. Review these records to ensure that staff were successfully guided through the MFA setup process

Goodincludes detailed logs of assistance or training sessions provided

04 — Mappings

link

Cross-framework mappings

How ISM-1919 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

ISO 27001

Control	Notes	Details
layers Partially meets (1) expand_less
Annex A 8.5	ISM-1919 requires a specific secure-authentication configuration outcome: disabling all authentication protocols that do not support MFA ...

E8

Control	Notes	Details
handshake Supports (8) expand_less

E8-MF-ML1.1	ISM-1919 requires that once MFA is implemented for online services, all authentication protocols that cannot use MFA are disabled to prev...
E8-MF-ML1.2	E8-MF-ML1.2 requires MFA for authentication to third-party services handling sensitive data
E8-MF-ML1.3	E8-MF-ML1.3 requires multi-factor authentication (where available) for user access to third-party online services handling an organisatio...
E8-MF-ML1.6	E8-MF-ML1.6 requires MFA for customer authentication to online customer services handling sensitive customer data
E8-MF-ML1.7	E8-MF-ML1.7 requires MFA to use two factors to strengthen authentication
E8-MF-ML2.1	ISM-1919 requires disabling authentication protocols that do not support MFA whenever MFA is used, reducing the risk privileged users can...
E8-MF-ML2.3	E8-MF-ML2.3 requires phishing-resistant MFA for online services to prevent phishing-based bypass of authentication
E8-MF-ML3.1	E8-MF-ML3.1 requires MFA for authenticating users of data repositories
extension Depends on (1) expand_less

E8-MF-ML1.5	E8-MF-ML1.5 requires MFA for authentication to third-party online customer services

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.