ISM-2011 policy ASD Information Security Manual (ISM)

Restrict MFA Options to Phishing-resistant Only

Ensure accounts using strong, phishing-proof MFA can't use less secure authentication methods.


Plain language

This control is about making sure your online accounts are really hard to hack even if someone tricks you into giving away information via phishing scams. It matters because phishing-proof multi-factor authentication (MFA) helps keep your personal and business information safe by making it much harder for criminals to access your accounts, even if they get hold of your passwords.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

When phishing-resistant multi-factor authentication is used by user accounts, other non-phishing-resistant multi-factor authentication options are disabled for such user accounts.

Why it matters

Failure to enforce phishing-resistant MFA can lead to account takeovers, exposing sensitive data and causing significant financial and reputational damage.


Operational notes

Review user MFA enrolment and ensure only phishing-resistant methods remain enabled; disable SMS/OTP options and alert on any changes.


Implementation tips

  • The IT manager should conduct a review of all currently used MFA options to ensure any that are not phishing-resistant are disabled for accounts using stronger, phishing-proof MFA. This can be done by listing all available MFA methods and disabling weaker ones like basic SMS codes on the server or application settings.
  • Business owners should arrange a meeting with their IT service provider to discuss and implement phishing-resistant MFA methods like hardware tokens or app-based authenticators. Set a timeline and track progress to ensure only secure methods are available to staff.
  • The IT team should educate all employees about the importance of using phishing-resistant MFA. This can be done through workshops or digital training materials, clearly explaining how to use these methods and why they offer better protection.
  • Office managers should update their staff onboarding checklist to include setting up phishing-resistant MFA options immediately when new employees join. This ensures everyone starts with the right security habits from day one.
  • Procurement officers should ensure any third-party software or service the company buys supports phishing-resistant MFA out of the box. They can check this by asking vendors specific questions about their MFA offerings before purchasing.

Audit / evidence tips

  • Ask for a list of all enabled MFA methods: request documentation showing which MFA methods are currently enabled for employee accounts. Good evidence is a document listing all MFA methods, with comments indicating that non-phishing-resistant ones are disabled.
  • Ask to see the MFA policy: request a copy of the organisation's authentication policy. Good evidence includes a clearly stated requirement to use only strong, phishing-proof MFA options.
  • Ask for training records: request evidence that employees have been trained on phishing-resistant MFA. Good evidence includes recent training session records that discuss phishing-resistant MFA.
  • Ask for a demonstration of MFA setup: request a walkthrough of setting up a phishing-resistant MFA method for a new user account. Good evidence is a smooth demonstration that shows weaker methods being disabled and stronger ones being activated successfully.
  • Ask to review vendor assessment reports: request the evaluation documents for third-party services regarding MFA capabilities. Good evidence includes detailed assessments showing that vendors support and implement phishing-resistant MFA options.

Cross-framework mappings

How ISM-2011 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Relationship: Partially meets (1 mapping)

  • Annex A 8.5: ISM-2011 requires that when phishing-resistant MFA is used by user accounts, other non-phishing-resistant MFA options are disabled for th...

E8

Relationship: Supports (5 mappings)

  • E8-MF-ML1.7: E8-MF-ML1.7 defines MFA as using two factors (something you have plus something you know, or possession unlocked by knowledge/biometrics).
  • E8-MF-ML2.3: ISM-2011 requires that where a user account uses phishing-resistant MFA, any weaker, non-phishing-resistant MFA options are disabled for ...
  • E8-MF-ML2.5: ISM-2011 requires that when phishing-resistant MFA is used by user accounts, any non-phishing-resistant MFA options are disabled for thos...
  • E8-MF-ML3.2: ISM-2011 requires that when phishing-resistant MFA is enabled for a user account, other non-phishing-resistant MFA options are disabled f...
  • E8-MF-ML3.3: E8-MF-ML3.3 requires that MFA for data repository access is phishing-resistant.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
