Skip to content
arrow_back
boltEssential 8

Multi-factor authentication

23 controls in this part of theEssential Eight mitigation strategies. Each control links to plain-English guidance, audit tips and cross-framework mappings.

E8-MF-ML1.1
Require multi-factor authentication for sensitive online services
E8-MF-ML1.2
Multi-factor authentication for third-party services handling sensitive data
E8-MF-ML1.3
Use multi-factor authentication for non-sensitive third-party services
E8-MF-ML1.4
Use multi-factor authentication for online services handling customer data
E8-MF-ML1.5
Multi-factor authentication for third-party services with sensitive customer data
E8-MF-ML1.6
Multi-factor authentication for customer access to online services handling sensitive data
E8-MF-ML1.7
Multi-factor authentication combines two factors like a device and a PIN
E8-MF-ML2.1
Multi-factor authentication for privileged users of systems
E8-MF-ML2.2
Use multi-factor authentication for unprivileged user access
E8-MF-ML2.3
Multi-factor authentication online services must be phishing-resistant
E8-MF-ML2.5
Multi-factor authentication used for system access is phishing-resistant
E8-MF-ML2.6
MFA success and failure events are centrally logged
E8-MF-ML2.7
Protect event logs from unauthorised changes
E8-MF-ML2.8
Timely analysis of event logs from internet-facing servers
E8-MF-ML2.9
Cybersecurity events are analysed to identify incidents timely
E8-MF-ML2.10
Report cyber security incidents to the Chief Information Security Officer promptly
E8-MF-ML2.11
Report cybersecurity incidents to ASD immediately
E8-MF-ML2.12
Cybersecurity incident response plan enacted after incident identification
E8-MF-ML3.1
Multi-factor authentication is used to authenticate users of data repositories
E8-MF-ML3.2
Phishing-resistant multi-factor authentication for online customer services
E8-MF-ML3.3
Phishing-resistant multi-factor authentication for data repositories
E8-MF-ML3.4
Analyse event logs from non-internet-facing servers timely to detect security events
E8-MF-ML3.5
Timely analysis of workstation event logs for cybersecurity events

Back to the full Essential Eight control list, or browse the complete control library.