Essential Eight · Control 7

7. Multi-Factor Authentication

Last reviewed:

Require multi-factor authentication for users accessing systems, especially privileged accounts and internet-facing services.

Why this matters
Stolen or phished passwords are involved in the majority of Australian breaches, and a second factor that can itself be phished or relayed closes only part of that gap. Phishing-resistant factors (FIDO2, Windows Hello for Business, smart cards) become mandatory at ML2 for users of online services and systems, and extend to the rest of the fleet at ML3.

Maturity-level breakdown

Maturity Level 1
Multi-factor authentication is used to authenticate users to their organisation's online services that process, store, or communicate sensitive data. MFA is used to authenticate users of internet-facing services. MFA uses either: something users have and something users know; or something users have that is unlocked by something users know or are. A biometric on its own, or a biometric combined only with a password, does not satisfy this definition, because neither combination includes a possession factor. Any method that meets the definition, including SMS one-time codes, is technically compliant at ML1, since phishing-resistance is not required until ML2.
Maturity Level 2
Multi-factor authentication is phishing-resistant. MFA is used to authenticate privileged users of systems. MFA is used to authenticate users of data repositories. MFA is used to authenticate users to their organisation's online services that process, store, or communicate sensitive data — and to authenticate users when accessing their organisation's workstations.
Maturity Level 3
Phishing-resistant MFA is used to authenticate users of all internet-facing services. Phishing-resistant MFA is used to authenticate users when accessing all of their organisation's online services. Phishing-resistant MFA is used to authenticate users when accessing third-party online services. Successful and unsuccessful multi-factor authentication events are centrally logged.
EDUC4TE editorial note · applies to all maturity levels
EDUC4TE recommends phasing out SMS one-time codes at every maturity level, including ML1, where they are technically compliant. SMS OTP is exposed to SIM-swap attacks, and, like any one-time code the user types in, it can be captured and replayed within its validity window by an adversary-in-the-middle phishing proxy; these are the credential-theft techniques behind most Australian breaches. Phishing-resistant factors (FIDO2 hardware keys, Windows Hello for Business, smart cards) bind the authentication to the site's origin rather than to a code the user can be tricked into handing over. They are mandatory at ML2 and extend to the whole fleet at ML3, so deploying them now avoids a second migration when your maturity uplift reaches ML2.
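To show concretely what "phishing-resistant" means in the note above, the following Python example (added for this page; it is not EDUC4TE's or ASD's code) simulates an adversary-in-the-middle proxy against two second factors. The TOTP half is a standard RFC 6238 verifier; the FIDO2 half is a simplified WebAuthn-style assertion in which the browser, not the user, records the origin and derives the RP ID from it, and the server checks both. The seed, credential key, challenge and domains are constructed for the demo, and an HMAC over rpIdHash || clientDataHash stands in for the authenticator's ECDSA signature; the origin check is the part that matters.

```python
import hashlib
import hmac
import json
import struct
import time

# ---- Factor 1: a standard TOTP verifier (RFC 6238) ----
TOTP_SECRET = b"constructed-demo-seed-not-real"  # constructed user seed


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def otp_server_verify(submitted_code: str, now: int) -> bool:
    """Only checks that the code is valid for the current window. Nothing ties
    the code to the site the user typed it into, so a relayed code passes."""
    return hmac.compare_digest(submitted_code, totp(TOTP_SECRET, now))


def relay_otp_attack(now: int) -> bool:
    # Victim types the genuine code into the phishing page; the proxy forwards
    # it to the real server inside the same 30-second window.
    code_typed_on_phishing_page = totp(TOTP_SECRET, now)
    return otp_server_verify(code_typed_on_phishing_page, now)


# ---- Factor 2: an origin-bound, FIDO2/WebAuthn-style assertion ----
RP_ID = "example.com"                      # constructed relying-party domain
CRED_KEY = b"constructed-credential-key"   # stands in for the authenticator's private key


def browser_collect(origin: str, challenge: bytes) -> dict:
    """The browser fills in the origin it is actually on and derives the RP ID
    from it; a look-alike domain cannot request example.com's credential."""
    host = origin.split("://", 1)[1]
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
        sort_keys=True)
    return {"rp_id": host, "client_data": client_data}


def authenticator_sign(rp_id: str, client_data: str) -> dict:
    """Signs rpIdHash || clientDataHash (HMAC here instead of ECDSA)."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    cd_hash = hashlib.sha256(client_data.encode()).digest()
    sig = hmac.new(CRED_KEY, rp_id_hash + cd_hash, hashlib.sha256).digest()
    return {"rp_id_hash": rp_id_hash, "client_data": client_data, "sig": sig}


def fido_server_verify(assertion: dict, challenge: bytes) -> bool:
    """Server side: origin and challenge must match, rpIdHash must be ours,
    and the signature must cover exactly those values."""
    cd = json.loads(assertion["client_data"])
    if cd["origin"] != f"https://{RP_ID}" or cd["challenge"] != challenge.hex():
        return False
    if assertion["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    cd_hash = hashlib.sha256(assertion["client_data"].encode()).digest()
    expected = hmac.new(CRED_KEY, assertion["rp_id_hash"] + cd_hash, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])


def fido_login(origin: str, challenge: bytes) -> bool:
    """Full flow: server challenge -> browser at `origin` -> authenticator -> server."""
    req = browser_collect(origin, challenge)
    return fido_server_verify(authenticator_sign(req["rp_id"], req["client_data"]), challenge)


def relay_fido_attack(challenge: bytes) -> bool:
    # Same proxy, same server challenge: the victim's browser is on the
    # look-alike domain, so the assertion names that origin and RP ID.
    return fido_login("https://login-example.com", challenge)


if __name__ == "__main__":
    now = int(time.time())
    print("OTP relay accepted:", relay_otp_attack(now))                       # True
    print("FIDO legitimate login:", fido_login(f"https://{RP_ID}", b"\x01" * 32))  # True
    print("FIDO relay accepted:", relay_fido_attack(b"\x02" * 32))            # False
```

The relayed TOTP is accepted because the verifier has no way to know which site the user was looking at; the relayed assertion is rejected because the origin and RP ID are written into the signed data by the browser and checked by the server. That binding, not the hardware key itself, is what makes the ML2 factor phishing-resistant.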

Common gaps we see at ML2 assessments

  • MFA enforced for users but not service accounts
  • No workstation-logon MFA at ML2 (required by ASD)
  • Phishing-resistant factors only deployed to IT staff, not all privileged users
EDUC4TE has helped Australian organisations close these specific gaps — see the IRAP readiness guidance →
ASD official guidance
Mapped ISM controls
ISM-1173 · ISM-1384 · ISM-1504