Essential 8 - Multi-factor authentication.
Multi-Factor Authentication (MFA) adds security prompts after users submit their login credentials to verify each login and thwart cybercriminals.
As one of the simplest yet most effective security measures, MFA requires multiple credential layers, making unauthorized access significantly harder.
Essential 8 Maturity Level 2 Controls and our Solution.
Multi-factor authentication is used to authenticate users to third-party online services that process, store or communicate their organisation’s sensitive data.
Multi-factor authentication (where available) is used to authenticate users to third-party online services that process, store or communicate their organisation’s non-sensitive data.
Multi-factor authentication is used to authenticate users to third-party online customer services that process, store or communicate their organisation’s sensitive customer data.
Multi-factor authentication is used to authenticate users to their organisation’s online services that process, store or communicate their organisation’s sensitive data.
MFA is used to authenticate privileged users of systems.
MFA is used to authenticate unprivileged users of systems.
Multi-factor authentication uses either: something users have and something users know, or something users have that is unlocked by something users know or are.
MFA used for authenticating users of online services is phishing-resistant.
Multi-factor authentication used for authenticating customers of online customer services provides a phishing-resistant option.
MFA used for authenticating users of systems is phishing-resistant.
Multi-factor authentication is used to authenticate users to their organisation’s online customer services that process, store or communicate their organisation’s sensitive customer data.
Multi-factor authentication is used to authenticate customers to online customer services that process, store or communicate sensitive customer data.
Successful and unsuccessful multi-factor authentication events are centrally logged.
Event logs are protected from unauthorised modification and deletion.
Event logs from internet-facing servers are analysed in a timely manner to detect cyber security events.
Cyber security events are analysed in a timely manner to identify cyber security incidents.
Cyber security incidents are reported to the Chief Information Security Officer, or one of their delegates, as soon as possible after they occur or are discovered.
Cyber security incidents are reported to ASD as soon as possible after they occur or are discovered.
Following the identification of a cyber security incident, the cyber security incident response plan is enacted.
Deliver Maturity Level 2 mandated MFA controls.
Few agencies are able to implement Essential 8 Maturity Level 2 MFA controls for external users of online systems. With our Application Protection solution, external users can be redirected via a WAF MFA page for compliant authentication.