MFA is applied to internet-facing services, to cloud services that store sensitive data, and to privileged users. Phishing-resistant methods are used where possible.
Essential Eight · Control 07 of 08
Multi-factor authentication
Requiring something more than a password to log in (a code, a key, an app).
Why this control matters
Password theft via phishing remains the most common way businesses are compromised. MFA forces the attacker to steal something they can't just type into a fake login page. It's the single highest-impact control to deploy, and the one most businesses already have partially deployed (which is worse than fully deployed, because it creates false confidence).
The three maturity levels
Multi-factor authentication at Essential Eight ML1, ML2 and ML3.
These are the published ACSC requirements for this specific control at each maturity level. Your overall Essential Eight maturity is scored against your weakest control, not averaged, so a gap here pulls down the whole score.
MFA is applied to all users accessing important data. MFA uses phishing-resistant methods (FIDO2 keys, certificates, or equivalent). MFA events are logged.
MFA is phishing-resistant for all users accessing important data. MFA logs are monitored centrally. The possession factor (key or device) cannot be used on its own; it must be unlocked by something the user knows or is (a PIN or biometric).
Not sure which level you should aim for?
The three-question picker on the Essential Eight hub will point you at the right target based on your regulatory position and the kind of data you hold.
Take the maturity picker
How we run it
The way CCP implements multi-factor authentication for clients.
We deploy the strongest factor each account can support: FIDO2 security keys (phishing-resistant) for privileged accounts, and Microsoft Authenticator with number matching as the baseline for everyone else. Number matching stops blind push approval, but it is not phishing-resistant in the ACSC sense (a real-time phishing proxy can still relay the prompt), so it is a stepping stone to FIDO2 or certificate-based methods, not the end state. SMS is retired as a factor. Conditional Access policies require MFA from unmanaged devices and untrusted locations. MFA events are logged centrally, and we review failed MFA challenges as a detection signal, not just as a support ticket: a burst of denied prompts against one account usually means someone already holds a valid password for it.
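The failed-challenge review described above, as an added example (this is not CCP's tooling and not code from the page): a small detector that walks constructed sign-in records, raises an alert when one account is hit with a burst of denied MFA prompts inside a sliding window, and raises a second, higher-severity alert if a successful sign-in follows that burst, which is the moment a push-fatigue attack pays off. The records are modelled loosely on Microsoft Entra ID sign-in log fields; the field names and the error code 500121 (taken here to mean a failed or denied strong-authentication request) are assumptions about that schema, not verified against a live tenant, so map them to your own log source before use.

```python
"""
MFA-fatigue (push bombing) detection over sign-in log records.

Added example, not CCP's own tooling. The records are constructed and
modelled loosely on Microsoft Entra ID sign-in log fields; the field names
and error code 500121 (assumed: "authentication failed during strong
authentication request") are assumptions, not verified against a tenant.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

MFA_FAILED_CODE = 500121          # assumed: MFA challenge denied or failed
WINDOW = timedelta(minutes=10)    # sliding window per user
THRESHOLD = 5                     # failed challenges in WINDOW that make a burst
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample: bob has two isolated failures (benign), alice is
# bombed with six pushes and then approves one, carol cancels once.
SAMPLE_LOG = """
{"createdDateTime":"2024-05-01T01:00:00Z","userPrincipalName":"bob@example.com","ipAddress":"198.51.100.7","status":{"errorCode":500121}}
{"createdDateTime":"2024-05-01T01:30:00Z","userPrincipalName":"bob@example.com","ipAddress":"198.51.100.7","status":{"errorCode":500121}}
{"createdDateTime":"2024-05-01T02:00:00Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","status":{"errorCode":500121}}
{"createdDateTime":"2024-05-01T02:01:00Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","status":{"errorCode":500121}}
{"createdDateTime":"2024-05-01T02:03:00Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","status":{"errorCode":500121}}
{"createdDateTime":"2024-05-01T02:05:00Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","status":{"errorCode":500121}}
{"createdDateTime":"2024-05-01T02:07:00Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","status":{"errorCode":500121}}
{"createdDateTime":"2024-05-01T02:08:00Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","status":{"errorCode":500121}}
{"createdDateTime":"2024-05-01T02:09:00Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"createdDateTime":"2024-05-01T03:00:00Z","userPrincipalName":"carol@example.com","ipAddress":"192.0.2.44","status":{"errorCode":500121}}
{"createdDateTime":"2024-05-01T03:01:00Z","userPrincipalName":"carol@example.com","ipAddress":"192.0.2.44","status":{"errorCode":0}}
"""


def parse_log(text):
    """One JSON object per line -> records sorted by time (_ts as datetime)."""
    records = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["_ts"] = datetime.strptime(rec["createdDateTime"], TS_FMT)
        records.append(rec)
    records.sort(key=lambda r: r["_ts"])
    return records


def detect_mfa_fatigue(records, threshold=THRESHOLD, window=WINDOW):
    """Return alerts in time order.

    mfa_fatigue:          >= threshold failed challenges for one user inside window
    approved_after_burst: a successful sign-in within window of that burst, i.e.
                          the user (or a relaying attacker) finally approved
    """
    failures = defaultdict(deque)   # user -> deque of (ts, ip) failures inside window
    open_bursts = {}                # user -> (burst ts, ips) until success or expiry
    alerts = []
    for rec in records:
        user, ts, ip = rec["userPrincipalName"], rec["_ts"], rec.get("ipAddress")
        code = rec.get("status", {}).get("errorCode", 0)

        # Expire state older than the window for this user.
        q = failures[user]
        while q and ts - q[0][0] > window:
            q.popleft()
        if user in open_bursts and ts - open_bursts[user][0] > window:
            del open_bursts[user]

        if code == MFA_FAILED_CODE:
            q.append((ts, ip))
            if len(q) >= threshold and user not in open_bursts:
                ips = sorted({i for _, i in q if i})
                open_bursts[user] = (ts, set(ips))
                alerts.append({
                    "type": "mfa_fatigue", "user": user, "failures": len(q),
                    "first_seen": q[0][0].strftime(TS_FMT),
                    "last_seen": ts.strftime(TS_FMT), "source_ips": ips,
                })
        elif code == 0 and user in open_bursts:
            burst_ts, burst_ips = open_bursts.pop(user)
            alerts.append({
                "type": "approved_after_burst", "user": user,
                "approved_at": ts.strftime(TS_FMT), "ip": ip,
                "ip_seen_in_burst": ip in burst_ips,
                "seconds_after_burst": int((ts - burst_ts).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_log(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Two design points worth carrying into a real rule: the burst alert fires once per window rather than on every additional denial, so a bombed account produces one ticket, not fifty; and the success-after-burst alert records whether the approving sign-in came from an IP seen in the burst, which separates "the attacker's session was approved" from "the user logged in legitimately from the office afterwards". Two failures half an hour apart (bob) and a single cancelled prompt (carol) produce nothing, which is the noise floor you want from a help-desk-adjacent signal.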
Free self-assessment
No email required.
Score yourself on all eight controls, get a branded PDF.
Eight questions, your estimated Essential Eight maturity level, and a branded PDF report you can share with your board, insurer, broker or auditor. Runs entirely in your browser. Nothing is sent to us unless you choose to book a call.
Take the self-assessment
Common questions
What people actually ask about multi-factor authentication.
- We already have MFA on email. Isn't that enough?
- No. Email is where MFA started, but the attack surface is broader: admin consoles, VPN, remote-desktop gateways, cloud apps, file-sharing services. Partial MFA is worse than full MFA because it creates false confidence. The attacker just pivots to the account without MFA.
- What about SMS codes? Those are still common.
- SMS codes are deprecated as an MFA factor in the current ACSC Maturity Model, and NIST SP 800-63B classes one-time codes delivered over the phone network as a restricted authenticator. SIM-swap fraud against Australian mobile accounts is well established, and it hands the attacker your second factor without ever touching your phone. We migrate off SMS as part of every MFA rollout.
- Our staff hate MFA prompts. What can you do?
- We tune Conditional Access so trusted, compliant devices on the corporate network are not prompted on every session, only when the risk signals change (a new device, an unfamiliar location, elevated sign-in risk). That typically brings prompts down to a few a week per user. Number matching and FIDO2 keys are also quicker than typing a six-digit code. Users adjust within the first week.
- What happens if someone loses their MFA device?
- We run an identity-verified recovery process: a scheduled call to their known number, a validated ID check through their manager, and a Temporary Access Pass to re-enrol a new device. It's the same process whether you lose your phone on holiday or your FIDO key in the car park. No bypassing MFA 'just this once'.
Related controls
Related Essential Eight controls that work alongside this one.
Control 05
Restrict administrative privileges
Making sure only the people who need admin rights have them, and only when they need them.
Read the control
Control 08
Regular backups
Keeping copies of your important data somewhere safe, and regularly testing that you can actually restore them.
Read the control
Control 04
User application hardening
Turning off features in web browsers and Office that attackers commonly abuse.
Read the control
These ML1 / ML2 / ML3 summaries distil the ACSC's published Essential Eight Maturity Model. For the full, authoritative text, see the ACSC Essential Eight Maturity Model.
The qualifier
Let's see if we're a fit.
Seven questions, one moment of your time. We'd rather tell you now than three months in.