ISM-1681

Multi-factor authentication is used to authenticate customers to online customer services that process, store or communicate sensitive customer data.

Topic: Multi-factor authentication
Applicable to: all

History

Dec 2023
Multi-factor authentication is used to authenticate customers to online customer services that process, store or communicate sensitive customer data.
The existing control relating to multi-factor authentication being used to authenticate users to online customer services, but users being able to opt out, was amended to remove the opt-out clause. This control was also reworded to reference customers authenticating to such services in order to access their own sensitive customer data.
Sep 2023
Multi-factor authentication is used by default to authenticate users to online customer services that process, store or communicate sensitive data, however, users may choose to opt out.
The existing control relating to an organisation’s non-organisational users using multi-factor authentication to authenticate to the organisation’s online services (but being able to opt out) was rewritten to clearly articulate the underlying intent. Specifically, the intent is the use of multi-factor authentication by users of online customer services (e.g. citizen-facing services) that process, store or communicate sensitive data (e.g. personally identifiable information), and not, for example, non-organisational users, such as contractors and service providers, opting out of using multi-factor authentication for remote access to an organisation they are supporting.
Jun 2023
Multi-factor authentication is enabled by default for an organisation’s non-organisational users (but users can choose to opt out) if they authenticate to the organisation’s internet-facing services.
A minor grammatical change was made to an existing control relating to multi-factor authentication being enabled by default for an organisation’s non-organisational users if they authenticate to the organisation’s internet-facing services.