A.8.5 Secure Authentication
What is this control?
ISO 27001 control A.8.5 Secure Authentication enforces secure authentication across the organisation by prohibiting single-factor, password-only authentication. The control implements tiered multi-factor authentication: administrators use phishing-resistant methods (FIDO2, Windows Hello for Business, and certificate-based authentication), while standard users use strong MFA methods (Microsoft Authenticator and Windows Hello). Legacy authentication protocols are blocked and weak authentication methods are disabled.
How to implement in Microsoft 365
Implement A.8.5 by enabling Conditional Access MFA policies that require MFA for all users, with a target coverage of 95% or higher. Implement phishing-resistant MFA for administrators by configuring Authentication Strengths that require FIDO2, Windows Hello, or certificate-based authentication for administrator roles. Deploy Windows Hello for Business via Intune on all Windows devices as the primary authentication method.
Block legacy authentication by creating a Conditional Access policy with the Client apps condition set to Legacy authentication clients and the access control set to Block. Disable weak authentication methods in Entra ID by disabling SMS, Voice, and Email OTP, and enable FIDO2, Microsoft Authenticator, and Windows Hello.
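The following Microsoft Graph PowerShell script is an added example, not code from the original page or from Microsoft, that applies the settings described above in one pass: a legacy-authentication block policy, an MFA-for-all-users policy, a phishing-resistant authentication-strength policy for the Global Administrator role, and the weak/strong authentication method states. It assumes the Microsoft.Graph module is installed and that the signed-in account holds the listed Graph permissions. The policy display names are assumptions; the built-in "Phishing-resistant MFA" strength id and the Global Administrator role template id are Microsoft's well-known values. Windows Hello for Business deployment is done in Intune and is not covered here.

```powershell
# Added example (not from the original page): configure the A.8.5 controls
# with Microsoft Graph PowerShell. Policies are created in report-only mode so
# their impact can be reviewed in sign-in logs before switching to "enabled".
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess",
                        "Policy.ReadWrite.AuthenticationMethod",
                        "Application.Read.All"

# 1. Block legacy authentication. The client app types "exchangeActiveSync"
#    and "other" are the legacy protocols that cannot perform MFA.
$blockLegacy = @{
    displayName = "A.8.5 - Block legacy authentication"   # assumed name
    state       = "enabledForReportingButNotEnabled"      # set "enabled" after review
    conditions  = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# 2. Require MFA for all users on all cloud apps (standard-user tier).
$requireMfa = @{
    displayName = "A.8.5 - Require MFA for all users"     # assumed name
    state       = "enabledForReportingButNotEnabled"
    conditions  = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# 3. Require phishing-resistant MFA for administrators via an authentication
#    strength. Extend includeRoles with the other privileged roles in scope.
$phishingResistantStrengthId = "00000000-0000-0000-0000-000000000004"  # built-in strength
$globalAdminRoleTemplateId   = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator
$adminStrength = @{
    displayName = "A.8.5 - Phishing-resistant MFA for admins"  # assumed name
    state       = "enabledForReportingButNotEnabled"
    conditions  = @{
        users          = @{ includeRoles = @($globalAdminRoleTemplateId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $phishingResistantStrengthId }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminStrength

# 4. Disable the weak methods and enable the strong ones. Confirm that users
#    are already registered for a strong method before disabling SMS/Voice,
#    otherwise they lose their only second factor.
$allUsersTarget = @(@{ targetType = "group"; id = "all_users"; isRegistrationRequired = $false })
$methodStates = @(
    @{ id = "Sms";                    type = "#microsoft.graph.smsAuthenticationMethodConfiguration";                    state = "disabled" },
    @{ id = "Voice";                  type = "#microsoft.graph.voiceAuthenticationMethodConfiguration";                  state = "disabled" },
    @{ id = "Email";                  type = "#microsoft.graph.emailAuthenticationMethodConfiguration";                  state = "disabled" },
    @{ id = "Fido2";                  type = "#microsoft.graph.fido2AuthenticationMethodConfiguration";                  state = "enabled" },
    @{ id = "MicrosoftAuthenticator"; type = "#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration"; state = "enabled" }
)
foreach ($m in $methodStates) {
    $body = @{ "@odata.type" = $m.type; state = $m.state }
    if ($m.state -eq "enabled") { $body.includeTargets = $allUsersTarget }
    Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
        -AuthenticationMethodConfigurationId $m.id -BodyParameter $body
}
```

Run it once against a test tenant, review the report-only results under Sign-in logs > Report-only, and only then change `state` to `enabled`. Exclude a break-glass account from the block and MFA policies before enforcing them.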
What an auditor looks for
Auditors will verify that at least one Conditional Access policy enforces MFA with 95% or higher user coverage. They will check that the SMS and Voice authentication methods are disabled. Auditors will verify that FIDO2, Windows Hello for Business, and Microsoft Authenticator are enabled.
They will check that phishing-resistant MFA is required for administrators. Auditors will verify that a legacy authentication blocking policy is active, with the legacy authentication client-app condition and the access control set to Block. They will check that a Terms of Use policy is deployed and linked to Conditional Access.
Auditors will verify sign-in logs are actively collecting recent events.
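As an added example (not from the original page), this read-only Microsoft Graph PowerShell check produces the evidence an auditor asks for in this section: an enabled MFA policy for all users, an enabled legacy-authentication block, a phishing-resistant strength policy, SMS/Voice disabled, FIDO2 and Authenticator enabled, and fresh sign-in log events. It assumes the Microsoft.Graph module and the listed read permissions; the check names and the 24-hour freshness window are assumptions.

```powershell
# Added example (not from the original page): collect A.8.5 audit evidence.
Connect-MgGraph -Scopes "Policy.Read.All", "AuditLog.Read.All"

function Get-A85Evidence {
    $policies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object State -eq "enabled"

    # Legacy auth is blocked when an enabled policy targets the legacy client
    # app types and grants "block".
    $legacyBlocked = $policies | Where-Object {
        $_.Conditions.ClientAppTypes -contains "other" -and
        $_.GrantControls.BuiltInControls -contains "block"
    }
    # MFA for all users: scope includes "All" and the grant is mfa or a strength.
    $mfaAll = $policies | Where-Object {
        $_.Conditions.Users.IncludeUsers -contains "All" -and
        ($_.GrantControls.BuiltInControls -contains "mfa" -or $_.GrantControls.AuthenticationStrength.Id)
    }
    # Admin tier: a role-scoped policy that grants an authentication strength.
    $adminStrength = $policies | Where-Object {
        $_.Conditions.Users.IncludeRoles.Count -gt 0 -and $_.GrantControls.AuthenticationStrength.Id
    }

    $methodState = @{}
    foreach ($id in "Sms", "Voice", "Email", "Fido2", "MicrosoftAuthenticator") {
        $cfg = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
                   -AuthenticationMethodConfigurationId $id
        $methodState[$id] = $cfg.State
    }

    # Sign-in log collection is "active" if the newest event is recent (assumed 24h).
    $latest = Get-MgAuditLogSignIn -Top 1 | Select-Object -ExpandProperty CreatedDateTime
    $logsFresh = $latest -and ($latest -gt (Get-Date).AddHours(-24))

    [PSCustomObject]@{
        LegacyAuthBlocked        = [bool]$legacyBlocked
        MfaRequiredForAllUsers   = [bool]$mfaAll
        AdminAuthStrengthPolicy  = [bool]$adminStrength
        SmsDisabled              = $methodState["Sms"]   -eq "disabled"
        VoiceDisabled            = $methodState["Voice"] -eq "disabled"
        EmailOtpDisabled         = $methodState["Email"] -eq "disabled"
        Fido2Enabled             = $methodState["Fido2"] -eq "enabled"
        AuthenticatorEnabled     = $methodState["MicrosoftAuthenticator"] -eq "enabled"
        SignInLogsCurrent        = $logsFresh
    }
}

Get-A85Evidence | Format-List
```

Every property should read True; a False value points at the specific control gap to remediate. Export the object with `Export-Csv` alongside the policy JSON as the evidence artifact for the audit file.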
M365 capabilities that implement this control
CIS M365 v6.0.1 authentication hardening: device code flow, enrollment frequency, authenticator settings, email OTP, session controls
Conditional Access policies for standard users (MFA, device compliance, guest access, risk-based controls)
Strategic credential roadmap covering FIDO2 keys, Windows Hello for Business, Authenticator passwordless methods, and password elimination