Essential Eight: Understanding Phishing-Resistant MFA Updates - Authsignal

In November 2023, the Australian Signal's Directorate (ASD) updated the Essential Eight Maturity Model. We break down the key aspects of Essential Eight and explain the changes specifically relating to Multi-factor authentication.

‍

MFA Changes Essential Eight

The summary of the changes to the Essential Eight maturity levels in relation to Multi-Factor Authentication (MFA) is as follows:

1. Revision of MFA Standards in Maturity Level One: Initially, Maturity Level One did not specify the types of authentication factors for MFA, leading to the use of weaker forms like biometrics, security questions, or 'Trusted Signals.' These forms are not recognized as valid by standards. A new standard has been introduced at this level, requiring MFA to include 'something users have' and 'something users know,' thus enhancing security.
2. Enforcement of MFA for Sensitive Customer Data Web Portals: Organizations must now enforce MFA for web portals storing sensitive customer data, such as personal, health, or identity-related information. This change, affecting Maturity Level One through Maturity Level Three, addresses ongoing attacks on password-only systems. It amends previous requirements that allowed customers to opt out of MFA in favor of weaker password authentication.
3. Adoption of Phishing-Resistant MFA Options: The option for phishing-resistant MFA is now provided for customers at lower maturity levels, while its use is mandatory at higher maturity levels. This approach is a response to the rise in attacks against weaker MFA implementations and aims to enhance security across all maturity levels.
4. Increased Emphasis on Phishing-Resistant MFA in Maturity Level Two: Maturity Level Two now requires the adoption of phishing-resistant MFA, in line with international standards like FIDO2/WebAuthn. This change addresses the vulnerability of weaker MFA methods to real-time phishing and social engineering attacks.
5. Requirement for Phishing-Resistant MFA for Workstation Authentication: At Maturity Levels Two and Three, there is a new requirement for users to authenticate to their workstations using phishing-resistant MFA methods, such as smart cards, security keys, or Windows Hello for Business. This change aims to further bolster cybersecurity measures in the workplace.

These updates reflect a shift towards more stringent and effective MFA practices to counteract the evolving landscape of cybersecurity threats.

‍

Changes by maturity level for MFA

Maturity Level One

1. Multi-Factor Authentication for sensitive customer data: Eliminating the option for customers to easily bypass multi-factor authentication in online services that handle sensitive customer data.
   1. This means customers need to be enrolled and not opt out of MFA.
2. Explicit definition Multi-Factor Authentication: Introducing a mandate for multi-factor authentication to employ either a combination of something users possess and something they know or something users possess that is activated by either something they know or an inherent characteristic they have.some text
   1. This excludes weak forms of "pseudo" MFA options like "trusted" device signals or behavioral biometrics