In November 2023, the Australian Signal's Directorate (ASD) updated the Essential Eight Maturity Model. We break down the key aspects of Essential Eight and explain the changes specifically relating to Multi-factor authentication.
MFA Changes Essential Eight (November 2023)
The summary of the changes to the Essential Eight maturity levels in relation to Multi-Factor Authentication (MFA) is as follows:
- Revision of MFA Standards in Maturity Level One: Initially, Maturity Level One did not specify the types of authentication factors for MFA, leading to the use of weaker forms like biometrics, security questions, or 'Trusted Signals'. These forms are not recognized as valid in standards. Now, a new standard has been introduced at this level, requiring MFA to include 'something users have' and 'something users know,' thus enhancing security.
- Enforcement of MFA for Sensitive Customer Data Web Portals: Organizations are now required to enforce MFA for web portals storing sensitive customer data, such as personal, health, or identity-related information. This change, affecting Maturity Level One through Maturity Level Three, addresses ongoing attacks on password-only systems. It amends previous requirements that allowed customers to opt out of MFA in favor of weaker password authentication.
- Adoption of Phishing-Resistant MFA Options: The option for phishing-resistant MFA is now provided for customers at lower maturity levels, while its use is mandatory at higher maturity levels. This approach is a response to the rise in attacks against weaker MFA implementations and is aimed at enhancing security across all maturity levels.
- Increased Emphasis on Phishing-Resistant MFA in Maturity Level Two: Maturity Level Two now requires the adoption of phishing-resistant MFA, in line with international standards like FIDO2/WebAuthn. This change addresses the vulnerability of weaker MFA methods to real-time phishing and social engineering attacks.
- Requirement for Phishing-Resistant MFA for Workstation Authentication: At Maturity Levels Two and Three, there is a new requirement for users to authenticate to their workstations using phishing-resistant MFA methods, such as smart cards, security keys, or Windows Hello for Business. This change aims to further bolster cybersecurity measures in the workplace.
These updates reflect a shift towards more stringent and effective MFA practices to counteract the evolving landscape of cybersecurity threats.
Changes by maturity level for MFA
Maturity Level One
- Multi-Factor Authentication for sensitive customer data: Eliminating the option for customers to easily bypass the use of multi-factor authentication in online services that handle sensitive customer data.
- This means customers need to be enrolled and not opt out of MFA.
- Explicit definition Multi-Factor Authentication: Introducing a mandate for multi-factor authentication to employ either a combination of something users possess and something they know or something users possess that is activated by either something they know or an inherent characteristic they have.
- This excludes weak forms of "pseudo" MFA options like "trusted" device signals or behavioral biometrics
Maturity Level Two
- Multi-Factor Authentication for Online Customer Services: The previous option allowing customers to opt out of using MFA for online services that process, store, or communicate sensitive data has been removed. All such services must now implement MFA.
- MFA for Device Access by Unprivileged Users: A new requirement mandates the use of MFA for unprivileged users to authenticate to their devices, enhancing device-level security.
- Phishing-Resistant MFA for Online Services: MFA used in authenticating users of online services must now be resistant to phishing attacks.
- Phishing-Resistant MFA Option for Customers: Online customer services must provide a phishing-resistant MFA option for customer authentication.
- Phishing-Resistant MFA for System Access: MFA used for authenticating users to their systems must also be phishing-resistant.
Maturity Level Three
- Mandatory Multi-Factor Authentication for Online Customer Services: The option for customers to bypass multi-factor authentication in online services managing sensitive data has been eliminated. Now, MFA is compulsory for such services.
- Multi-Factor Authentication for Unprivileged User Device Access: A new rule requires the use of multi-factor authentication for unprivileged users to gain access to their devices.
- Expanded Multi-Factor Authentication for All Data Repositories: The implementation of multi-factor authentication has been expanded from just important data repositories to all data repositories. While this is now a universal requirement, prioritizing important data repositories is still recommended.
A welcomed advancement
The ASD's MFA pillar updates are a welcomed advancement and recognize the prevalence of phishing-resistant MFA factors like FIDO2/WebAuthn Passkeys.
The shift towards more deterministic measures like phishing-resistant passkeys away from probabilistic factors like trusted signals and weak forms of authentication like PINs/passwords, is also a major step change, giving clarity for anyone looking to align their security programs and postures to the Essential Eight.
Authsignal can help to rapidly help your organization meet Essential Eight compliance with our drop-in solutions, so please drop us a line or create a test account to get started.