ASD updates Essential Eight, strengthens phishing-resistant MFA requirements
The Australian Signals Directorate (ASD) has recently updated the Essential Eight Maturity Model, according to Yubico, a maker of hardware authentication security keys. The changes include stronger phishing-resistant multi-factor authentication (MFA) requirements for organisations at a lower maturity level (Maturity Level Two), which Yubico describes as a welcome development in breach prevention.
Originally crafted by the ASD in 2017, the Essential Eight Maturity Model features strategic mitigations to fend off cyber threats, with the Essential Eight being the most effective. Updates are made regularly, drawing from the ASD's cyber threat responses, penetration testing experiences, and global partnerships.
Geoff Schomburgk, Yubico's Regional Vice President, Asia Pacific & Japan (APJ), tied these modifications to the Federal Government's recently unveiled Cyber Security Strategy 2023-2030. The revisions extend the phishing-resistant MFA requirements to Maturity Level 2 (ML2), rather than applying them only at Maturity Level 3 (ML3).
"The Essential Eight is a fantastic framework of how organisations can better protect themselves against cyber breaches. The recent changes made by the ASD are very welcome and raise the bar for more organisations to adopt phishing-resistant MFA," explained Schomburgk. He also recognised the importance of this shift towards MFA adoption and how it aids in safeguarding the digital identities of customers and individuals nationwide.
However, the Commonwealth Cyber Security Posture 2023 report paints a concerning picture, revealing that only 53% of Federal Government agencies complied with the old ML2. Under the updated requirements, unless immediate action is taken, this figure is set to plummet. Weaker MFA methods such as SMS codes or mobile authentication have proven vulnerable to phishing attacks and will no longer satisfy ML2. Modern phishing-resistant MFA methods, built on hardware-bound passkeys, are now the more secure alternative.
Passkeys, or discoverable FIDO credentials, provide passwordless authentication through cryptographic keys stored on the user's security key, phone or computer. Although not a new technology, hardware-bound passkeys such as those held on YubiKeys cannot be copied off the device and offer a fresh approach to existing FIDO authentication.
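The reason a FIDO passkey resists phishing is that the browser writes the origin it is really connected to into the signed client data, so an assertion captured on a look-alike site is rejected by the genuine relying party. The following is an added, simplified Go model of that check (it is not Yubico's or the ASD's code, and omits CBOR, attestation and the browser's RP ID policy); the relying-party and authenticator names and the "bank.example" values are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// Constructed, simplified WebAuthn assertion model: authData = rpIdHash||flags||signCount,
// signature over authData || SHA-256(clientDataJSON). CBOR, attestation and user handles omitted.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
type Assertion struct{ AuthData, ClientDataJSON, Sig []byte }

// NewCredential stands in for registration: a per-site P-256 key pair whose private half
// never leaves the authenticator (a hardware-bound passkey cannot be exported or copied).
func NewCredential() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// AuthenticatorSign models browser + authenticator. The browser, not the user, writes the
// origin it is actually connected to into clientDataJSON, so an assertion produced on a
// look-alike site carries that site's origin and is useless when relayed to the real one.
func AuthenticatorSign(priv *ecdsa.PrivateKey, rpID, browserOrigin, challenge string) (Assertion, error) {
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; signCount = 1
	cd, _ := json.Marshal(clientData{"webauthn.get", challenge, browserOrigin})
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return Assertion{authData, cd, sig}, err
}

// VerifyAssertion is the relying-party check: type, origin, fresh challenge, RP ID hash
// and signature must all match before the login is accepted.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, expectedOrigin, challenge string, a Assertion) bool {
	var cd clientData
	rpHash := sha256.Sum256([]byte(rpID))
	if json.Unmarshal(a.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get" ||
		cd.Origin != expectedOrigin || cd.Challenge != challenge ||
		len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], rpHash[:]) {
		return false
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	return ecdsa.VerifyASN1(pub, digest[:], a.Sig)
}
```

An SMS or app-approval code carries no origin binding, which is why it can be relayed from a phishing page to the real site while an assertion from this flow cannot.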
Schomburgk highlighted the extension of phishing-resistant MFA requirements in the Essential Eight to cover both Maturity Level 2 and 3, as well as online customer services. Online customer services such as online banking, telecoms, and utilities are now included in the Essential Eight, helping to better protect more individuals. Major e-commerce platforms like eBay, Amazon, and PayPal already support passkeys.
The Transcending Passwords: The Next Generation of Authentication report states that organisations using FIDO-based passwordless authentication technologies can significantly reduce their risk of phishing attacks and cut authentication times by up to 75%. A majority of businesses surveyed (82%) have already suffered breaches, including compromised credentials and successful phishing attacks, with 68% attributing this to employees violating corporate password policies. Most IT managers surveyed stated that adopting passwordless authentication could prevent the majority of breaches.
"We're thrilled about the recent changes to the Essential Eight and hope more organisations and individuals make the recommended changes so that the internet can be safer for everyone", concluded Schomburgk.