Part 7 of our comprehensive Essential Eight cybersecurity series for Australian businesses.
The Password Problem
Passwords alone are no longer sufficient to protect your organization. With billions of stolen credentials available on the dark web, sophisticated phishing attacks, and automated password-guessing tools, relying solely on passwords is an invitation for compromise.
Multi-Factor Authentication (MFA) addresses this fundamental weakness.
What is Multi-Factor Authentication?
MFA requires users to present two or more verification factors of different types to access a resource:
1. Something you know – password, PIN
2. Something you have – phone, security key, smart card
3. Something you are – fingerprint, face recognition
Because the factors are independent, a stolen password alone is not enough for an attacker to gain access. Two factors of the same type (a password plus a security question, for example) are not MFA.
Why MFA is Essential
The Statistics
- Microsoft reports that MFA blocks more than 99.9% of automated account-compromise attacks
- 80% of breaches involve compromised credentials
- Phishing attacks increased by 61% in 2023
Common Attack Vectors Mitigated
- Credential stuffing: automated replay of username/password pairs stolen from other breaches
- Phishing: tricking users into revealing passwords (a one-time code can be phished and relayed in real time too, so only phishing-resistant methods close this gap fully)
- Brute force: automated password guessing against a single account
- Password spraying: trying a few common passwords across many accounts to stay under lockout thresholds
- Keylogging: malware capturing typed passwords, which is useless against a code that expires after one use
Maturity Levels for MFA
Maturity Level One
- MFA for remote access (VPN, RDP, cloud services)
- MFA for privileged users (administrators)
- MFA for third-party access
Maturity Level Two
- MFA for all users accessing internet-facing services
- MFA for all privileged access, including on-premises
- Phishing-resistant MFA methods for privileged accounts
- Successful and unsuccessful MFA events centrally logged
Maturity Level Three
- MFA for all users and all services
- Phishing-resistant MFA only (FIDO2, smart cards)
- Continuous authentication and risk-based access policies
MFA Methods Compared
| Method | Security | Usability | Phishing Resistant |
|---|---|---|---|
| SMS codes | Low (SIM swapping, interception) | High | No |
| Email codes | Low | High | No |
| Authenticator apps (TOTP) | Medium | Medium | No |
| Push notifications | Medium | High | No (number matching counters push fatigue, not real-time relay) |
| Hardware security keys (FIDO2) | High | Medium | Yes |
| Smart cards | High | Low | Yes |
| Biometrics + device | High | High | Yes when the device acts as a FIDO2 platform authenticator (e.g. Windows Hello for Business); a biometric that merely unlocks an authenticator app is not |
Phishing-Resistant MFA
The ACSC increasingly recommends phishing-resistant MFA, especially for privileged access. These methods bind the credential to the site's origin through public-key cryptography, so a lookalike site never receives anything it can replay:
- FIDO2 security keys: YubiKey, Google Titan, Feitian
- Windows Hello for Business: platform authenticator built into the device
- Passkeys: FIDO2/WebAuthn credentials, either device-bound or synced through a platform account (a synced passkey is only as safe as the account that syncs it)
- Smart cards: traditional PKI-based authentication
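To make the "Phishing Resistant" column concrete, here is an added example written for this article, not code from the original page or from any vendor named above. It implements an RFC 6238 TOTP check with a one-step drift window, then a stripped-down WebAuthn assertion check (the origin, RP ID hash, challenge and ES256 signature checks; no attestation, counters, CBOR or COSE handling). The relying party name login.example.com.au, the phishing host evil.example, the fixed challenge and the shared secret (the RFC 6238 test key) are all constructed for the demo. A phished TOTP code forwarded by the attacker is accepted; a WebAuthn assertion produced on the phishing page carries that page's origin in clientDataJSON and is rejected even though the signature is genuine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// totp computes an RFC 6238 code (HMAC-SHA1, 30-second step, 6 digits) for a
// Unix time. Nothing in the code says where the user typed it.
func totp(secret []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(h[off:off+4])&0x7fffffff)%1000000)
}

// verifyTOTP accepts the current step or one step either side for clock drift.
// A code phished and relayed within that window is accepted like any other.
func verifyTOTP(secret []byte, code string, unixTime int64) bool {
	for _, skew := range []int64{-30, 0, 30} {
		if hmac.Equal([]byte(totp(secret, unixTime+skew)), []byte(code)) {
			return true
		}
	}
	return false
}

// clientData is the subset of WebAuthn clientDataJSON used here. The browser,
// not the page, writes the origin, and the authenticator signs its hash.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// sign plays the authenticator: signature over authenticatorData ||
// SHA-256(clientDataJSON), where authenticatorData starts with SHA-256(rpID).
func sign(priv *ecdsa.PrivateKey, rpID string, cd clientData) (authData, cdJSON, sig []byte) {
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], 0x01) // rpIdHash || flags (user present)
	cdJSON, _ = json.Marshal(cd)
	cdHash := sha256.Sum256(cdJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, _ = ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return
}

// verifyAssertion is the relying party's check: expected origin and RP ID,
// the challenge it issued, and a valid signature over exactly that data.
func verifyAssertion(pub *ecdsa.PublicKey, origin, rpID, challenge string, authData, cdJSON, sig []byte) bool {
	var cd clientData
	if json.Unmarshal(cdJSON, &cd) != nil || cd.Type != "webauthn.get" ||
		cd.Origin != origin || cd.Challenge != challenge {
		return false
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(authData) < 33 || !hmac.Equal(authData[:32], rpHash[:]) {
		return false
	}
	cdHash := sha256.Sum256(cdJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

type relayResult struct{ TOTPRelayed, WebAuthnLegit, WebAuthnRelayed bool }

// relayDemo runs a phishing page at evil.example against both methods.
func relayDemo() relayResult {
	var r relayResult
	secret := []byte("12345678901234567890") // constructed shared secret (RFC 6238 test key)
	now := int64(1700000000)
	code := totp(secret, now)                       // user types this into evil.example
	r.TOTPRelayed = verifyTOTP(secret, code, now+5) // attacker forwards it: accepted

	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	const rpID, origin, challenge = "login.example.com.au", "https://login.example.com.au", "Y29uc3RydWN0ZWQ"
	ad, cj, sig := sign(priv, rpID, clientData{"webauthn.get", challenge, origin})
	r.WebAuthnLegit = verifyAssertion(&priv.PublicKey, origin, rpID, challenge, ad, cj, sig)
	// On the phishing page the browser records origin evil.example (it would in
	// fact refuse to use a credential scoped to another RP ID at all); the
	// signature is genuine, but the relying party rejects the assertion.
	ad, cj, sig = sign(priv, rpID, clientData{"webauthn.get", challenge, "https://evil.example"})
	r.WebAuthnRelayed = verifyAssertion(&priv.PublicKey, origin, rpID, challenge, ad, cj, sig)
	return r
}

func main() {
	fmt.Printf("%+v\n", relayDemo()) // {TOTPRelayed:true WebAuthnLegit:true WebAuthnRelayed:false}
}
```

The point is in the last two checks of verifyAssertion: the origin comes from the browser and is covered by the signature, so the attacker can neither change it nor strip it, and a real FIDO2 server library performs the same comparison before it trusts the login.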
Implementation Strategy
Step 1: Prioritize High-Value Targets
Start with accounts that would cause the most damage if compromised:
1. Global administrators and IT staff
2. Finance and HR personnel
3. Executives and board members
4. Remote access users
5. All remaining users
Step 2: Choose Appropriate Methods
Select MFA methods based on:
- User population: technical comfort level
- Access patterns: mobile, remote, on-premises
- Risk level: standard users vs privileged access
- Integration requirements: existing systems and vendors
Step 3: User Communication and Training
MFA changes the user experience. Prepare users:
- Explain why MFA is being implemented
- Provide clear enrollment instructions
- Offer multiple enrollment sessions
- Establish support channels for issues
Step 4: Rollout Approach
- Pilot group: start with IT and early adopters
- Phased rollout: expand by department or location
- Enforcement: move from optional to required, and protect the enrollment step itself so that an attacker holding a stolen password cannot register their own device first
- Monitoring: track enrollment, login failures and MFA denials
Step 5: Emergency Access Procedures
Plan for MFA failures:
- Recovery codes: single-use backup codes, shown to the user once and stored server-side only as hashes
- Alternate contact methods: secondary phone/email for account recovery, remembering that this path is only as strong as the weakest method it reintroduces
- Admin override procedures: for genuine lockouts, with identity verification before any reset
- Break-glass accounts: emergency access with long random credentials kept offline, excluded from the conditional access policies that could lock them out, and alerting on every sign-in
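The recovery-code handling above is easy to get wrong (codes stored in plaintext, or reusable), so here is an added example written for this article, not code from the original page or any identity product. It is a small Go store in which each code is 80 random bits, the server keeps only SHA-256 hashes (acceptable here because the codes are random, unlike user-chosen passwords), comparison is constant-time across all unused hashes, and a code is deleted on first use. The user name and the 4x4 hyphenated format are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"errors"
	"fmt"
	"strings"
)

// recoveryStore keeps only SHA-256 hashes of unused codes, keyed by user, so a
// copy of the database does not hand out working MFA bypass codes.
type recoveryStore struct {
	hashes map[string][][32]byte
}

func newRecoveryStore() *recoveryStore {
	return &recoveryStore{hashes: map[string][][32]byte{}}
}

// normalize strips the hyphens and spaces users type and upper-cases, so
// "abcd-efgh-..." and "ABCDEFGH..." resolve to the same stored hash.
func normalize(code string) string {
	return strings.ToUpper(strings.NewReplacer("-", "", " ", "").Replace(code))
}

func hashCode(code string) [32]byte {
	return sha256.Sum256([]byte(normalize(code)))
}

// issue generates n fresh codes for a user, replacing any earlier set, and
// returns the plaintext exactly once for the user to store offline.
func (s *recoveryStore) issue(user string, n int) ([]string, error) {
	enc := base32.StdEncoding.WithPadding(base32.NoPadding)
	codes := make([]string, 0, n)
	hashes := make([][32]byte, 0, n)
	for i := 0; i < n; i++ {
		var raw [10]byte // 80 bits of entropy per code
		if _, err := rand.Read(raw[:]); err != nil {
			return nil, err
		}
		c := enc.EncodeToString(raw[:]) // 16 base32 characters
		c = c[:4] + "-" + c[4:8] + "-" + c[8:12] + "-" + c[12:]
		codes = append(codes, c)
		hashes = append(hashes, hashCode(c))
	}
	s.hashes[user] = hashes
	return codes, nil
}

// redeem compares the submitted code against every unused hash without an
// early exit, then deletes the match, so a code works exactly once.
func (s *recoveryStore) redeem(user, code string) error {
	want := hashCode(code)
	hs := s.hashes[user]
	match := -1
	for i := range hs {
		if subtle.ConstantTimeCompare(hs[i][:], want[:]) == 1 {
			match = i
		}
	}
	if match < 0 {
		return errors.New("invalid or already used recovery code")
	}
	s.hashes[user] = append(hs[:match], hs[match+1:]...)
	return nil
}

// remaining lets the helpdesk warn a user who is down to their last code.
func (s *recoveryStore) remaining(user string) int { return len(s.hashes[user]) }

func main() {
	s := newRecoveryStore()
	codes, _ := s.issue("alice@example.com.au", 8)
	fmt.Println("show once, then discard:", codes)
	fmt.Println("first use:", s.redeem("alice@example.com.au", codes[0])) // <nil>
	fmt.Println("replay:   ", s.redeem("alice@example.com.au", codes[0])) // error
	fmt.Println("left:", s.remaining("alice@example.com.au"))             // 7
}
```

In production, every successful redeem should also be logged and alerted on, since a recovery code being used is itself a sign that either the user lost a device or an attacker obtained the codes.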
Common Challenges
User Resistance
Some users resist change. Address this with:
- Executive mandate and communication
- Clear explanation of the security benefits
- Streamlined enrollment processes
- Choice of MFA methods where possible
Legacy Applications
Not all applications support modern MFA. Options include:
- Identity federation via SAML/OIDC
- Reverse proxy with pre-authentication
- Application upgrade or replacement
- Compensating controls for exceptions
Also block legacy authentication protocols (basic authentication over IMAP, POP3, SMTP and similar) wherever MFA is enforced; they cannot carry an MFA challenge, so any account still reachable over them has a bypass around the policy.
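Whatever compensating controls are chosen, the sign-in log is where you confirm they hold. The following is an added example written for this article, not code from the original page or from any identity provider: a Go script over constructed JSON sign-in records (the field names, protocol labels and result values are assumptions; map them to what your provider exports) that flags two things: a successful login over a legacy protocol, meaning MFA was never evaluated, and a user who rejected or ignored several push prompts in a short window and then approved one, the pattern of an attacker re-sending push notifications until the user gives in.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// signIn is one line of a JSON sign-in log (field names are assumed; map them
// to whatever your identity provider exports).
type signIn struct {
	Time     time.Time `json:"time"`
	User     string    `json:"user"`
	Protocol string    `json:"protocol"` // "modern", or a legacy protocol name
	Result   string    `json:"result"`   // success, mfa_approved, mfa_denied, mfa_timeout
	SourceIP string    `json:"src_ip"`
}

// Protocols that cannot carry an MFA challenge: a success here means MFA was
// never evaluated, whatever the policy says.
var legacyProtocols = map[string]bool{"imap": true, "pop3": true, "smtp": true, "activesync": true}

// constructedLog is sample data made up for this example, not a real export.
const constructedLog = `
{"time":"2024-03-04T02:10:00Z","user":"alice","protocol":"modern","result":"mfa_denied","src_ip":"203.0.113.7"}
{"time":"2024-03-04T02:11:00Z","user":"alice","protocol":"modern","result":"mfa_denied","src_ip":"203.0.113.7"}
{"time":"2024-03-04T02:12:30Z","user":"alice","protocol":"modern","result":"mfa_timeout","src_ip":"203.0.113.7"}
{"time":"2024-03-04T02:14:00Z","user":"alice","protocol":"modern","result":"mfa_approved","src_ip":"203.0.113.7"}
{"time":"2024-03-04T09:00:00Z","user":"bob","protocol":"imap","result":"success","src_ip":"198.51.100.9"}
{"time":"2024-03-04T09:05:00Z","user":"carol","protocol":"modern","result":"mfa_approved","src_ip":"192.0.2.4"}
{"time":"2024-03-04T09:06:00Z","user":"carol","protocol":"modern","result":"mfa_denied","src_ip":"192.0.2.4"}
`

// parseLog reads one JSON object per line and returns events sorted by time.
func parseLog(raw string) ([]signIn, error) {
	var events []signIn
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		var e signIn
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad log line %q: %w", line, err)
		}
		events = append(events, e)
	}
	sort.Slice(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	return events, nil
}

// findLegacyBypass reports successful sign-ins over legacy protocols.
func findLegacyBypass(events []signIn) []string {
	var hits []string
	for _, e := range events {
		if legacyProtocols[strings.ToLower(e.Protocol)] && e.Result == "success" {
			hits = append(hits, fmt.Sprintf("%s: %s login without MFA from %s at %s",
				e.User, e.Protocol, e.SourceIP, e.Time.Format(time.RFC3339)))
		}
	}
	return hits
}

// findPushFatigue reports users who rejected or ignored at least threshold
// prompts inside window and then approved one.
func findPushFatigue(events []signIn, threshold int, window time.Duration) []string {
	var hits []string
	for i, e := range events {
		if e.Result != "mfa_approved" {
			continue
		}
		rejected := 0
		for _, p := range events[:i] { // only earlier events; the slice is time-sorted
			if p.User == e.User && e.Time.Sub(p.Time) <= window &&
				(p.Result == "mfa_denied" || p.Result == "mfa_timeout") {
				rejected++
			}
		}
		if rejected >= threshold {
			hits = append(hits, fmt.Sprintf("%s: %d rejected/ignored prompts within %s before approval from %s at %s",
				e.User, rejected, window, e.SourceIP, e.Time.Format(time.RFC3339)))
		}
	}
	return hits
}

func main() {
	events, err := parseLog(constructedLog)
	if err != nil {
		panic(err)
	}
	for _, h := range append(findLegacyBypass(events), findPushFatigue(events, 3, 10*time.Minute)...) {
		fmt.Println("ALERT", h)
	}
}
```

Run against the sample, it raises one alert for bob's IMAP login and one for alice's approval after three rejected prompts; carol's single denial after a legitimate approval is not flagged. Tune the threshold and window to your own baseline before wiring it to a pager.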
Lost Devices
Users will lose phones or security keys. Prepare with:
- Self-service recovery options, gated by a remaining enrolled factor rather than by knowledge questions alone
- Fast replacement processes
- Temporary bypass procedures with logging and identity verification, since helpdesk MFA resets are a favoured social-engineering target
Beyond MFA: Conditional Access
Modern identity systems support context-aware access decisions:
- Location-based: block or require stronger authentication from unusual locations (IP geolocation is a weak signal on its own, since attackers route through in-country VPNs and residential proxies)
- Device-based: require compliant or managed devices
- Risk-based: increase requirements when risk signals are detected
- Time-based: restrict access outside business hours
Next Steps
With strong authentication in place, you need to ensure you can recover from incidents. Our final Essential Eight article covers Regular Backups—your last line of defense against ransomware.
Ready to implement MFA? Cloudscape IT specializes in identity and access management for Australian businesses. Contact us for an MFA assessment and implementation roadmap.
---
This article is part of our Essential Eight cybersecurity series.