Essential Eight Passkeys: Phishing-Resistant MFA

1. Introduction: Essential Eight Passkeys

The 2023-2030 Australian Cyber Security Strategy underscores Australia’s commitment to strengthening its cyber defense mechanisms. Central to this strategy is the Essential Eight / Essential 8 Framework. In November 2023, significant revisions were made to the Essential Eight / Essential 8. myGov launched passkeys in June 2024, and days after the launch Hon. Bill Shorten MP announced:

“within days of passkeys being available on myGov, over 20,000 Australians have already created a passkey for their myGov account.”
myGov Passkeys

These adjustments and strong efforts of the government reflect the evolving cyber threat landscape and the necessity for more robust security measures. In this article, we will focus on the authentication aspects and answer the following questions:

  • What is Essential Eight and the Maturity Levels?
  • What requirements exist for multi-factor authentication?
  • How can phishing-resistant authentication be achieved with passkeys?

2. What is the Essential Eight Framework?

The Essential Eight is a set of baseline mitigation strategies developed by the Australian Cyber Security Centre (ACSC) to help organizations strengthen their cyber defenses. Originally introduced in 2017, the Essential Eight framework was designed to provide a practical and effective foundation for mitigating cyber threats. The framework was created in response to the growing frequency and sophistication of cyberattacks, recognizing the need for a standardized approach to enhance the cyber resilience of Australian organizations.

2.1 Purpose of the Essential Eight Framework

The primary purpose of the Essential Eight is to protect systems and data from a wide range of cyber threats. It provides organizations with a clear, structured approach to implementing essential security measures. By adopting these strategies, organizations can significantly reduce the risk of cyber incidents and improve their overall security posture. The Essential Eight is applicable to all types of organizations, regardless of their size or industry, making it a versatile and comprehensive framework.

Historically, the Essential Eight has played a critical role in advancing Australia's cyber security strategy. It aligns with the broader objectives of the Australian Cyber Security Strategy, which aims to create a secure and resilient digital environment for the country. The framework is periodically reviewed and updated to address emerging threats and incorporate advancements in security technologies.

2.2 Key Mitigation Strategies of the Essential 8 Framework

The Essential Eight framework consists of eight key mitigation strategies, each addressing a specific aspect of cyber security. These strategies include:

ASD Essential Eight

  1. Application Whitelisting: Ensuring only approved applications can execute.
  2. Patching Applications: Regularly updating applications to fix security vulnerabilities.
  3. Configuring Microsoft Office Macro Settings: Disabling or restricting macros to prevent malicious code execution.
  4. User Application Hardening: Applying security settings to user applications to reduce vulnerabilities.
  5. Restricting Administrative Privileges: Limiting administrative access to prevent unauthorized changes and reduce the attack surface.
  6. Patching Operating Systems: Keeping operating systems up to date with the latest security patches.
  7. Multi-Factor Authentication: Implementing MFA for an organization’s users and customers to protect against unauthorized access.
  8. Regular Backups: Conducting regular backups to ensure data can be restored in the event of an incident.

The framework also introduces the concept of Maturity Levels, which help organizations gauge their implementation progress and set security goals based on their size and the criticality of their service. By progressing through these maturity levels, organizations can continuously enhance their security capabilities and resilience.

3. Essential Eight Maturity Levels

The Essential Eight framework introduces a maturity model to help organizations assess their current security posture and set achievable goals for improvement. This model consists of three distinct maturity levels, each representing a different stage of cyber hygiene and security measures (there is also a Maturity Level 0, which corresponds to having no maturity at all).

3.1 Overview of the Essential Eight Maturity Model

The maturity model provides a structured approach for organizations to enhance their cyber defenses progressively. Each maturity level corresponds to a set of security practices and measures appropriate for the organization's size, complexity, and the criticality of their data and services.

Essential Eight Maturity Level Overview

3.2 Essential Eight Maturity Level 0: No Cyber Hygiene

Maturity Level 0 represents organizations that have either incomplete or no cyber hygiene measures in place. These organizations are highly vulnerable to cyber threats and must begin implementing basic security practices.

3.3 Essential Eight Maturity Level 1: Basic Cyber Hygiene

Maturity Level 1 focuses on establishing foundational security practices. Organizations at this level typically have minimal cyber security measures in place and are beginning to address common threats. This level is suitable for:

  • Small Businesses: Small businesses with limited IT resources and budget, typically fewer than 50 employees.
  • Startups: New companies in the early stages of development, focusing on product-market-fit.
  • Organizations New to Cyber Security: Entities that are just starting to implement formal cyber security practices, such as local non-profits or community organizations.

3.4 Essential Eight Maturity Level 2: Enhanced Security Measures

Maturity Level 2 builds on the foundational practices established in Level 1, introducing more advanced security measures to address a broader range of threats. Organizations at this level should already have a strong understanding of cyber security and are working to enhance their defenses. This level is suitable for:

  • Medium-Sized Enterprises: Companies with 50 to 500 employees, with a growing IT infrastructure and increased risk exposure.
  • Organizations with Sensitive Data: Entities handling sensitive customer, PII-relevant data or proprietary information, such as law firms, healthcare providers, and educational institutions.
  • Businesses in Regulated Industries: Organizations subject to regulatory requirements that mandate stronger security controls, such as financial services, insurance companies, and telecommunications.

3.5 Essential Eight Maturity Level 3: Advanced Security Posture

Maturity Level 3 represents the highest level of cyber security maturity within the Essential Eight framework. Organizations at this level must implement comprehensive and advanced security measures to protect against sophisticated threats and have already started to roll out passkeys:

  • Large Enterprises: Companies with over 500 employees and extensive IT infrastructure, such as multinational corporations and conglomerates.

  • Critical Infrastructure Providers: Organizations responsible for essential services, including utilities, healthcare systems, and transportation networks (e.g. Telstra).

  • High-Value Targets: Entities that are likely targets for advanced persistent threats (APTs) and other sophisticated cyberattacks, such as major tech companies, financial institutions, insurers, or platforms holding large amounts of personally identifiable information.

  • Government Functions: Federal, state, and local government agencies responsible for national security, public safety, and critical public services for citizens.

Understanding these maturity levels helps organizations identify their current security posture and develop a roadmap for continuous improvement, aligning with the broader goals of Australia's 2023-2030 Cyber Security Strategy.

4. Why is Multi-Factor Authentication One of the Most Important Elements of Essential Eight

Protecting authentication is one of the most important aspects of cybersecurity. Authentication is the gate to data access and failing to protect credentials is the root of many cybersecurity incidents.

4.1 What Multi-Factor Authentication Factors Exist under Essential Eight?

Multi-Factor Authentication (MFA) under the Essential Eight framework requires the use of multiple authentication methods from different authentication categories to verify the identity of users. The categories include:

MFA

  • Knowledge: something the user knows (e.g., password or PIN)
  • Possession: something the user has (e.g., a physical token or smartphone), and
  • Inherence: something the user is (e.g., biometric verification).

The updated guidelines specify that MFA should not rely on two factors from the same category, e.g. two knowledge-based factors.

Prior to the update, security questions were often used as a secondary factor. However, this is no longer acceptable due to the increased risk of these factors being compromised. The Essential Eight now mandates the use of more secure and varied authentication methods to ensure robust protection against phishing and other cyber threats.

Factor Overview for Essential Eight MFA

The official Essential Eight Assessment Process Guide lays out more details and assessment of authentication factors:

Essential Eight Assessment Process Guide

Most current deployments use passwords as the first factor, combined with a second factor. The table makes clear that passkeys are the only authentication method that performs well on all characteristics.

While most characteristics do not need an explanation, the following require some background knowledge:

  • Suitable for workforce: The suitability of an authentication factor for the workforce considers its practicality, deployment, and security effectiveness for employees. Authentication factors like security keys, smart cards, passkeys, and software OTPs are suitable due to their high security and manageability in a corporate environment.
  • Suitable for business customers: For business customers (medium to large enterprises), the suitability of an authentication factor is assessed based on its appropriateness for accessing enterprise services.
  • Suitable for consumer customers: When considering consumer customers, the suitability of an authentication factor focuses on ease of use and accessibility. Passkeys, software OTPs, SMS OTPs and app push notifications are suitable for consumers due to their balance of usability and security. SMS OTPs continue to be extremely popular among consumers: 80-90% of consumers choose SMS OTPs as their factor when free to select, with passkeys catching up. In contrast, security keys and smart cards are unusable for consumer use due to their hardware requirements, complexity and non-existent distribution.

After we have discussed the MFA factor definitions of the Essential Eight framework and compared the most important MFA factors and their characteristics, we will now investigate how Essential Eight categorizes sensitive data.

4.2 What’s Data Sensitivity Under Essential Eight?

Understanding the differences of sensitive data is important because different requirements follow. The Essential Eight Framework distinguishes between sensitive organizational and sensitive customer data.

4.2.1 What’s Sensitive Organizational Data Under Essential Eight?

Sensitive organizational data pertains to information that is crucial to the operations and security of an organization. Unauthorized access or disclosure of this data can have serious implications for the organization's functioning and security posture.

Non-sensitive organizational data includes information that is not critical to the organization's security or operations and does not pose a significant risk if disclosed. This type of data is still protected, but with less stringent measures compared to sensitive data.

Around organizational data, there is little ambiguity about sensitivity, because sensitive and non-sensitive data usually reside in the same place. Therefore, nearly all companies treat all organizational data as sensitive data, and the higher authentication requirements are applied.

4.2.2 What’s Sensitive Customer Data Under Essential Eight?

Sensitive customer data includes personal information that, if disclosed, could cause significant harm or distress to individuals. This type of data is protected under stricter security measures due to its critical nature.

Although the Essential Eight framework does not explicitly reference non-sensitive customer data, there may be situations where services only process uncritical data. Non-sensitive customer data would include information that, if disclosed, does not pose a significant risk to the individual’s privacy or security. The following table can act as guidance on what customer data could be classified as sensitive customer data.

Nearly all consumer-facing services that allow customers to purchase services or goods today include some sort of personal data or privacy-related information under Australian Privacy Principles (APPs). There is no clear definition of the extent to which sensitive customer data are covered.

4.3 Essential Eight MFA Requirements

We have now explained two of the three important components that determine the resulting MFA requirements:

  • Maturity Level: Maturity Level 1, Maturity Level 2, Maturity Level 3
  • Sensitivity of the data being accessed: Sensitive or not sensitive

The last important component is who is authenticated:

  • Type of user: Customer vs. Workforce

This structured approach ensures that the appropriate level of security is applied based on the risk and impact associated with a possible breach. Based on the associated risk, Essential Eight has three possible requirements and recommendations:


The following table shows when the Essential Eight framework requires which authentication by Maturity Level, data sensitivity and type of user.


The red table cells show that companies at Maturity Level 2 or higher must implement phishing-resistant multi-factor authentication.

4.4 Phishing-Resistant MFA is the New Standard

It is a clear commitment by the Australian Government and all its advisors to push for passkeys as a replacement for passwords. Enforcing phishing-resistance also for consumers was only made possible by the advent of passkeys (passkeys are referenced frequently on the governmental Essential 8 page).

While phishing-resistant authentication for “organizational users” / workforce can be done via workforce Single-Sign-On or Identity Providers (IdPs) like Azure AD or Google Workspace, phishing-resistant customer authentication is difficult:

  • Business customers (B2B/B2G): Phishing-resistant authentication for business customers is achievable via SSO / IdP. While medium-/large-sized business customers will most of the time have hardware security keys (e.g. YubiKeys) in their company, they will connect to online services using their own SSO / IdP system, as they also adhere to Essential Eight requirements and secure authentication this way. Smaller-/medium-sized business customers mostly do not have an SSO / IdP yet and therefore authenticate like consumers.
  • Consumer customers (B2C/G2C): Phishing-resistant authentication for consumers is only achievable with passkeys. Passkeys are the only phishing-resistant multi-factor authentication method that has substantial coverage and that can be used to meet the Essential Eight requirements for phishing-resistant multi-factor authentication of consumer customers.
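What makes a passkey phishing-resistant is that the browser binds every assertion to the site's origin and relying party (RP) ID, so an assertion produced on a lookalike domain is rejected by the real service. The following added example (not code from the original article) shows the RP-side checks that enforce this; the RP ID `example.gov.au`, the server nonce and all assertion contents are constructed for illustration, and the final signature check against the stored public key is described but not implemented.

```python
import base64
import hashlib
import json

# Constructed relying-party identity for this example (not a real deployment).
RP_ID = "example.gov.au"
EXPECTED_ORIGIN = "https://example.gov.au"


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses for challenges."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes) -> tuple:
    """Verify the origin, RP ID and challenge bindings of a passkey assertion.

    A complete relying party additionally verifies the signature over
    authenticator_data || SHA-256(client_data_json) with the credential's
    stored public key; that step needs an ECDSA library and is omitted here.
    Returns (ok, reason).
    """
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    # The browser writes the origin itself; page scripts cannot forge it.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    # authenticatorData layout: rpIdHash (32) || flags (1) || signCount (4) || ...
    if len(authenticator_data) < 37:
        return False, "authenticator data too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    flags = authenticator_data[32]
    if not flags & 0x01:
        return False, "user presence (UP) flag not set"
    if not flags & 0x04:
        return False, "user verification (UV) flag not set; required for MFA"
    return True, "ok"


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON as a browser would emit it for `origin`."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
        "crossOrigin": False,
    }).encode()


def make_auth_data(rp_id: str, flags: int = 0x05, sign_count: int = 1) -> bytes:
    """Constructed authenticatorData: rpIdHash || flags || signCount."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + sign_count.to_bytes(4, "big"))


def demo() -> tuple:
    """Genuine login versus an assertion relayed from a lookalike domain."""
    challenge = hashlib.sha256(b"constructed-server-nonce").digest()
    legit = verify_assertion_binding(make_client_data(EXPECTED_ORIGIN, challenge),
                                     make_auth_data(RP_ID), challenge)
    lookalike = "https://example-gov.au.login-portal.com"
    relayed = verify_assertion_binding(make_client_data(lookalike, challenge),
                                       make_auth_data("example-gov.au.login-portal.com"),
                                       challenge)
    return legit, relayed
```

The relayed assertion fails on the origin check even though the challenge is correct, which is exactly the property an OTP forwarded through a phishing page lacks.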

Next, we will focus on how to implement phishing-resistant consumer MFA for companies and government agencies.

5. Implementing Phishing-Resistant MFA for Consumers with Passkeys

The Australian Cyber Security Strategy and Essential Eight framework require organizations to implement phishing-resistant MFA (via passkeys). Our whitepaper provides an overview and shows how to implement passkeys efficiently and what the business impact is.

Unlock the Full Potential of Essential Eight Passkeys

  • Enhanced Security, Autologin, Compliance with ACSC Guidelines

Steps to Implement Phishing-Resistant MFA

  • Register Passkeys: Focus on Risk Management, Cross-Device Authentication (CDA), Gradual Rollout, Comprehensive Logging, Conversion Funnel Optimization, A/B Testing, Consumer Messaging
  • Login with Passkeys: Embedded approach, Benefits and Challenges of Separate Passkey Buttons
  • Fallbacks & Recovery for MFA: Support all devices, Integrate with Fallbacks, Integrate with Customer Support for MFA recovery

Measuring Implementation Success

  • Monitor Passkey Login Rate on customer accounts with passkeys
  • Gradually Increase Passkey Adoption Rate on capable devices

6. Recommendation

Integrating phishing-resistant MFA, specifically through passkeys, is important for future-proofing organizational cyber security in line with the Essential Eight framework. Here are several recommendations to ensure a successful transition:

6.1 Start Early with Your Passkeys Implementation

  • Early Adoption: Begin collecting passkeys as soon as possible. This will provide ample time to familiarize with the technology and its integration into existing systems.
  • Preparation: Early adoption will also ensure that you are well-prepared for future updates to the Essential Eight, where passkeys will be mandated.

6.2 Focus on Preparation and Riskless, Gradual Passkey Rollout

  • Risk Management: Develop a comprehensive risk management strategy to mitigate potential issues during the rollout and retain the ability to A/B test different strategies.
  • Gradual Rollout: Implement passkeys in stages to manage and resolve any issues before full deployment. This can help in identifying and rectifying unforeseen challenges without disrupting operations.

6.3 Aim for High Passkey Adoption and High Passkey Login Rates

  • User Engagement: Educate users about the benefits of passkeys to encourage adoption. Highlight aspects such as enhanced security and convenience.
  • User Experience: Optimize the user experience to ensure that passkey login is as seamless as possible on all available device types.

6.4 Robust MFA Recovery Strategy

  • Fallback Mechanisms: Ensure that there are reliable fallback mechanisms in place for MFA recovery. This is crucial for maintaining access in case of lost or compromised authentication factors.
  • Support Systems: Integrate recovery options deeply into customer support systems to assist users promptly and effectively.

6.5 Learn from Early Adopters

  • Avoid Mistakes: Analyze and avoid the mistakes made by early adopters, such as myGov. Common pitfalls include inadequate user education or insufficient support for transition to passkeys.
  • Best Practices: Implement best practices from successful implementations by big consumers portals like Google, Apple, and Kayak. These organizations have demonstrated effective strategies for passkey adoption and MFA integration.

By following these recommendations, organizations can not only comply with the Essential Eight requirements but also significantly enhance their overall cyber security posture. Transitioning to passkeys will position organizations to better handle emerging cyber threats, ensuring a safer and more resilient digital environment.

7. Conclusion: Essential 8 MFA with Passkeys

The Essential Eight framework, developed by the Australian Cyber Security Centre (ACSC), represents a critical component of Australia's national cyber security strategy. It aims to provide organizations with a comprehensive and structured approach to mitigating cyber threats. Through this article, we've explored the Essential Eight framework, focusing on the following key questions:

  • What is Essential Eight and the Maturity Levels? The Essential Eight framework consists of eight key mitigation strategies designed to enhance cyber security. These strategies include application whitelisting, patching applications, configuring macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication (MFA), and regular backups. The framework also introduces a maturity model with three levels, each representing different stages of cyber hygiene and security measures.
  • What requirements exist for multi-factor authentication (MFA)? MFA is a crucial element of the Essential Eight framework, requiring multiple authentication methods from different categories to verify user identities. These categories include something the user knows (e.g., password or PIN), something the user has (e.g., physical token or smartphone), and something the user is (e.g., biometric verification). The framework emphasizes the use of secure and varied authentication methods to prevent phishing and other cyber threats.
  • How can phishing-resistant authentication be achieved with passkeys? Phishing-resistant MFA is increasingly recognized as a necessary standard. Passkeys make this possible: they combine the benefits of strong authentication with user convenience. Passkeys provide a high level of security by utilizing biometric data and cryptographic keys, making them resistant to phishing attacks. Implementing passkeys involves steps like registering passkeys, using an identifier-first approach, and ensuring robust fallback and recovery options.

In conclusion, the Essential Eight framework offers a robust and adaptable approach to improving cyber security across organizations of all sizes. By progressing through the maturity levels, organizations can enhance their security posture and resilience against cyber threats. The shift towards phishing-resistant MFA, particularly through the adoption of passkeys, aligns with the framework's emphasis on strong authentication. As the Australian government continues to update and refine the Essential Eight, organizations should prioritize the implementation of these strategies to safeguard their systems and data effectively.
