"Hi, my name is Michael, and I'm a Cyber Security Consultant here at AC3.
In this video, I'll be covering the multi-factor authentication mitigation strategy that forms part of the ACSC Essential Eight.
Multi-factor authentication is the practice of not relying on just a username and password to grant access to the system. A secondary authentication factor like an app based notification on your mobile device or a hardware security key is used as well.
As best practice, multi-factor authentication should be used to authenticate all users each time they log on to an organisation's assets, a strategy known as Zero Trust.
To reach Maturity Level One of the Essential Eight, organisations need only implement multi-factor authentication for internet-facing services. Organisations at this maturity level can also continue to use phone or SMS based authentication, though these are not completely secure and are not recommended.
At Maturity Level Two, organisations must authenticate all privileged access to systems, regardless of whether the system is internet-facing. Organisations can no longer use phone or SMS based authentication at this maturity level and must switch to a minimum of app or software token based auth.
Maturity Level Three primarily indicates a switch to hardware based authentication tokens. These are known as verifier impersonation resistant as they are the only MFA strategy where a user can't be tricked into thinking they are authorising their own access by an adversary.
This is because the hardware token only authorises the device with which it is physically in contact, rather than an app based prompt that can authorise an adversary on a different machine.
If you would like guidance on which maturity level is right for your organisation or how effective your mitigation strategies are, please reach out to the team. We'd love to help."
AC3's Essential Eight Security Control Assessment can benchmark your current strategies against the ACSC's Essential Eight maturity models.