Over the last few weeks, the Australian government has made big strides in further bolstering its digital security posture by enacting major cybersecurity measures. Australia has a goal to be a global leader in cybersecurity by 2030, and these recent measures are making impactful steps toward reaching this mission. First, the government announced that myGov – a simple and secure way for citizens to access government services online in one place – will transition to be fully passwordless, including introducing phishing-resistant multi-factor authentication (MFA) options like passkeys to sign into accounts.
myGov’s move toward adopting passkeys follows recent experiences facing breaches due to stolen login credentials from phishing attacks. Just this year, 4,500 successful breaches have resulted in $3.1 billion in losses – which led to thousands of myGov accounts being suspended to proactively thwart new breaches.
Additionally, in November the Australian Government released its Australian Cyber Security Strategy 2023-2030 which will impact government, critical infrastructure, citizens, and public servants working in the departments tied to myGov – as well as citizens accessing government services online. In November the Australian Government also released an update to the Maturity Model for the Essential Eight, in which phishing-resistant MFA is among the eight mitigation strategies.
Yubico applauds these efforts by the Australian government towards prioritising phishing-resistance and significantly raising the security bar for the country and its citizens. Following these announcements, we can expect more aggressive moves in the coming months led by the federal government to adopt passkeys as phishing-resistant MFA.
Impact of recent Australian government cybersecurity legislation
The updated Essential 8 framework includes MFA requirements which have been bolstered to require the use of phishing-resistant MFA by organisations at a lower maturity level. Previously required at Maturity Level One, phishing-resistance is now required from Maturity Level One through Maturity Level Three (more information on maturity level guidance here). This framework, which is supported by the recently released Cyber Security Strategy, should be the guide organisations use to assess their cyber posture.
These updates were made in response to a few driving forces: increasing MFA adoption and implementation of international FIDO2/WebAuthn standards, the rise of attacks against weaker MFA implementations (i.e. those susceptible to real-time phishing attacks or social engineering attacks), and cyber policy changes being made by Australian Signals Directorate’s (ASD) international partners. MFA requirements have been bolstered to require the use of phishing-resistant MFA by organisations at a lower maturity level. This impacts Maturity Level Two.
Finally, a requirement has been added for users to authenticate to their workstations using a form of phishing-resistant MFA (e.g. Smart Cards and security keys). This change impacts Maturity Level Two and Maturity Level Three.
Overall, these changes are welcome and raise the bar for organisations to adopt modern phishing-resistant MFA at scale, and represent a significant shift in the Australian market towards adoption of passkeys. We look forward to additional measures by the Australian government in the coming years to keep their citizens more secure from increasing cyber attacks like phishing.
Moves towards phishing-resistance globally
The proposed uplift in cyber security posture across Australian government, business and consumers is an extremely positive step for the country, but also reflects similar moves we’re seeing unfold in other countries around the world.
The U.S. government has been emphasising the importance of using only phishing-resistant MFA for over the past few years. Following the White House Executive Order 14028 focused on the public sector and all companies that work with federal agencies, in early 2022 the OMB Memo M-22-09 issued guidance on implementing phishing-resistant MFA as part of deploying Zero Trust Architecture and software supply chain security. Then, in early 2023 the government announced a National Cybersecurity Strategy which aims to shift responsibility of cybersecurity burden from individuals to “organisations that are most capable and best-positioned to reduce risks for all of us.”
Meanwhile, we’ve seen big steps throughout Europe in the form of the recent NIS2 Directive – a new piece of European Union (EU)-wide legislation aimed at improving the region’s cybersecurity.
Recently, we also saw the EU take a big step with a revision of the EU common identity framework regulation – also known as eIDAS 2.0 – in which EU Member States will all soon implement a new common structure for electronic credentials based on digital identity wallets, including support for FIDO-based authentication. Over 250 private companies and government authorities across 25 EU Member States and Norway, Iceland, and Ukraine are participating in four large scale pilots to develop the underlying technology and test real-life use cases across the EU.
