The Australian government has reiterated its commitment to strengthening digital security for individuals and businesses nationwide, aiming to establish itself as a global leader in cybersecurity by 2030. Key enhancements to cybersecurity measures have been introduced to achieve this objective.
One significant measure involves the transformation of myGov, an online platform providing access to government services, into a passwordless system. This initiative includes the implementation of a phishing-resistant multi-factor authentication (MFA) system, incorporating passkeys for secure account sign-ins.
The move to a passwordless system responds to earlier breaches in which login credentials stolen through phishing were used to gain access, leading to approximately 4,500 successful intrusions and $3.1 billion in losses. As a preventive measure, thousands of myGov accounts were proactively suspended to limit further breaches.
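Why a passkey sign-in of the kind the article calls "phishing-resistant" does not transfer from a lookalike page, as an added Python example that is not from the article, myGov or Yubico: a model relying party runs the WebAuthn challenge, origin, rpIdHash and signature checks on a genuine assertion, on one relayed through a hypothetical lookalike origin, and on one whose clientDataJSON was rewritten after signing. RP_ID, the lookalike origin, the key and the challenge are constructed, and an HMAC stands in for the authenticator's asymmetric signature.

```python
import hashlib
import hmac
import json

# Constructed: the relying party (RP) being defended and a hypothetical lookalike origin.
RP_ID, RP_ORIGIN = "my.gov.au", "https://my.gov.au"
LOOKALIKE_ORIGIN = "https://my-gov.au.example"

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def make_assertion(key: bytes, origin: str, challenge: str) -> dict:
    """Model of what browser + authenticator return for a sign-in: the browser
    records the page's real origin in clientDataJSON, and the authenticator signs
    authenticatorData || SHA-256(clientDataJSON). An HMAC stands in for its
    asymmetric signature so this runs on the standard library alone."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (user-present bit) || signCount
    auth_data = sha256(RP_ID.encode()) + b"\x01" + (1).to_bytes(4, "big")
    sig = hmac.new(key, auth_data + sha256(client_data), hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def verify_assertion(key: bytes, a: dict, expected_challenge: str) -> tuple:
    """The RP's checks, in the order the WebAuthn assertion procedure lists them."""
    cd = json.loads(a["clientDataJSON"])
    if cd.get("challenge") != expected_challenge:
        return False, "challenge does not match the one this RP issued"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not the RP origin"
    ad = a["authenticatorData"]
    if ad[:32] != sha256(RP_ID.encode()):
        return False, "rpIdHash is not for this RP ID"
    expected = hmac.new(key, ad + sha256(a["clientDataJSON"]), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, a["signature"]):
        return False, "signature does not cover this clientDataJSON"
    return True, "ok"

def demo() -> dict:
    key, challenge = b"constructed-credential-key", "constructed-random-challenge"
    genuine = make_assertion(key, RP_ORIGIN, challenge)
    # Relayed: a lookalike page forwards the RP's real challenge, but the browser
    # still records the lookalike origin in clientDataJSON.
    relayed = make_assertion(key, LOOKALIKE_ORIGIN, challenge)
    # Tampered: the relayed clientDataJSON rewritten to the real origin after signing.
    tampered = dict(relayed, clientDataJSON=relayed["clientDataJSON"].replace(
        LOOKALIKE_ORIGIN.encode(), RP_ORIGIN.encode()))
    return {name: verify_assertion(key, a, challenge)
            for name, a in [("genuine", genuine), ("relayed", relayed), ("tampered", tampered)]}
```

In a real browser the lookalike page could not invoke the my.gov.au credential at all, because the RP ID must match the page's own domain; the checks above are the relying party's own layer of that same guarantee.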
In November, the government unveiled the Australian Cyber Security Strategy for 2023-2030, targeting improvements in government, critical infrastructure, public servant, and citizen cybersecurity. An update to the Maturity Model for the Essential Eight was also announced, with phishing-resistant MFA being one of the eight mitigation strategies.
Technology company Yubico has applauded these government-led initiatives, suggesting that more proactive measures, particularly the adoption of passkeys as a phishing-resistant MFA, are anticipated in the near future.
Recent cybersecurity legislation in Australia has also positively impacted the Essential Eight framework, strengthening MFA requirements. The use of phishing-resistant MFA is now mandated from Maturity Level One through to Level Three, representing a significant shift from its previous requirement only at Level One. The framework, aligned with the Cyber Security Strategy, serves as a guide for organizations to assess their cyber posture.
These updates have been influenced by various factors, including increased MFA adoption, the implementation of international FIDO2/WebAuthn standards, a rise in attacks against weaker MFA implementations, and adjustments to cyber policies by the Australian Signals Directorate’s global partners.
A new requirement now obligates users to authenticate workstations using a form of phishing-resistant MFA, affecting those at Maturity Level Two and Three. These changes set a higher standard for organizations to embrace modern phishing-resistant MFA on a larger scale. Further government measures are expected in the coming years to protect citizens against escalating cyber threats such as phishing.
The broader global trend towards prioritizing phishing-resistant MFA is evident, with the US government emphasizing its use in recent years. Similarly, the EU is taking significant steps to enhance cybersecurity through directives like the NIS2 Directive and revisions to the EU common identity framework regulation.