Passwords are broken. Not because the concept is flawed, but because human behaviour is predictable. People reuse passwords. They choose simple ones. They store them insecurely. And attackers know this — which is why credential stuffing, password spraying, and phishing for passwords remain some of the most effective attack techniques in existence. Multi-factor authentication (MFA) and passwordless technologies are the industry's response.

Australia's Essential Eight framework places MFA at Maturity Level One — the baseline — for all organisations. Yet surveys consistently show that a significant proportion of Australian businesses have not fully deployed MFA even for their most sensitive systems. Understanding why MFA matters, how different methods compare, and where passwordless authentication is heading is essential for anyone working in or studying cybersecurity.

99.9% of account compromise attacks are blocked by MFA, according to Microsoft research
80% of breaches involve weak, default, or stolen passwords as the initial access vector
15B stolen credentials are available on dark web markets, ready for credential stuffing

How MFA Works — and Why It Matters

Multi-factor authentication requires a user to present two or more independent verification factors before being granted access. These factors fall into three categories: something you know (a password or PIN), something you have (a phone, hardware token, or smart card), and something you are (a fingerprint, face, or iris scan).

When an attacker steals a password through phishing or a data breach, MFA stops them from using it — because they do not have access to the second factor. Even if the password is compromised, the account remains protected. This is why MFA is consistently described as the single most impactful security control available for the cost and effort involved.

"Deploying MFA is the cybersecurity equivalent of putting a deadbolt on a door that previously relied on a flimsy latch. It is not perfect, but it raises the cost of attack dramatically."

Not All MFA Is Created Equal

MFA implementations vary significantly in their strength. Some methods are easily bypassed by sophisticated attackers — others are considered phishing-resistant even against nation-state level adversaries.

⚠ Weaker MFA Methods

SMS OTP: One-time codes sent via text message. Vulnerable to SIM-swapping attacks where attackers convince mobile carriers to transfer a victim's number. Also vulnerable to SS7 protocol attacks.

Email OTP: Codes sent to email. If the email account is compromised, MFA provides no protection.

TOTP apps (basic): Time-based one-time-code apps such as Google Authenticator. Better than SMS, but still vulnerable to real-time phishing — a proxy site can relay the code to the real service before it expires, because nothing in the code ties it to the site the user typed it into.

✓ Stronger MFA Methods

FIDO2/WebAuthn hardware keys: Physical security keys (YubiKey, etc.) that use public-key cryptography. Phishing-resistant by design — the credential is bound to the website it was registered with, and the browser includes the site's origin in the data the key signs, so a look-alike site cannot obtain a usable response.

Passkeys: Credentials stored on the user's device and unlocked with biometrics or a device PIN. The emerging standard for passwordless — supported by Apple, Google, Microsoft. Phishing-resistant and highly usable.

Certificate-based authentication: Smart cards and certificate-based auth used heavily in government and defence. Extremely strong but complex to deploy.

Hardware security keys implementing FIDO2 provide phishing-resistant authentication — the highest standard available today

The Passwordless Future: Passkeys and FIDO2

Passwordless authentication eliminates the password entirely — replacing it with a cryptographic credential that is bound to a specific device and verified with biometrics (fingerprint or face) or a PIN. The credential itself never leaves the device, so there is nothing to phish, steal from a database, or crack.

Passkeys — the consumer-friendly implementation of FIDO2 — are now supported across iOS, Android, Windows, macOS, and major browsers. Services including Google, Apple, Microsoft, PayPal, and GitHub support passkey login. Adoption is accelerating rapidly and passwordless is increasingly the default for new systems.

MFA Under Australia's Essential Eight

The Essential Eight Maturity Model categorises MFA requirements across three levels. At Maturity Level One, MFA is required for internet-facing services such as VPNs, email, and cloud applications. At Maturity Level Two, MFA must use phishing-resistant methods for privileged access. At Maturity Level Three, phishing-resistant MFA is required for all users across all systems.

Australian government agencies are required to achieve at least Maturity Level Two by government mandate. Private sector organisations in regulated industries face similar expectations from their regulators. Understanding the Essential Eight MFA requirements is essential for any cybersecurity professional working in Australia.

✓ MFA Deployment Priority Order
  • Privileged accounts first: Admin, IT, finance, and C-suite accounts are the highest-value targets — deploy strong MFA here before anywhere else
  • Internet-facing services: VPN, email, Microsoft 365/Google Workspace, remote desktop, and cloud console access
  • All staff accounts: Extend MFA to every user account in the organisation, prioritising by data access level
  • Replace SMS with authenticator apps: Migrate away from SMS-based OTP to TOTP apps as a minimum improvement
  • Deploy phishing-resistant MFA: Implement FIDO2/hardware keys for privileged access to achieve Essential Eight Maturity Level Two
  • Plan for passkeys: Begin evaluating passkey support in your identity providers and user-facing applications for the passwordless transition
SISTMR Editorial Team
Cybersecurity Researchers · SISTMR Australia

Our certified professionals produce practical, expert-reviewed cybersecurity content for students and practitioners across Australia.