IronSights
MFA Implementation for Essential Eight: What Each Maturity Level Actually Requires

Multi-factor authentication is Essential Eight control number six. But what each maturity level requires — and how phishing-resistant MFA differs from standard MFA — is more nuanced than most guides explain.

By Ryan Balloot, Managing Director · 11 May 2023 · 2 min read

Multi-factor authentication is the most impactful single control in the Essential Eight. It is also the control where the gap between "we have MFA" and "we actually meet the maturity level" is most often misunderstood.

Maturity Level One

MFA is required for users accessing internet-facing services that process, store, or communicate sensitive data. This includes webmail, cloud storage, remote access, and financial systems. Standard MFA — authenticator app, SMS, or hardware token — satisfies Level One.

Maturity Level Two

MFA is required for all users accessing all internet-facing services, not just those handling sensitive data. Privileged users must use phishing-resistant MFA. The distinction matters: SMS and email-based MFA are not phishing-resistant because they can be intercepted through SIM swapping or real-time phishing attacks.

Maturity Level Three

All users — not just privileged accounts — must use phishing-resistant MFA. FIDO2 hardware keys or Windows Hello for Business are the most common implementations. This eliminates the credential phishing risk entirely for covered access points.

What Phishing-Resistant MFA Means

Standard TOTP codes (the six-digit numbers from an authenticator app) can be phished. An attacker creates a fake login page, captures the code entered by the victim, and uses it in real time before it expires. Phishing-resistant MFA uses cryptographic binding between the authentication factor and the specific website — a key generated for one domain cannot be used on another.
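To make the "cryptographic binding to a website" concrete, here is an added example (not code from the original article, and not Microsoft's or any vendor's implementation) that puts a minimal TOTP check beside a WebAuthn-style assertion check. The relying-party name login.example.com, the lookalike login-example.co, the challenge string and the secrets are all constructed for the demo. The authenticator signature is modelled with an HMAC as a stand-in for the ECDSA/EdDSA signature a real security key produces; what matters for the point is which bytes get signed: in WebAuthn the signed data includes a hash of the RP ID and the client data, and the client data carries the origin the browser itself observed.

```python
"""TOTP versus origin-bound assertion: why one can be relayed and the other cannot.
Constructed example; secrets, hostnames and challenge are made up for the demo."""
import hashlib
import hmac
import json
import struct

# --- TOTP (RFC 6238): the six-digit code carries no information about where it was typed ---

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    # The service sees only the digits; it cannot tell which page the user typed them into,
    # so a code captured on a lookalike page is accepted as readily as a genuine one.
    return hmac.compare_digest(totp(secret, unix_time), code)

# --- WebAuthn-style assertion: the signed bytes name both the RP ID and the origin ---

def make_assertion(cred_secret: bytes, rp_id: str, origin: str, challenge: str) -> dict:
    # The browser, not the user, fills in origin and RP ID, so a page on another
    # domain cannot claim to be the genuine one. (Real authenticators additionally
    # scope the credential to the RP ID, so a lookalike could not invoke it at all;
    # this model reuses one secret purely to show the server-side check.)
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
    ).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    auth_data = rp_id_hash + b"\x01" + b"\x00\x00\x00\x00"  # rpIdHash | flags (UP set) | signCount
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_secret, signed, hashlib.sha256).digest()  # stand-in for the key's signature
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}

def verify_assertion(cred_secret: bytes, assertion: dict,
                     expected_rp_id: str, expected_origin: str, expected_challenge: str) -> bool:
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != expected_origin:          # origin check: rejects relayed logins
        return False
    auth_data = assertion["auth_data"]
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():  # rpIdHash check
        return False
    signed = auth_data + hashlib.sha256(assertion["client_data"]).digest()
    expected_sig = hmac.new(cred_secret, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["sig"])

def demo() -> dict:
    now = 1_700_000_000
    totp_secret = b"constructed-totp-seed"
    cred_secret = b"constructed-credential-secret"
    # A TOTP code entered on a lookalike page is the same string the real site expects.
    code_typed_on_lookalike = totp(totp_secret, now)
    # The same challenge, answered on the genuine origin and on a lookalike origin.
    challenge = "c2VydmVyLWNoYWxsZW5nZQ"
    genuine = make_assertion(cred_secret, "login.example.com", "https://login.example.com", challenge)
    relayed = make_assertion(cred_secret, "login-example.co", "https://login-example.co", challenge)
    rp, origin = "login.example.com", "https://login.example.com"
    return {
        "totp_accepted_regardless_of_origin": verify_totp(totp_secret, code_typed_on_lookalike, now),
        "genuine_assertion_accepted": verify_assertion(cred_secret, genuine, rp, origin, challenge),
        "relayed_assertion_accepted": verify_assertion(cred_secret, relayed, rp, origin, challenge),
    }

if __name__ == "__main__":
    print(demo())
```

The two rejections in `verify_assertion` (origin mismatch and rpIdHash mismatch) are the binding the article refers to: the relying party only accepts a response whose signed contents name its own domain, so a response minted for any other domain fails regardless of how quickly it is forwarded. When auditing a Microsoft 365 or other tenant against Maturity Level Two and Three, the question to ask of each enabled method is whether the server performs an equivalent check; a method that only verifies a user-typed code does not.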

Implementation in Microsoft 365

Microsoft supports FIDO2 security keys, Windows Hello for Business, and certificate-based authentication — all of which meet the phishing-resistant requirement. Number matching and additional context in the Microsoft Authenticator app raise the bar but do not technically meet the phishing-resistant threshold at higher maturity levels.

Does SMS MFA meet Essential Eight requirements?

SMS MFA satisfies Maturity Level One for standard users. It does not satisfy Maturity Level Two requirements for privileged users and does not meet Maturity Level Three for any users. The ASD explicitly rates SMS as a lower-assurance method and recommends moving away from it for any sensitive access.
