Phishing-Resistant MFA: What It Means and Why Essential Eight ML2 Demands It
SMS codes and authenticator apps no longer meet Essential Eight Maturity Level 2. Here's what phishing-resistant MFA actually is, which methods qualify, and how to roll it out with FIDO2 security keys, Windows Hello for Business, or passkeys.
Your MFA is on. Every account has it. You checked the box on the insurer's questionnaire. So why is your assessor telling you it doesn't meet Maturity Level 2?
Because the rules changed. In November 2023, the ASD updated the Essential Eight maturity model and rewrote the MFA requirements. The big shift: ML2 now requires phishing-resistant MFA. Not "any MFA." Not authenticator apps. Not push notifications. Phishing-resistant specifically.
For most Australian businesses, this is the single most disruptive change in the entire update. The MFA you deployed two years ago probably doesn't qualify anymore.
Here's what changed, what counts, and how to fix it.
What "Phishing-Resistant" Actually Means
Start with the problem it solves.
Traditional MFA methods (SMS codes, TOTP apps, push notifications) all share the same weakness: the second factor is a secret or an approval that the user hands over through whatever web page they happen to be on, and nothing in the method checks which site is asking. A code, a tap, an approval. If an attacker can trick the user into supplying that factor on a fake site, the attacker gets in.
This is called an adversary-in-the-middle (AitM) attack. It works like this:
How an Adversary-in-the-Middle Attack Bypasses MFA
The attacker stands up a reverse proxy in front of the real login page and relays everything in real time. The user sees a pixel-perfect copy of the real site, enters their password, completes MFA, and the real identity provider issues a session cookie, which the proxy captures. MFA was never bypassed. It was completed, just not for the right person, and the attacker now holds a valid session that needs no further MFA until it expires.
Phishing-resistant MFA stops this because the proof is cryptographically bound to the origin. With FIDO2/WebAuthn the browser, not the web page, writes the origin it is talking to into the data the security key signs, and the server rejects any assertion minted for a different origin. The proxy lives on its own domain, so the assertion it relays is signed for the wrong origin, and it cannot forge one for the right origin because the private key never leaves the user's device. The user can click the link, type their PIN and touch the key, and the attacker still gets nothing usable.
That's the difference. Traditional MFA protects against stolen passwords. Phishing-resistant MFA protects against stolen passwords and real-time relay attacks.
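To make the origin binding concrete, here is an added example (not code from the original post) that simulates the three parties in a WebAuthn login: the browser building `clientDataJSON`, the security key signing, and the relying party verifying. The relying-party ID, origin and phishing domain are assumptions. A real key signs with an ES256 private key and the server checks with the stored public key; to keep this runnable on the standard library alone, an HMAC key stands in for that key pair, which does not change the checks the server performs.

```python
"""Added example: the relying-party checks that make a FIDO2/WebAuthn
assertion unusable when it is relayed through an adversary-in-the-middle proxy.

Everything here is constructed for illustration. A real security key signs
with an ES256 (P-256 ECDSA) private key that never leaves the device; this
example uses an HMAC key as a stand-in so it runs on the standard library
alone. The relying-party ID, origin and phishing domain are assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"                            # assumed relying-party ID
RP_ORIGIN = "https://login.example.com"                # assumed expected origin
PHISH_ORIGIN = "https://login.example.com.evil.test"   # assumed AitM proxy domain

# Stand-in for the private key inside the security key (HMAC, not ECDSA).
AUTHENTICATOR_KEY = secrets.token_bytes(32)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_get_assertion(origin: str, rp_id: str, challenge: bytes) -> dict:
    """Simulate navigator.credentials.get() in the user's browser.

    The browser, not the page's JavaScript, writes the origin into
    clientDataJSON and refuses any rpId that is not the origin's host or a
    registrable suffix of it. The authenticator only ever sees the RP ID and
    the hash of clientDataJSON, and signs authenticatorData || that hash.
    """
    host = origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"SecurityError: rpId {rp_id!r} is not valid for origin {origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin},
        separators=(",", ":"),
    ).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = b"\x01"  # UP bit: user presence verified (the touch)
    auth_data = rp_id_hash + flags + (1).to_bytes(4, "big")  # + signature counter
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(AUTHENTICATOR_KEY, to_sign, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def verify_assertion(assertion: dict, expected_challenge: bytes) -> tuple[bool, str]:
    """Server-side verification, following the order in WebAuthn section 7.2."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if client_data.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(AUTHENTICATOR_KEY, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "signature invalid"
    return True, "ok"


def legitimate_login() -> tuple[bool, str]:
    challenge = secrets.token_bytes(32)
    return verify_assertion(browser_get_assertion(RP_ORIGIN, RP_ID, challenge), challenge)


def relayed_login() -> tuple[bool, str]:
    """The proxy fetches a real challenge and relays it to the victim's browser,
    which is on the phishing origin. Asking for the real rpId is refused by the
    browser; asking for the proxy's own rpId yields an assertion for the wrong site."""
    challenge = secrets.token_bytes(32)
    try:
        assertion = browser_get_assertion(PHISH_ORIGIN, RP_ID, challenge)
    except ValueError:
        assertion = browser_get_assertion(PHISH_ORIGIN, "evil.test", challenge)
    return verify_assertion(assertion, challenge)


def tampered_login() -> tuple[bool, str]:
    """The proxy rewrites origin and rpIdHash to the real values before forwarding.
    Both are covered by the signature, which the proxy cannot recompute."""
    challenge = secrets.token_bytes(32)
    assertion = browser_get_assertion(PHISH_ORIGIN, "evil.test", challenge)
    patched = json.loads(assertion["clientDataJSON"])
    patched["origin"] = RP_ORIGIN
    assertion["clientDataJSON"] = json.dumps(patched, separators=(",", ":")).encode()
    assertion["authenticatorData"] = (
        hashlib.sha256(RP_ID.encode()).digest() + assertion["authenticatorData"][32:]
    )
    return verify_assertion(assertion, challenge)


if __name__ == "__main__":
    attempts = [("legitimate", legitimate_login),
                ("relayed through proxy", relayed_login),
                ("relayed and tampered", tampered_login)]
    for name, attempt in attempts:
        print(f"{name:22s} -> {attempt()}")
```

Run it and the legitimate login verifies, the relayed one fails on the origin check, and the tampered one fails on the signature. Contrast that with a TOTP code: the server has no way to tell a code typed into the proxy from a code typed into the real page.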
What Counts as Phishing-Resistant (and What Doesn't)
The ASD's wording is straightforward: "Multi-factor authentication used for authenticating users of systems is phishing-resistant." But they don't list specific products. So here's how it maps to real-world options.
Methods That ARE Phishing-Resistant
FIDO2 security keys. Physical hardware tokens (YubiKey, Feitian, Token2) that use public key cryptography. The private key never leaves the device. Authentication is bound to the domain, so phishing proxies can't intercept it. This is the gold standard.
Windows Hello for Business. Uses the TPM built into the laptop or desktop to hold a per-device key pair. The user unlocks it with a biometric (face or fingerprint) or a PIN, and the private key never leaves the TPM. No extra hardware if your devices have TPM 2.0. In a cloud-managed (Entra-joined) fleet you deploy it through Intune; Group Policy also works for hybrid-joined devices.
Passkeys (device-bound). The consumer-friendly evolution of FIDO2. Same cryptographic foundation and the same origin binding. Supported by Entra ID as of 2024 (device-bound passkeys in Microsoft Authenticator). Device-bound passkeys (stored in the device's TPM or secure element) are the uncontroversial option. Synced passkeys (backed up to an iCloud or Google account) are still origin-bound, so they resist AitM relay just the same; the enterprise debate is about whether a credential that can be copied to other devices still counts as hardware-bound "something you have", and about losing attestation of which device holds it. For ML2 evidence, stick to device-bound.
Certificate-based authentication (smart cards). The oldest phishing-resistant method. Common in government and defence. Higher management overhead than FIDO2.
Methods That Are NOT Phishing-Resistant
SMS codes. Not phishing-resistant. Also no longer meets ML1 (SMS doesn't satisfy the "something you have" requirement since SIMs can be swapped and ported).
Voice calls. Same problem as SMS. Interceptable. Not phishing-resistant.
TOTP authenticator apps. The six-digit codes from apps like Microsoft Authenticator or Google Authenticator. These meet ML1 but not ML2. The code can be typed into a phishing proxy just like a password, and the proxy forwards it before it expires.
Push notifications (even with number matching). This is the one that catches people. Number matching adds friction, but it doesn't add cryptographic domain binding. The proxy relays the user's password to the real identity provider, the provider sends the push and the number, the proxy shows that number on the fake page, and the user approves it on their phone. Meets ML1. Does not meet ML2.
This is the most common misconception. Many businesses deployed number matching in 2023-2024 thinking it was phishing-resistant. It's a meaningful improvement over basic push (it stops fatigue attacks), but it doesn't cryptographically bind to the domain. Under Essential Eight ML2, it doesn't qualify.
MFA Methods Compared: What Meets Which Maturity Level
| Method | Phishing-resistant? | Maturity level | Notes |
|---|---|---|---|
| FIDO2 security key (YubiKey, etc.) | Yes | ML2+ | Gold standard; works across devices |
| Windows Hello for Business | Yes | ML2+ | Free with TPM 2.0 hardware; device-bound |
| Device-bound passkeys | Yes | ML2+ | Emerging option in Entra ID |
| Smart cards / certificate-based authentication | Yes | ML2+ | Government/defence standard; higher overhead |
| Authenticator app (TOTP) | No | ML1 only | Code can be typed into a phishing proxy |
| Push notification (no number match) | No | ML1 only | Also vulnerable to fatigue attacks |
| Push notification (with number match) | No | ML1 only | Stops fatigue attacks, not relay |
| SMS / voice call | No | None | Interceptable; not "something you have" |
Essential Eight MFA Requirements by Maturity Level
The November 2023 update restructured MFA requirements across all three levels. Here's what each requires.
Maturity Level 1: MFA must use "something users have" and "something users know" (or something users have that is unlocked by something they know or are). Authenticator apps (TOTP), push notifications with or without number matching, and all of the phishing-resistant methods above qualify. SMS and voice codes do not. The emphasis is on real two-factor authentication, not a password plus a security question.
Maturity Level 2: "Multi-factor authentication used for authenticating users of systems is phishing-resistant." That means FIDO2 security keys, Windows Hello for Business, device-bound passkeys, or certificate-based authentication. Note the scope: the ML2 control is about users of systems (workstations, servers, network devices), so users must authenticate to their workstations with phishing-resistant MFA. Customers of online customer services must at least be offered a phishing-resistant option. All successful and unsuccessful MFA events must be centrally logged.
Maturity Level 3: The phishing-resistant requirement extends from users of systems to users of online services and data repositories, and customers of online customer services must use it rather than merely be offered it. MFA event logs must also be protected from unauthorised modification and deletion and monitored for signs of compromise. In practice, if you build to ML2 with Windows Hello for Business or FIDO2 keys through Entra ID, the same credential already covers the cloud sign-ins ML3 asks about.
The jump from ML1 to ML2 is the biggest shift. It's not just "better MFA." It's a fundamentally different technology.
For a full breakdown of all eight controls across maturity levels, see the Essential Eight Maturity Levels guide.
How to Roll It Out
The good news: if you're running Entra ID (which most Australian M365 businesses are), the tooling exists. The challenge is planning and sequencing.
Phishing-Resistant MFA Rollout
Key Implementation Details
Conditional Access authentication strengths. Entra ID has a built-in "Phishing-resistant MFA" authentication strength. You don't need to build a custom one. Create a Conditional Access policy, set the grant control to "Require authentication strength," and select the phishing-resistant option. Any sign-in that satisfies MFA with a non-qualifying method is then blocked, regardless of what else the user has registered. Run the policy in report-only mode first: the sign-in logs will show who would have been blocked, which is your rollout to-do list.
Start with privileged accounts. Admin accounts are the highest-value target. Roll out phishing-resistant MFA to Global Administrators, security admins, and any account with elevated privileges first. MFA for privileged users of systems is itself an explicit ML2 control, and these are the accounts an AitM kit is aimed at.
Windows Hello for Business via Intune. If your devices have TPM 2.0 (most business hardware from 2018 onwards does, and Windows 11 requires it), you can deploy Windows Hello for Business through Intune policies at no extra hardware cost. Users enrol with a biometric or PIN backed by the TPM. Check your fleet with the Get-Tpm PowerShell command (TpmPresent and TpmReady); the TPM specification version comes from the SpecVersion property of the Win32_Tpm WMI class, so a TPM 1.2 device does not get mistaken for 2.0.
FIDO2 security keys for shared devices and remote workers. Windows Hello is device-bound, which means it only works on the enrolled device. For shared workstations, kiosks, or staff who move between devices, FIDO2 security keys are the better option. Order two keys per user (one primary, one backup stored securely).
Break-glass accounts. Always exclude at least one emergency access account from your Conditional Access policy. If every admin gets locked out because keys are lost or Windows Hello fails, you need a way back in. Store the break-glass credentials in a physical safe, not a password manager that requires the MFA you just locked everyone out of.
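The four points above are easy to get subtly wrong in the portal, so here is an added example (not from the original post) that lints an export of Conditional Access policies for them: wrong grant control, report-only state, missing break-glass exclusion, narrow app scope, and whether any enforced policy actually covers Global Administrators and all users. The three policies are constructed, shaped like the objects returned by `GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies`. The break-glass object id is an assumption; the two GUID constants are Microsoft's documented built-in "Phishing-resistant MFA" strength id and Global Administrator role template id, which you should confirm against your own tenant before relying on them.

```python
"""Added example: lint exported Conditional Access policies for the pitfalls
named in the rollout section. Policies are constructed; GUIDs are Microsoft's
documented built-ins (confirm in your tenant); the break-glass id is assumed.
"""

PHISHING_RESISTANT_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"
BREAK_GLASS_IDS = {"1b7a4a7e-6f52-4d0e-9b5e-0c3f1d2a9e11"}  # assumed object id


def _policy(name, state, include_users=(), include_roles=(), exclude_users=(),
            apps=("All",), strength=True, builtin=()):
    """Build a policy object in the Graph API shape (constructed test data)."""
    strength_obj = ({"id": PHISHING_RESISTANT_STRENGTH_ID, "displayName": "Phishing-resistant MFA"}
                    if strength else None)
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": list(include_users), "excludeUsers": list(exclude_users),
                      "includeRoles": list(include_roles), "excludeRoles": []},
            "applications": {"includeApplications": list(apps)},
        },
        "grantControls": {"operator": "OR", "builtInControls": list(builtin),
                          "authenticationStrength": strength_obj},
    }


EXPORTED_POLICIES = [
    _policy("Admins - phishing-resistant MFA", "enabled",
            include_roles=[GLOBAL_ADMIN_ROLE_ID], exclude_users=BREAK_GLASS_IDS),
    _policy("All users - require MFA", "enabled", include_users=["All"],
            exclude_users=BREAK_GLASS_IDS, strength=False, builtin=["mfa"]),
    _policy("All users - phishing-resistant MFA (pilot)", "enabledForReportingButNotEnforced",
            include_users=["All"], apps=["Office365"]),
]


def _users(policy: dict) -> dict:
    return policy.get("conditions", {}).get("users", {})


def _strength_id(policy: dict):
    grant = policy.get("grantControls") or {}
    return (grant.get("authenticationStrength") or {}).get("id")


def lint_policy(policy: dict, break_glass_ids: set) -> list:
    """Human-readable findings for one policy; an empty list means it looks right."""
    findings = []
    grant = policy.get("grantControls") or {}
    builtin = grant.get("builtInControls") or []
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}: nothing is enforced")
    if _strength_id(policy) != PHISHING_RESISTANT_STRENGTH_ID:
        if "mfa" in builtin:
            findings.append("grant control is 'Require MFA': SMS, TOTP and push all satisfy it")
        else:
            findings.append("grant control does not require the phishing-resistant authentication strength")
    elif grant.get("operator") == "OR" and builtin:
        findings.append("strength is OR-ed with other grant controls: the weakest one wins")
    missing = set(break_glass_ids) - set(_users(policy).get("excludeUsers", []))
    if missing:
        findings.append(f"break-glass account(s) not excluded: {sorted(missing)}")
    apps = policy.get("conditions", {}).get("applications", {}).get("includeApplications", [])
    if apps != ["All"]:
        findings.append(f"scoped to {apps}: every other app stays on weaker MFA")
    return findings


def lint_tenant(policies: list, break_glass_ids: set) -> dict:
    """Per-policy findings, plus tenant-wide coverage gaps under the key '_tenant'."""
    report = {p["displayName"]: lint_policy(p, break_glass_ids) for p in policies}
    enforced = [p for p in policies
                if p.get("state") == "enabled" and _strength_id(p) == PHISHING_RESISTANT_STRENGTH_ID]
    gaps = []
    if not any(GLOBAL_ADMIN_ROLE_ID in _users(p).get("includeRoles", [])
               or "All" in _users(p).get("includeUsers", []) for p in enforced):
        gaps.append("no enforced policy requires phishing-resistant MFA for Global Administrators")
    if not any("All" in _users(p).get("includeUsers", []) for p in enforced):
        gaps.append("no enforced policy requires phishing-resistant MFA for all users")
    report["_tenant"] = gaps
    return report


if __name__ == "__main__":
    for name, findings in lint_tenant(EXPORTED_POLICIES, BREAK_GLASS_IDS).items():
        print(name if findings else f"{name}: no findings")
        for finding in findings:
            print(f"  - {finding}")
```

Against the constructed export, the admin policy passes, the "require MFA" policy is flagged because any registered method satisfies it, and the pilot policy collects three findings (report-only, no break-glass exclusion, scoped to one app); the tenant summary then points out that nobody outside the admin roles is on an enforced phishing-resistant policy yet. Feed it your real export and the findings are the rollout checklist.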
The Cost Breakdown
Cost of Phishing-Resistant MFA (50-Person Business)
| Consideration | Windows Hello for Business | FIDO2 Security Keys |
|---|---|---|
| Hardware cost | $0 (if TPM 2.0 present) | $5,000-$10,000 (2 keys per user at $50-$100 each) |
| Entra ID licence required | P1 (included in Business Premium) | P1 (included in Business Premium) |
| Intune required | Yes in practice (included in Business Premium; Group Policy also works for hybrid-joined devices) | No (but recommended for policy management) |
| Works on shared devices | No (device-bound) | Yes |
| Works for remote staff | Only on enrolled device | Yes, any device with USB or NFC |
| User training effort | Low (familiar biometric flow) | Medium (new physical token workflow) |
| Backup/recovery plan | Temporary Access Pass or backup key | Second registered key per user |
Security key pricing in Australia: A YubiKey 5 NFC (USB-A + NFC) runs about $90-$100 AUD from local retailers like Scorptec or Trust Panda. The YubiKey 5C NFC (USB-C + NFC) is slightly more. Budget two keys per person: one to carry, one stored as backup.
The cheapest path: For a business where everyone has their own laptop with TPM 2.0, Windows Hello for Business is effectively free. You're already paying for Business Premium (which includes Entra ID P1 and Intune). The only cost is the IT time to configure and deploy it.
The practical path for most: A mix. Windows Hello for staff on assigned devices. FIDO2 keys for admins, shared devices, and anyone who works across multiple machines.
Common Mistakes
Thinking Authenticator app push is phishing-resistant
The most widespread mistake. Many businesses deployed Microsoft Authenticator with number matching in 2023-2024 and assumed they met ML2. Number matching is better than basic push, but it doesn't satisfy the phishing-resistant requirement. You need to add FIDO2 keys or Windows Hello for Business on top of what you have, and then enforce them through Conditional Access so the weaker methods stop being accepted.
Starting with regular users instead of admins
Admins should be the first group on phishing-resistant MFA, not the last. They have the most access and are the highest-value target, and MFA for privileged users of systems is itself an explicit ML2 control.
No fallback plan
What happens when someone loses their security key? Or their laptop TPM fails? Without a backup method or process, you're choosing between security and productivity. Register two FIDO2 keys per user. Configure Temporary Access Pass in Entra ID as a time-limited recovery method. Document the process before you need it.
Forgetting workstation sign-in
The ML2 control text is specifically about users of systems, and the workstation sign-in is the system users touch first. Windows Hello for Business covers this natively. If you're using FIDO2 keys for cloud apps but still signing into Windows with a password, you have a gap; on Entra-joined devices the same FIDO2 keys can be enabled for Windows sign-in, so you don't need Windows Hello for Business to close it.
Not logging MFA events
ML2 requires all successful and unsuccessful MFA events to be centrally logged, and the logs should be protected from modification and deletion (an explicit requirement at ML3). If you're enforcing phishing-resistant MFA but not collecting the logs, you're not compliant. Entra ID sign-in logs record which method satisfied each step, but the portal keeps them for a limited time, so they need to be exported to a central log store (Log Analytics or a SIEM) where retention and integrity are under your control.
The Insurance Angle
Cyber insurers don't use the term "Essential Eight" on their questionnaires (usually). But they're asking the same questions.
"Do you require multi-factor authentication for all remote access?" Yes. "Is your MFA resistant to phishing attacks?" This is the question that trips people up. If you're using push notifications, the honest answer is no.
Insurers who ask for evidence before quoting (screenshots of Conditional Access policies, or an assessment with read access to your tenant) will see exactly which methods your policies allow. If Conditional Access still grants on "Require MFA" rather than the phishing-resistant authentication strength, that shows up. If you claimed phishing-resistant MFA on the application and your tenant says otherwise, that's a problem at claims time.
Getting phishing-resistant MFA right doesn't just tick the Essential Eight box. It directly strengthens your insurance posture. For more on how Essential Eight maps to cyber insurance requirements, see the full insurance guide.
Do You Need Phishing-Resistant MFA Right Now?
If you are targeting Essential Eight Maturity Level 2, yes: TOTP and push, with or without number matching, top out at ML1. If ML1 is your target for now, they still qualify, but anything you buy or configure from here should be on the ML2 path so you don't pay twice.
Where to Start
Three things you can do this week:
- Check your current MFA methods. Pull the Entra ID sign-in logs and look at what authentication methods are actually being used. You might be surprised how many accounts are still on SMS or basic push.
- Check your hardware. Run Get-Tpm on a sample of devices. If TPM 2.0 is present (it will be on most hardware from 2018+), Windows Hello for Business is your lowest-cost path to compliance.
- Start with admins. Even before you roll out to all users, get your admin accounts on FIDO2 keys or Windows Hello. This covers the highest-risk accounts first and gives your IT team hands-on experience before the wider rollout.
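For the first of those three steps, here is an added example (not from the original post) of the triage you would run over an export of Entra ID sign-in records: per user, how many sign-ins used a phishing-resistant method, how many used a weaker one and which, how many were password-only, and how many MFA steps failed. The six records are constructed. Their shape follows the Graph `signIn` resource (`userPrincipalName`, `status.errorCode`, `authenticationDetails[].authenticationMethod` and `.succeeded`); the method-name strings in the two sets are assumptions based on what sign-in logs commonly show, so adjust them to the exact strings your tenant emits, and anything unrecognised is reported rather than silently ignored.

```python
"""Added example: triage exported Entra ID sign-in records to see which MFA
methods each user actually relies on. Records are constructed; the method
name strings are assumptions to be adjusted to your tenant's exact values.
"""
import json

PHISHING_RESISTANT = {"FIDO2 security key", "Windows Hello for Business",
                      "Passkey (device-bound)", "Certificate-based authentication"}
WEAK_MFA = {"Text message", "Voice call", "Mobile app notification",
            "OATH verification code", "Mobile app code"}

# Constructed JSON-lines export (six sign-ins, four users, one failed key touch).
SAMPLE_SIGNIN_LOG = """
{"createdDateTime":"2025-03-03T08:01:12Z","userPrincipalName":"alice@example.com","status":{"errorCode":0},"authenticationDetails":[{"authenticationMethod":"FIDO2 security key","succeeded":true}]}
{"createdDateTime":"2025-03-03T08:04:40Z","userPrincipalName":"bob@example.com","status":{"errorCode":0},"authenticationDetails":[{"authenticationMethod":"Password","succeeded":true},{"authenticationMethod":"Text message","succeeded":true}]}
{"createdDateTime":"2025-03-03T08:09:03Z","userPrincipalName":"carol@example.com","status":{"errorCode":0},"authenticationDetails":[{"authenticationMethod":"Password","succeeded":true},{"authenticationMethod":"Mobile app notification","succeeded":true}]}
{"createdDateTime":"2025-03-03T08:15:27Z","userPrincipalName":"dave@example.com","status":{"errorCode":0},"authenticationDetails":[{"authenticationMethod":"Password","succeeded":true}]}
{"createdDateTime":"2025-03-03T09:30:55Z","userPrincipalName":"alice@example.com","status":{"errorCode":500121},"authenticationDetails":[{"authenticationMethod":"FIDO2 security key","succeeded":false}]}
{"createdDateTime":"2025-03-03T11:02:19Z","userPrincipalName":"bob@example.com","status":{"errorCode":0},"authenticationDetails":[{"authenticationMethod":"Windows Hello for Business","succeeded":true}]}
"""


def _new_user() -> dict:
    return {"phishing_resistant_signins": 0, "weak_mfa_signins": 0,
            "single_factor_signins": 0, "failed_mfa_steps": 0,
            "weak_methods": set(), "unclassified_methods": set()}


def triage(jsonl: str) -> dict:
    """Summarise each user's sign-ins by the strongest factor that succeeded."""
    users = {}
    for line in jsonl.strip().splitlines():
        rec = json.loads(line)
        u = users.setdefault(rec["userPrincipalName"], _new_user())
        # Everything after the password step is an MFA step.
        steps = [s for s in rec.get("authenticationDetails", [])
                 if s.get("authenticationMethod") != "Password"]
        u["failed_mfa_steps"] += sum(1 for s in steps if not s.get("succeeded"))
        succeeded = {s["authenticationMethod"] for s in steps if s.get("succeeded")}
        if succeeded & PHISHING_RESISTANT:
            u["phishing_resistant_signins"] += 1
        elif succeeded & WEAK_MFA:
            u["weak_mfa_signins"] += 1
            u["weak_methods"] |= succeeded & WEAK_MFA
        elif succeeded:
            u["unclassified_methods"] |= succeeded  # a string not in either set
        elif rec.get("status", {}).get("errorCode", 0) == 0:
            u["single_factor_signins"] += 1  # password only, and the sign-in succeeded
    return users


def needs_attention(users: dict) -> list:
    """Users who got in with a weak, unknown or single factor: the ML2 gap list."""
    return sorted(upn for upn, u in users.items()
                  if u["weak_mfa_signins"] or u["single_factor_signins"]
                  or u["unclassified_methods"])


if __name__ == "__main__":
    summary = triage(SAMPLE_SIGNIN_LOG)
    for upn, u in sorted(summary.items()):
        print(upn, {k: (sorted(v) if isinstance(v, set) else v) for k, v in u.items()})
    print("needs attention:", needs_attention(summary))
```

On the sample, alice is clean (one failed key touch is logged, which is exactly the unsuccessful event ML2 wants captured), bob mixes Windows Hello with SMS, carol is on push, and dave is signing in with a password alone. Those last three are the accounts to move before the Conditional Access policy is switched from report-only to enforced.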
For a broader view of where your organisation sits across all eight controls, the Essential Eight overview covers the full framework.
The Innitor compliance scorecard includes MFA questions mapped to Essential Eight maturity levels. Five minutes, no email required. If you're relying on SMS or push notifications and aiming for ML2, the scorecard will flag it.
Robbie Cronin
Fractional CTO helping non-technical founders make better technical decisions. Based in Melbourne.