Top 7 Phishing-Resistant MFA Solutions for Essential Eight Compliance

If you are an IT Manager in Australia relying on SMS text messages or basic authenticator apps to protect your network, you are sitting on a compliance time bomb.

Under the Australian Signals Directorate’s (ASD) latest Essential Eight Maturity Model, the Multi-Factor Authentication mitigation strategy (usually listed as #4) has undergone a significant shift. The government has formally acknowledged what attackers have exploited for years: one-time-code and simple push MFA can be relayed straight through a phishing proxy.

To achieve Maturity Level 2 or 3, you can no longer rely on SMS codes or simple “Tap to Approve” push notifications. You must implement Phishing-Resistant MFA.

This mandate has sent Australian businesses scrambling to upgrade their identity architecture. Here is the brutally honest breakdown of the top 7 phishing-resistant MFA platforms that can satisfy the requirement without driving your employees crazy.

(Note: Identity protection is only one part of the Zero Trust puzzle. Ensure you also lock down your endpoints by checking out our guide on the Top 7 Application Control Software for Essential Eight Compliance).

What Makes MFA “Phishing-Resistant”? (The NIST Standard)

Before buying software, you need to understand the technical definition. The ACSC (now part of ASD) aligns its use of “phishing-resistant” with NIST SP 800-63B, which calls the property “verifier impersonation resistance”: the authenticator’s output is cryptographically bound to the session and to the identity of the site being logged into, so an impostor site cannot replay it to the real one.

Older MFA methods are vulnerable to Adversary-in-the-Middle (AitM) phishing: the attacker sends a link to a fake Microsoft 365 login page that is really a reverse proxy sitting in front of the genuine one. The employee types in their password and the 6-digit authenticator code they just generated (or approves a push prompt). The proxy relays each value to the real Microsoft site in real time and captures the resulting session cookie, so the attacker is logged in as the employee. Off-the-shelf phishing-proxy toolkits automate the whole exchange.

Phishing-Resistant MFA solves this with public-key cryptography (FIDO2/WebAuthn, and the smart-card/PIV certificates it grew out of). A FIDO2 credential is bound to the relying party’s web origin: the browser only lets the authenticator respond for a Relying Party ID that matches the site the user is actually on, and the signed response embeds that origin, so the real service can tell that it did not come from its own login page. A proxy on a look-alike domain therefore never obtains a usable assertion and has no code or approval to relay. What remains exposed is the session cookie issued after a successful login, which is why phishing-resistant MFA should be paired with short token lifetimes and device-bound sessions where the platform supports them.
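The following script is an added example (not code from the page or from any vendor) that models the relying-party checks which give WebAuthn its phishing resistance: the browser’s RP ID rule, and the server’s checks on challenge, origin and rpIdHash. The relying party login.example.com, the attacker domains and the credential key are all constructed, and an HMAC stands in for the authenticator’s ECDSA signature so the script runs with only the Python standard library.

```python
"""Why a FIDO2/WebAuthn assertion cannot be relayed by an AitM proxy.

Added example. HMAC replaces the authenticator's ECDSA signature so that only
the standard library is needed; the origin and RP ID binding being shown is
the same as in the real protocol.
"""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

RP_ID = "login.example.com"              # assumed relying-party ID
RP_ORIGIN = "https://login.example.com"  # the only origin the RP accepts


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def rp_id_allowed(rp_id: str, origin: str) -> bool:
    """Browser-side rule: the RP ID must be the origin's host or a registrable
    suffix of it (accounts.example.com may use example.com, but
    example.com.evil.test may not)."""
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def authenticator_get(cred_key: bytes, rp_id: str, challenge: bytes, origin: str) -> dict:
    """Simulated browser + authenticator. `origin` is the page the user is really on."""
    if not rp_id_allowed(rp_id, origin):
        raise PermissionError(f"RP ID {rp_id!r} is not valid for origin {origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()
    # authenticatorData = rpIdHash(32) || flags(1) || signCount(4); 0x05 = UP|UV
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (0).to_bytes(4, "big")
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, to_sign, hashlib.sha256).digest()  # stand-in for ECDSA
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def verify_assertion(cred_key: bytes, expected_challenge: bytes, assertion: dict) -> bool:
    """Relying-party verification steps, in the order the WebAuthn spec lists them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != b64url(expected_challenge):
        return False  # stale or replayed challenge
    if cd.get("origin") != RP_ORIGIN:
        return False  # user was on some other site: the AitM tell-tale
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False  # rpIdHash does not match this relying party
    if not auth_data[32] & 0x01:
        return False  # user-presence flag not set
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def scenario(origin_user_is_on: str, rp_id: str = RP_ID) -> str:
    """Run one login. The proxy relays the genuine challenge to the victim's
    browser; `rp_id` is whatever RP ID the page the user is on asks for."""
    cred_key = hashlib.sha256(b"constructed credential key").digest()
    challenge = secrets.token_bytes(32)  # issued by the real RP
    try:
        assertion = authenticator_get(cred_key, rp_id, challenge, origin_user_is_on)
    except PermissionError:
        return "browser refused"
    return "accepted" if verify_assertion(cred_key, challenge, assertion) else "rejected by RP"


if __name__ == "__main__":
    print("genuine site:      ", scenario(RP_ORIGIN))
    print("look-alike proxy:  ", scenario("https://login.example.com.evil.test"))
    # Proxy rewrites the RP ID to its own domain: the browser cooperates, but the
    # signed origin still betrays it to the real server.
    print("proxy with own RP: ", scenario("https://login-example.evil.test", rp_id="evil.test"))
```

Compare this with the TOTP flow in the paragraph above: there the proxy receives a 6-digit code that is valid anywhere for 30 seconds; here it receives either nothing (the browser refuses) or a signed blob that names the wrong origin.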


ACSC Maturity Level Mapping: What Do You Actually Need?

Gauge your current MFA posture against the ACSC’s requirements. Here is what the framework demands at each target Maturity Level (check the wording of the current maturity model before an audit; it is revised periodically):

ACSC Maturity Level | MFA Requirement | What Qualifies?
Level 1 | MFA for users accessing internet-facing services. | Authenticator apps (TOTP) and push notifications. SMS and voice are discouraged by ASD but still pass at this level.
Level 2 | Phishing-resistant MFA to authenticate privileged users (admins) and remote access. | FIDO2 security keys, passkeys, Windows Hello for Business, smart cards/PIV.
Level 3 | Phishing-resistant MFA to authenticate all users (standard and admin) across all services. | FIDO2 security keys, passkeys, Windows Hello for Business, smart cards/PIV. Number-matching push hardens against prompt bombing but is not phishing-resistant and does not qualify on its own.

At a Glance: Top 7 Phishing-Resistant MFA Tools

Platform | Best For… | Standout Feature | Deployment
Microsoft Entra ID | Microsoft 365 shops | Windows Hello for Business and FIDO2 enforced via Conditional Access | Cloud
Cisco Duo | Hybrid/diverse networks | WebAuthn security keys plus Verified Push | Cloud
YubiKey (Yubico) | Highest-assurance accounts | Hardware-bound FIDO2 and PIV credentials | Hardware
Okta Identity Cloud | Large-enterprise SSO | Okta FastPass and WebAuthn, deep HR integration | Cloud
Ping Identity | Government and federal | Advanced identity orchestration (DaVinci) | Cloud/Hybrid
Silverfort | Legacy / SCADA systems | Agentless MFA on domain authentication | Network
UserLock | On-premise servers | FIDO2 tokens for Active Directory logons | On-premise

1. Microsoft Entra ID (Formerly Azure AD)

Best For: Organizations already deeply embedded in the Microsoft 365 ecosystem.

  • How to Use It: Implementation typically begins in the Entra admin center. Enable combined security information registration so users can enrol FIDO2 keys and passkeys themselves, and enable the FIDO2/passkey authentication method (optionally restricted to the authenticator AAGUIDs of the key models you issue). Then create a Conditional Access policy targeting “All users” or specific privileged groups, choose “Require authentication strength” under Grant, and select the built-in “Phishing-resistant MFA” strength. Create it in report-only mode first and exclude your break-glass accounts, or a lost key can lock out every admin. To satisfy the ACSC on Windows endpoints, configure Windows Hello for Business via Group Policy or Intune with the “Use a hardware security device” (TPM) setting enforced so the key is hardware-bound.
  • Pros: Seamless integration with Windows 10/11; no third-party agents required for basic Office 365 protection; robust “Identity Protection” that flags “risky sign-ins.”
  • Cons: Extremely complex licensing (Entra ID P1 vs. P2); “Conditional Access” is only available on paid tiers; Microsoft’s own MFA services have suffered from global outages in the past.
  • Pricing (AUD): Included in Microsoft 365 Business Premium (~$31.70/user/month). Standalone Entra ID P1 is approx. ~$8.20/user/month.
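As an added example (not Microsoft tooling and not from the page), the script below stages the Conditional Access policy described in the steps above through Microsoft Graph: it builds the policy body, runs the sanity checks a reviewer would block on, and only creates the policy when a bearer token is supplied. The group object IDs are placeholders; the built-in “Phishing-resistant MFA” authentication-strength id is the one Microsoft documents, but confirm it against your own tenant as the comment notes.

```python
"""Stage an Essential Eight phishing-resistant Conditional Access policy via Graph.

Added example. Builds the policy in report-only mode, checks it for the two
mistakes that cause outages (no targets, no break-glass exclusion), and posts
it only when GRAPH_TOKEN is set. The token needs Policy.ReadWrite.ConditionalAccess.
"""
import json
import os
import sys
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Built-in "Phishing-resistant MFA" authentication strength. Confirm the id in
# your tenant: GET /identity/conditionalAccess/authenticationStrength/policies
PHISHING_RESISTANT_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"


def build_policy(target_group_ids, breakglass_group_ids,
                 display_name="E8 ML2 - phishing-resistant MFA for privileged users") -> dict:
    """Policy body for POST /identity/conditionalAccess/policies."""
    return {
        "displayName": display_name,
        "state": "enabledForReportingButNotEnforced",  # report-only until reviewed
        "conditions": {
            "clientAppTypes": ["all"],
            "applications": {"includeApplications": ["All"]},
            "users": {
                "includeGroups": list(target_group_ids),
                "excludeGroups": list(breakglass_group_ids),
            },
        },
        "grantControls": {
            "operator": "OR",
            "authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH_ID},
        },
    }


def validate_policy(policy: dict) -> list:
    """Return the problems a reviewer would block on (empty list = OK to create)."""
    problems = []
    users = policy["conditions"]["users"]
    if not users.get("includeGroups") and users.get("includeUsers") != ["All"]:
        problems.append("policy targets nobody")
    if not users.get("excludeGroups"):
        problems.append("no break-glass group excluded: a key outage locks out every admin")
    if policy["state"] == "enabled":
        problems.append("create in report-only first; enable after reviewing sign-in logs")
    strength = policy["grantControls"].get("authenticationStrength", {}).get("id")
    if strength != PHISHING_RESISTANT_STRENGTH_ID:
        problems.append("grant control is not the phishing-resistant strength")
    return problems


def create_policy(token: str, policy: dict) -> dict:
    req = urllib.request.Request(
        f"{GRAPH}/identity/conditionalAccess/policies",
        data=json.dumps(policy).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder object IDs: substitute the groups from your tenant.
    policy = build_policy(
        target_group_ids=["<privileged-admins-group-object-id>"],
        breakglass_group_ids=["<break-glass-group-object-id>"],
    )
    problems = validate_policy(policy)
    if problems:
        sys.exit("\n".join(problems))
    token = os.environ.get("GRAPH_TOKEN")
    print(json.dumps(create_policy(token, policy) if token else policy, indent=2))
```

Run it without GRAPH_TOKEN to see the exact body that will be sent; flip the state to enabled only after the report-only sign-in log shows no privileged account that lacks a registered phishing-resistant method.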

2. Cisco Duo

Best For: Diverse, “messy” environments with a mix of cloud apps and on-premise hardware.

  • How to Use It: You install the Duo Authentication Proxy on a local server if you are protecting on-prem assets like a VPN or RDP. For cloud apps, you use Duo Central or a SAML/OIDC integration to front each application. Two settings matter for compliance. First, in the Duo Admin Panel under Policy, restrict the allowed authentication methods to WebAuthn (roaming security keys and platform authenticators such as Touch ID and Windows Hello); this is the phishing-resistant path. Second, enable Verified Duo Push, which forces the user to type a code shown on the login screen into the app. Verified Push stops push-fatigue (“prompt bombing”) attacks, but a proxy can still relay that code, so on its own it is not phishing-resistant.
  • Pros: The most user-friendly mobile app on the market; supports “Duo Desktop” to check device health (e.g., “Is this laptop’s firewall turned on?”) before allowing a login.
  • Cons: Can get expensive as you move to the “Premier” tier for advanced features; requires a smartphone for the best experience (a hurdle where staff cannot be required to install apps on personal phones).
  • Pricing (AUD): Duo Essentials starts at ~$4.50/user/month; the “Advantage” tier (required for most compliance) is ~$9.00/user/month.

3. YubiKey (by Yubico)

Best For: High-privilege accounts (Admins, C-Suite) where the risk of a breach is catastrophic.

  • How to Use It: As a hardware-based solution, the “use” is physical. An admin registers the key to the user’s account (e.g., in their Microsoft or Google security settings). When logging in, the user enters their password and is prompted to “Insert Security Key.” They plug the USB-A/C or Lightning key into their device and touch the gold contact. The key performs a cryptographic handshake with the server based on the FIDO2/WebAuthn protocol.
  • Pros: Resistant to remote phishing and credential theft (the attacker does not hold the key, and a proxy site cannot obtain a usable assertion from it); no batteries or cellular signal required; extremely durable (waterproof and crush-resistant).
  • Cons: High upfront hardware cost; logistics of shipping physical keys to remote workers; users will lose them, requiring a strict “Backup Key” policy.
  • Pricing (AUD): One-time cost of ~$85 – $110 per key. YubiEnterprise Subscription models are available for large fleets to lower the upfront CAPEX.

4. Okta Identity Cloud

Best For: Massive enterprises requiring deep automation and Single Sign-On (SSO).

  • How to Use It: Okta acts as the “Front Door” to your business. You sync your Active Directory or HR system (like Workday) to Okta. To meet Essential Eight Level 3, you configure Okta FastPass. This uses the Okta Verify agent on the computer to prove the device’s identity and uses biometrics (Touch ID, Face ID, Windows Hello) to grant access without the user ever typing a 6-digit code. It only counts as phishing-resistant if your authentication policy requires the hardware-protected, device-bound factor and does not allow fallback to OTP or plain push.
  • Pros: Best-in-class SSO experience; powerful “Lifecycle Management” (automatically disables access the second an employee is fired in HR); massive library of 7,000+ pre-built integrations.
  • Cons: High price point; aggressive sales tactics; recent high-profile security breaches at Okta itself have caused some trust issues in the IT community.
  • Pricing (AUD): Adaptive MFA is roughly ~$9.00/user/month, but usually bundled with SSO, bringing the total closer to ~$15.00+/user/month.

5. Ping Identity

Best For: Government departments and organizations with complex “Identity Orchestration” needs.

  • How to Use It: Ping is unique because of PingOne DaVinci, a “drag-and-drop” workflow builder. You can map out a login journey: “If the user is at home, require FIDO2. If they are in the Sydney Office, allow Windows Hello. If the risk score is high, block access.” This allow-list/deny-list logic is highly auditable for government regulators.
  • Pros: Incredibly flexible; offers “PingData” for highly secure, sovereign data storage in Australia; perfect for federating multiple business units.
  • Cons: Very high learning curve; requires dedicated identity engineers to manage the complex workflows.
  • Pricing (AUD): Custom enterprise pricing only; generally starts in the ~$12.00 – $18.00/user/month range for full suites.

6. Silverfort

Best For: Critical infrastructure, legacy manufacturing, and SCADA systems.

  • How to Use It: Silverfort is Agentless. You don’t install anything on the servers. Instead, it connects to your Domain Controllers. When a user tries to use a legacy protocol like NTLM or Kerberos (which don’t natively support MFA), Silverfort intercepts the request at the network layer and triggers an MFA prompt on the user’s mobile app.
  • Pros: One of the few ways to put MFA on old legacy systems or command-line tools without rewriting code; helps detect and block “Lateral Movement” by attackers using stolen domain credentials.
  • Cons: Network-level dependency; if your Domain Controllers are down, the MFA system can become a bottleneck; requires a high level of network visibility.
  • Pricing (AUD): Quoted per user/entity; typically higher than cloud-only MFA due to the unique “Agentless” technology.

7. UserLock

Best For: Australian SMEs who want to keep their servers on-site and avoid the “Cloud Tax.”

  • How to Use It: You install the UserLock Console on your local Windows Server. It pushes a “Desktop Agent” to all workstations. You can then set Contextual Access Rules (e.g., “User X can only log in from 9 AM to 5 PM from the Melbourne Office IP”). To meet compliance, you pair it with YubiKeys or Token2 keys, enforcing FIDO2 authentication for every local and RDP logon.
  • Pros: No recurring per-user “Cloud” fees; total control over your data; very fast to deploy for local AD environments.
  • Cons: Limited protection for SaaS apps (Xero, Salesforce) compared to Okta or Duo; requires you to maintain the server infrastructure.
  • Pricing (AUD): Perpetual or annual licensing. Approx ~$3,500 – $5,000 for a 100-user license (much cheaper over 3 years than cloud subs).

The Service Account Loophole: Securing Non-Human Logins

Here is the exact point where most IT managers fail their Essential Eight audits: Service Accounts.

You can buy YubiKeys for all 500 of your employees, but what about the automated backup script that logs into the server every night? You can’t prompt a piece of software to tap a physical USB key. Hackers know this, which is why they explicitly target service accounts.

Auditors will not accept a shared password as the only control on a service account at Maturity Level 2 or 3. Because a script cannot touch a key, you compensate with controls that need no human: replace passwords with managed identities, group Managed Service Accounts (gMSA) or certificate credentials where the platform supports them; scope the account to the one system it needs; and pin its logins to known source networks (for example, “this backup account may only authenticate from the backup server’s IP range in Sydney”), with anything else blocked and alerted. Entra ID (Conditional Access for workload identities, a separately licensed add-on) and Okta let you apply these network and risk rules to non-human identities with the same policy engine used for staff. Document the compensating controls; the assessor will ask for them.
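The following detection check is an added example (not from the page or any vendor) of the “pin it to a source network” control above, run over constructed sign-in records: it flags any service account that authenticates, successfully or not, from outside its approved network, and any service account that signs in interactively at all. The account names, networks and log lines are made up; the field names follow the shape of Entra ID sign-in log records.

```python
"""Service-account loophole check over Entra-style sign-in records.

Added example with constructed data. A non-human account that logs in from
outside its pinned network, or interactively, is a finding even when the
sign-in failed: failures from unknown sources are a spraying indicator.
"""
import ipaddress
import json

# Assumed allow-list: service account -> networks it may authenticate from.
SERVICE_ACCOUNT_NETWORKS = {
    "svc-backup@example.com": ["203.0.113.10/32"],   # backup server, Sydney DC
    "svc-sql-etl@example.com": ["10.20.0.0/24"],     # ETL subnet
}

# Constructed sample: JSON lines shaped like Entra ID sign-in log records.
SAMPLE_SIGNIN_LOG = """
{"createdDateTime":"2024-05-01T01:00:02Z","userPrincipalName":"svc-backup@example.com","ipAddress":"203.0.113.10","isInteractive":false,"status":{"errorCode":0}}
{"createdDateTime":"2024-05-01T01:07:44Z","userPrincipalName":"svc-backup@example.com","ipAddress":"198.51.100.77","isInteractive":false,"status":{"errorCode":0}}
{"createdDateTime":"2024-05-01T02:15:09Z","userPrincipalName":"svc-sql-etl@example.com","ipAddress":"10.20.0.15","isInteractive":true,"status":{"errorCode":0}}
{"createdDateTime":"2024-05-01T02:16:30Z","userPrincipalName":"svc-sql-etl@example.com","ipAddress":"10.20.0.15","isInteractive":false,"status":{"errorCode":0}}
{"createdDateTime":"2024-05-01T03:00:00Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.77","isInteractive":true,"status":{"errorCode":0}}
{"createdDateTime":"2024-05-01T03:30:00Z","userPrincipalName":"svc-backup@example.com","ipAddress":"198.51.100.78","isInteractive":false,"status":{"errorCode":50126}}
"""

ALLOW = {
    upn: [ipaddress.ip_network(c, strict=False) for c in cidrs]
    for upn, cidrs in SERVICE_ACCOUNT_NETWORKS.items()
}


def parse_signins(text: str) -> list:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def check_event(ev: dict) -> list:
    """Return the findings for one record (empty list = clean)."""
    upn = ev.get("userPrincipalName", "").lower()
    if upn not in ALLOW:
        return []  # human user: covered by the MFA policy, not this check
    findings = []
    ip = ipaddress.ip_address(ev["ipAddress"])
    if not any(ip in net for net in ALLOW[upn]):
        outcome = "succeeded" if ev["status"]["errorCode"] == 0 else "failed"
        findings.append(f"{upn}: {outcome} sign-in from unapproved source {ip}")
    if ev.get("isInteractive"):
        findings.append(f"{upn}: interactive sign-in by a service account")
    return findings


def scan(text: str) -> list:
    """(timestamp, finding) pairs for every record in a JSON-lines export."""
    return [(ev["createdDateTime"], f) for ev in parse_signins(text) for f in check_event(ev)]


if __name__ == "__main__":
    for ts, finding in scan(SAMPLE_SIGNIN_LOG):
        print(ts, finding)
```

The same allow-list is what you would encode as a named location plus a block rule in Conditional Access; running the check over exported logs first tells you whether the rule would break a legitimate job before you enforce it.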


Frequently Asked Questions (FAQ)


Does SMS count as MFA for the Essential Eight? No. SMS text messages and voice calls are no longer considered secure by the ACSC for higher maturity levels. They are highly vulnerable to SIM-swapping and AiTM attacks. To achieve Maturity Level 2 or 3, you must use phishing-resistant methods.

Can I use Google Authenticator for Maturity Level 2? Time-based One-Time Password (TOTP) apps like Google Authenticator or Authy are better than SMS, but they are not phishing-resistant: a user can still be tricked into typing the 6-digit code into a proxy site that relays it. The same applies to push approvals, including number-matching push, which stops prompt bombing but not relay. For the phishing-resistant levels, use FIDO2 security keys, passkeys, Windows Hello for Business or smart cards.

What is the difference between MFA and SSO? Single Sign-On (SSO) is a convenience feature that allows a user to log in once to a central portal (like Okta) and gain access to dozens of different applications without re-entering passwords. Multi-Factor Authentication (MFA) is the security mechanism (like a biometric scan or YubiKey) required to get into that central SSO portal in the first place.
