This article is the third in an eight-part series examining the Australian Cyber Security Centre’s Essential Eight — a baseline set of mitigation strategies recommended for all Australian organisations.
The first two Essential Eight strategies address vulnerabilities in software and operating systems — flaws in code that attackers can exploit. The third addresses a different problem entirely: what happens when credentials are stolen, guessed, or reused. Multi-factor Authentication (MFA) is the control that makes a compromised password insufficient on its own.
What the Strategy Requires
MFA requires that users verify their identity using at least two factors from different categories — something they know (a password), something they have (an authenticator app or hardware key), or something they are (a biometric). A password alone satisfies only one.
The ACSC’s guidance specifies that MFA should be applied to remote access services, cloud services, and privileged accounts as a minimum. At higher maturity levels, it extends to all users accessing organisational systems, with stronger authentication methods — phishing-resistant options such as FIDO2 hardware keys — required for the most sensitive accounts.
Critically, the ACSC now distinguishes between MFA methods. SMS-based codes, while better than no MFA, are considered weaker due to SIM-swapping vulnerabilities. Authenticator app-generated time-based one-time passwords (TOTP) are preferred. Hardware security keys represent the strongest available option and are recommended for privileged users and high-risk roles.
Why Credential Theft Alone Is Not Enough for an Attacker
Credential-based attacks — phishing, password spraying, credential stuffing from prior breaches — are among the most common initial access techniques observed in Australian incident data. They succeed because passwords are frequently reused, weak, or exposed through third-party breaches that organisations have no control over.
MFA breaks the attack chain at the authentication step. Even if an attacker obtains a valid username and password — through any means — they cannot proceed without the second factor. Microsoft’s own data indicates that MFA prevents more than 99% of automated credential attacks. That figure is not an aspiration; it is observed across billions of authentication events.
The 2021 Colonial Pipeline ransomware attack, which disrupted fuel supply across the eastern United States, originated through a VPN account with no MFA. One credential was sufficient for initial access. That access led to a network compromise significant enough to halt critical infrastructure operations.
Deployment Considerations for SMBs
MFA is among the most accessible controls in the Essential Eight. Businesses operating on Microsoft 365 or Google Workspace can enable MFA at no additional cost. Authenticator apps are free. For organisations requiring hardware keys — particularly for privileged accounts — the per-device cost is modest relative to the protection provided.
The more meaningful consideration for SMBs is coverage. Partial MFA deployment — protecting some accounts but not all — leaves gaps that attackers will find. Remote access points, email, cloud services, and any system accessible from outside the office network should be treated as mandatory scope, not optional extensions.
Deployment of MFA should be treated as a security decision, not an IT configuration task — which means it benefits from the same adversarial thinking applied to other security controls.
Credential Breach Monitoring: An Intelligence Layer Within MFA
A well-implemented MFA solution can extend beyond authentication configuration into active credential intelligence. Password managers and credential vault platforms that include breach monitoring — cross-referencing user credentials against databases of known compromised passwords and email addresses — provide a capability that sits at the intersection of MFA and threat intelligence.
Where a standard MFA deployment responds to a stolen credential by requiring a second factor, breach monitoring identifies that a credential has been exposed before an attacker attempts to use it. That proactive detection changes the response from reactive to anticipatory: accounts can be flagged, passwords rotated, and users notified before exploitation occurs.
This is a meaningful extension of the MFA control — one that transforms a purely structural authentication measure into an intelligence-informed one.
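As an added illustration of the breach-monitoring step described above (example code, not from the article or from any vendor), the following Python sketch performs the cross-reference the way password breach corpora such as Have I Been Pwned's Pwned Passwords expose it: the checker sends only the first five hex characters of the SHA-1 hash and matches the remainder locally, so neither the password nor its full hash leaves the vault. The breach corpus, the breached-email list and the vault contents are all constructed sample data, and the triage actions are assumed names for the flag, rotate and notify outcomes.

```python
import hashlib
from typing import Dict, Set

# Constructed sample data (not real breach data): a few passwords and email
# addresses standing in for a breach corpus, and a small credential vault.
SAMPLE_BREACHED_PASSWORDS = ["password", "Welcome1", "Summer2023!"]
SAMPLE_BREACHED_EMAILS = {"alice@example.com"}
SAMPLE_VAULT = {
    "alice@example.com": "Summer2023!",     # password and email both exposed
    "bob@example.com": "Welcome1",          # password exposed (reused elsewhere)
    "carol@example.com": "xK9#pL2v!qR7mZ",  # nothing known to be exposed
}

def sha1_hex(password: str) -> str:
    """SHA-1 hex digest, upper-case, the form in which breach corpora publish hashes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_corpus(passwords) -> Dict[str, Set[str]]:
    """Index hashes by their first 5 hex chars so a lookup needs only that prefix."""
    corpus: Dict[str, Set[str]] = {}
    for pw in passwords:
        h = sha1_hex(pw)
        corpus.setdefault(h[:5], set()).add(h[5:])
    return corpus

BREACH_CORPUS = build_corpus(SAMPLE_BREACHED_PASSWORDS)

def range_query(prefix: str) -> Set[str]:
    """Stand-in for the remote range API: only the 5-char prefix is sent, and
    every suffix sharing that prefix comes back, so the server cannot tell
    which password was being checked (k-anonymity)."""
    return BREACH_CORPUS.get(prefix.upper(), set())

def password_is_breached(password: str) -> bool:
    h = sha1_hex(password)
    # The full hash is never transmitted; the suffix comparison happens locally.
    return h[5:] in range_query(h[:5])

def triage_vault(vault: Dict[str, str], breached_emails: Set[str]) -> Dict[str, str]:
    """Decide the action per account before any attacker tries the credential."""
    actions: Dict[str, str] = {}
    for email, password in vault.items():
        if password_is_breached(password):
            actions[email] = "rotate-password-and-notify"   # assumed action name
        elif email.lower() in breached_emails:
            actions[email] = "notify-user-watch-for-phishing"  # assumed action name
        else:
            actions[email] = "ok"
    return actions
```

In a real deployment `range_query` would call the corpus API over HTTPS and the vault would be the password manager's own store; the flow otherwise stays the same.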
MFA in the Context of the Broader Stack
MFA does not prevent all attacks. A user who approves a fraudulent MFA prompt — a technique known as MFA fatigue or push bombing — can still be compromised. That risk is mitigated by phishing-resistant MFA methods and user awareness.
What MFA does is eliminate the most common, lowest-effort attack path: using stolen credentials directly. Combined with the patching controls established in the first two strategies, it closes two of the three most frequently exploited vectors in SMB incidents. And when MFA includes breach monitoring, it adds an active detection capability to what would otherwise be a passive control.
This series continues with Essential Eight #4: Restrict Administrative Privileges.
Further reading: ACSC Essential Eight, Luminol Cyber MFA