🛡️ Essential 8 Guide

Multi-factor authentication used for authenticating users of online services is phishing-resistant.

Summary

This control mandates a Conditional Access policy named ‘USR - G - Require strong auth’ that is targeted to users as required and enforces multifactor authentication with phishing-resistant authentication strength to protect access to cloud resources. It specifies that only strictly phishing-resistant methods like FIDO2 security keys or Windows Hello for Business are considered phishing-resistant, while the Microsoft Authenticator app is not technically phishing-resistant but provides resistance to phishing; best judgement should be used when selecting authentication strength.¹²³

Justification

Conventional MFA methods (TOTP codes via SMS or authenticator app, push notifications) are vulnerable to real-time phishing attacks using adversary-in-the-middle (AiTM) proxies such as Evilginx2, Modlishka, and Muraena. These tools relay authentication sessions transparently, capturing session cookies even after MFA completion — bypassing MFA entirely without stealing credentials.

Phishing-resistant MFA methods (FIDO2 security keys, Windows Hello for Business, Certificate-Based Authentication) bind the authentication assertion cryptographically to the specific origin (relying party ID / domain). An AiTM proxy operating on a lookalike domain receives an authentication assertion that is cryptographically invalid for the legitimate service — the authentication fails at the server side even if the user is deceived.

The ACSC Essential Eight Maturity Level 3 explicitly requires phishing-resistant MFA for all users of online services. The Microsoft Authenticator number matching and additional context features improve resistance to MFA fatigue attacks but do not meet the phishing-resistant threshold — they can still be bypassed by sophisticated AiTM attacks.

The Conditional Access authentication strength Phishing-resistant MFA (built-in) enforces this policy in Entra ID — requests that do not satisfy a phishing-resistant method result in a block (CA error 53003) rather than fallback to a weaker method.

Design Decision

[!NOTE] The USR - G - Require strong auth policy will be deployed via Conditional Access to require phishing-resistant MFA for users as required, and it will acknowledge that phishing-resistant MFA methods may not always be possible and that only FIDO2 security keys or Windows Hello for Business are strictly phishing-resistant while the Microsoft Authenticator app is not strictly phishing-resistant but is resistant to phishing.

Prerequisites

• Permissions/Roles
  • Access to the Microsoft Entra admin center with permissions to configure authentication methods and to create and manage Conditional Access policies. Typical roles include Global Administrator and Security Administrator²
• Dependencies
  • A Microsoft Entra ID tenant to enable and enforce phishing-resistant authentication via authentication strengths and Conditional Access policies, including phishing-resistant options such as Windows Hello for Business, Passkeys (FIDO2), and Certificate-Based Authentication³
  • A plan to enforce phishing-resistant credentials based on user/device pairs as described in enforcement guidance¹
  • If deploying via device management tooling, access to Intune for deploying passwordless methods such as Windows Hello for Business (when using Intune-based deployment)²

Implementation Steps

USR - G - Require strong auth

1. Identify admin roles and create Entra ID groups to roll out enforcement gradually.

   • Create groups to support staged deployment (e.g., admins first, then broader user cohorts) and plan mapping to enforcement waves.¹

2. Define authentication strengths for enforcement

   • Use phishing-resistant MFA strength as the baseline for privileged access sign-ins.[^4]³

   • Refer to built-in authentication strengths to select appropriate methods (e.g., phishing-resistant options such as hardware-backed keys, device-bound credentials, or certificate-based methods).[^5]

3. Create Conditional Access policy for administrators

   • Policy name: Admin Phishing-Resistant MFA (target: administrator roles).
   • Require: Phishing-resistant authentication strength for access to admin portals and admin apps.
   • Lift or adjust the policy based on risk signals and remediation guidance.³

4. Create Conditional Access policy for standard users

   • Policy targets: all users except administrators.
   • Require: Passwordless MFA strength for standard cloud app access where feasible; fallback to MFA strength as needed for legacy scenarios.[^6]³

5. Include legacy app handling and external user considerations

   • For legacy apps, enforce multifactor authentication strength as a fallback path to reduce risk where phishing-resistant methods are not supported.
   • Apply external user guidance as applicable (cross-tenant scenarios).[^4]³

6. Monitor Conditional Access sign-in logs for policy CA block 53003 (authentication strength not satisfied) to identify users who are unable to satisfy phishing-resistant MFA requirements and need device or credential remediation.²

Additional related information

• Guidance on implementing phishing-resistant MFA for desktops, servers and data repositories, including legacy apps Phishing resistant multifactor authentication for access to desktops, servers, and data repositories
• MFA requirements and cross-tenant enforcement guidance per memorandum 22-09 Meet multifactor authentication requirements of memorandum 22-09
• Essential Eight MFA policy configuration and authentication strength guidance in Entra ID Configure Essential Eight MFA conditional access policies
• Achieving ACSC Essential Eight MFA Maturity Level 3 with Entra ID controls and hardware-backed authentication Achieve ACSC Essential Eight MFA Maturity Level 3 with Microsoft Entra
• Achieving ACSC Essential Eight MFA Maturity Level 2 with Entra ID controls and device-bound methods Achieve ACSC Essential Eight MFA Maturity Level 2 with Microsoft Entra
• CISA Zero Trust Maturity Model guidance for identity and MFA implementation CISA Zero Trust Maturity Model for the identity pillar