Phishing‍-‍resistant MFA: elevating security standards in the public sector

Phishing remains a significant issue for government agencies, and current MFA solutions often fall short in addressing the threat.

In October 2024, the Australian Government introduced the Cyber Security Bill 2024¹, its first standalone Cyber Security Act. This legislation comes at a crucial time, as escalating cyberthreats, such as ransomware and phishing attacks, demand stronger protective measures. The ongoing nature of this issue is evident, with recent incidents showing Iranian hackers targeting Australian services² through push-bomb attacks, brute-force tactics, and password spraying.

The growing threat of phishing attacks

A report from the Office of the Australian Information Commissioner (OAIC)³ revealed that phishing and credential-harvesting attacks are among the most frequent threats faced by Australian government agencies and their services, such as myGov, Centrelink or the Australian Taxation Office.

Alongside these findings, user reviews of government services frequently appear online, with daily concerns about breached account and phishing attempts. In just the first quarter of 2024, an alarming 1.8 million user accounts across different apps and services were compromised in Australia. What might seem like a bad dream is an ongoing issue for everyday Australians trying to access government services.

As cyber attacks continue to intensify, government agencies remain prime targets, with phishing being a persistent and significant threat. This growing risk highlights the urgent need for stronger, phishing-resistant authentication methods, as phishing attempts are becoming increasingly sophisticated. AI-generated deepfakes posing as trusted individuals, and fake websites that are indistinguishable from legitimate ones are ubiquitous, yet security measures seem to barely keep pace. Even for those carefully trying to look out for these attacks, it’s almost impossible to avoid getting caught up in these schemes.

A solution to many of the phishing-related issues has been on the horizon for a while, and plenty of organisations are already adopting it: passkeys — a phishing-resistant, user-friendly authentication method based on public-key cryptography, developed by the FIDO Alliance.

This article explores why phishing remains such a critical problem for the public sector and discusses why phishing-resistant methods like passkeys are becoming essential to safeguarding sensitive data in the public sector.

Why the public sector is a prime target for cybercriminals

The vast amount of sensitive data held by the public sector — ranging from citizen records to financial and healthcare information — makes it an attractive target for cybercriminals. Phishing attacks, in particular, are commonly used to gain access to user credentials, which can then be exploited or sold on lucrative black markets due to their highly personal nature. The public sector is especially valuable because it stores detailed information that can be misused for identity theft, including real names, email addresses, payment details, health records, physical addresses and driver’s licence numbers, among other sensitive data.

Notably, in the first six months of 2024, the Australian government sector experienced the second-highest number of data breaches, after the health sector.³ High-profile incidents, such as the Service NSW breach⁴ in 2020, resulted in unauthorised access to approximately 5 million documents, 10% of which contained sensitive personal data, relating to up to 186,000 individuals. This breach occurred after cybercriminals successfully compromised 47 staff email accounts through a series of phishing attacks.

A typical phishing attack might involve a fraudulent email, for example, purporting to be from Service NSW, luring users to a fake Service NSW login page. Once their credentials are stolen, these are quickly sold on dark web marketplaces, leading to compromised bank accounts and identity theft. Most of the time, citizens have limited options regarding which government agencies they share their personal information with, as they depend on the online services these agencies provide. A breach at even one of these agencies could be disastrous, putting every citizen at risk. This scenario plays out daily across Australia — but solutions like passkeys, which prevent users from entering credentials on fake websites, are starting to make a real difference.

Limitations of traditional MFA solutions

While multi-factor authentication (MFA) has become a good practice for securing accounts and avoiding phishing traps, not all MFA methods offer the same level of protection. Solutions like SMS-based MFA, though an improvement over password-only authentication, are still vulnerable to sophisticated attacks such as SIM-swapping and man-in-the-middle breaches.

As governments continue to digitise services — from healthcare portals to social security systems to tax services — the need for more resilient MFA solutions has become urgent. The vulnerability of traditional MFA methods reveals a critical gap in the security landscape, one that more advanced phishing-resistant technologies are designed to address.

Phishing-resistant MFA

To address these concerns, governments are increasingly focusing on phishing-resistant MFA technologies like passkeys and hardware security keys. Australia’s Essential Eight cybersecurity framework has highlighted this shift by recently strengthening its requirements for phishing-resistant MFA across all maturity levels. Unlike traditional MFA, phishing-resistant MFA with passkeys relies on public-key cryptography and domain-binding, creating an environment that is immune to phishing. Even if an attacker sends a phishing email, the user is still safe, as there is no way to trick the user into revealing the private key of a passkey in a fake website.

This approach significantly reduces the cybersecurity risks faced by the public sector, making it a crucial strategy in modernising security protocols. To make meaningful progress in protecting citizens, government agencies must move away from password-based authentication and traditional MFA methods to fully embrace phishing-resistant passkeys, a viable solution for all demographics.

Conclusion

Phishing remains a significant issue for government agencies in Australia, and current MFA solutions often fall short in addressing this growing threat. The Australian Government’s Cyber Security Bill 2024 signals a turning point — but real progress will depend on implementing advanced, phishing-resistant solutions like passkeys which are the only viable option for large-scale usages.

The Australian Government’s updated cybersecurity strategy and revisions to the Essential Eight framework reflect the increasing need for secure, user-friendly authentication methods to safeguard the public sector. By adopting these advanced solutions, government agencies can better protect sensitive data, mitigate the risk of cyber attacks, and set new standards for cybersecurity best practices across the public sector.

<sup>1. Department of Home Affairs 2024, Introduction of landmark Cyber Security Legislation Package, <<https://www.homeaffairs.gov.au/news-media/archive/article?itemId=1247>>
2. Australian Signals Directorate 2024, Iranian cyber actors’ brute force and credential access activity compromises critical infrastructure, <<https://www.cyber.gov.au/about-us/view-all-content/news-and-media/iranian-based-cyber-actors-compromising-critical-infrastructure-networks>>
3. Office of the Australian Information Commissioner 2024, Notifiable data breaches report January to June 2024, <<https://www.oaic.gov.au/__data/assets/pdf_file/0013/242050/Notifiable-data-breaches-report-January-to-June-2024.pdf>>
4. Service NSW 2020, Service NSW cyber incident, <<https://www.service.nsw.gov.au/services/cyber-security/service-nsw-cyber-incident>></sup>

*Vincent Delitz is Managing Director at Corbado, a passkeys-as-a-service company specialising in large-scale deployments. With a focus on innovative, phishing-resistant MFA solutions, Vincent works closely with enterprises to improve user security, reduce SMS OTP costs, and streamline login experiences through passkeys.

Top image credit: iStock.com/aprott