The recent spate of high-profile cyber-attacks in Australia is a timely reminder to APRA-regulated entities to remain vigilant and to continue to take steps to reduce the likelihood and impact of cyber-attacks. Multi-factor authentication (MFA) is one of the most effective controls an organisation can implement to prevent an adversary from gaining access to a device or network and accessing sensitive information. MFA is one of the Essential Eight mitigation strategies to protect against cyber threats. To be effective, MFA must use at least two elements of digital authentication. These include:
a) Something the individual knows – for example, user IDs and passwords/credentials;
b) Something the individual has – for example, a security token, phone or other devices in the person’s possession used for the generation of a one-time password or code; and
c) Something the individual is – for example, retinal scans, hand scans, voice scans or other biometrics.
APRA’s requirements in this area are set out in Prudential Standard CPS 234 Information Security (CPS 234). CPS 234 requires APRA-regulated entities to maintain their information security capability commensurate with information security vulnerabilities and threats, including controls to protect information assets. The use of MFA, and the strength of authentication controls, should be commensurate with the information being protected.
Prudential Practice Guide CPG 234 Information Security (CPG 234) provides guidance to assist regulated entities and details the role of various authentication controls, including MFA, as well as passwords and cryptographic techniques, in strengthening identification and authentication.
CPG 234 Information Security outlines examples where strengthened authentication is typically required to prevent false identification leading to unauthorised access:
a) administration or other privileged access to sensitive or critical information assets;
b) remote access (i.e. via public networks) to sensitive or critical information assets; and
c) high-risk activities (e.g. third-party fund transfers, creation of new payees).
As part of its regular supervisory activities of regulated entities, APRA has noted that while MFA is a widely used technique to improve authentication controls, there are gaps in its implementation. APRA has noted examples where MFA for customers has been deployed on an opt-in basis, or where exceptions have been granted for customers without mobile phones or located in areas without reliable phone reception. Other examples include remote access being provided for third-party staff without associated MFA.
APRA expects APRA-regulated entities to review the coverage of MFA in their operating and technology environments. Where gaps in the coverage of MFA have the potential to materially affect, financially or non-financially, the entity or the interests of depositors, policyholders, beneficiaries or other customers, APRA would consider this to be a material security control weakness and, under paragraph 36 of CPS 234, would require the entity to notify APRA.
APRA plans to review CPS 234 in due course, to clarify our expectations on information security controls and provide additional guidance for industry.
More information on APRA’s requirements on information security can be found here. Please contact your supervisor should you have any questions regarding the content of this letter.
General Manager, Operational Resilience
Cross Industry Division