TL;DR
SMS and phone-call MFA are no longer sufficient against modern threats like SIM swapping and adversary-in-the-middle phishing kits. Australian SMBs must upgrade to phishing-resistant authentication methods and implement conditional access policies to protect their Microsoft Entra ID and Google Workspace environments against sophisticated cyber attacks.
Why SMS and Phone MFA Are No Longer Enough
Traditional SMS and voice-based MFA once provided reasonable security, but attackers now routinely bypass these controls. SIM swapping attacks allow criminals to hijack mobile numbers by convincing telcos to port numbers to attacker-controlled devices. More concerning are adversary-in-the-middle (AiTM) phishing kits like Evilginx and Tycoon, which proxy legitimate login pages in real-time, capturing both credentials and SMS codes as users authenticate.
The Australian Cyber Security Centre (ACSC) now explicitly recommends against SMS-based MFA for high-value accounts. Under the Australian Privacy Act and Notifiable Data Breaches scheme, organisations failing to implement adequate authentication controls face regulatory scrutiny foll
Phishing-Resistant Authentication Options
Phishing-resistant MFA cannot be intercepted or replayed even when a user is lured to a malicious site, because the secret never leaves the authenticator. FIDO2/WebAuthn, the standard behind passkeys and hardware security keys such as YubiKey, uses a per-site key pair: the browser only signs a login challenge for the origin the credential was registered with, and the signed response embeds that origin together with a hash of the relying-party identifier. A credential registered for your legitimate Microsoft login page therefore yields no usable response on an attacker's Evilginx proxy, which necessarily sits on a different domain, even if the user is completely deceived.
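The relying-party side of that origin binding, as an added example that is not code from the original page or from any vendor: the server checks the `origin` and `challenge` inside the browser-supplied clientDataJSON and the `rpIdHash` at the front of the authenticator data before it ever verifies a signature. The relying party name `login.example.com`, the attacker domain and the fixed challenge are assumptions for the example; signature verification is omitted so the block runs on the standard library alone.

```python
import base64
import hashlib
import json
import struct

# Flag bits in the WebAuthn authenticator data "flags" byte.
FLAG_USER_PRESENT = 0x01
FLAG_USER_VERIFIED = 0x04


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes, rp_id: str,
                             allowed_origins: set) -> tuple:
    """Relying-party checks from the WebAuthn assertion procedure that bind a
    response to the site and login attempt it was produced for.  Signature
    verification over authenticator_data || SHA-256(client_data_json) would
    follow these checks and is omitted here."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    if client_data.get("challenge") != b64url_encode(expected_challenge):
        return False, "challenge mismatch (replayed or stale response)"
    origin = client_data.get("origin")
    if origin not in allowed_origins:
        return False, f"origin {origin!r} is not a registered origin"
    if len(authenticator_data) < 37:
        return False, "authenticator data too short"
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match the relying party"
    if not flags & FLAG_USER_PRESENT:
        return False, "user presence not asserted"
    return True, "ok"


def make_assertion(origin: str, rp_id: str, challenge: bytes, sign_count: int = 1):
    """Build the two unsigned parts of an assertion the way a browser and
    authenticator would for a login at `origin`.  Constructed for this example."""
    client_data = {"type": "webauthn.get", "challenge": b64url_encode(challenge),
                   "origin": origin}
    client_data_json = json.dumps(client_data, separators=(",", ":")).encode()
    authenticator_data = (hashlib.sha256(rp_id.encode()).digest()
                          + bytes([FLAG_USER_PRESENT | FLAG_USER_VERIFIED])
                          + struct.pack(">I", sign_count))
    return client_data_json, authenticator_data


# Assumed relying party; not Microsoft's real RP configuration.
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}
CHALLENGE = bytes(range(32))  # constructed; a real RP issues a fresh random challenge per login


def demo() -> dict:
    results = {}
    # 1. Genuine login: the browser is on the registered origin.
    cd, ad = make_assertion("https://login.example.com", RP_ID, CHALLENGE)
    results["genuine"] = verify_assertion_binding(cd, ad, CHALLENGE, RP_ID, ALLOWED_ORIGINS)
    # 2. AiTM proxy: the user is on the attacker's domain.  A browser refuses to
    #    sign for RP ID login.example.com from this origin at all; even if a
    #    response reached the RP, the origin and rpIdHash checks reject it.
    cd, ad = make_assertion("https://login.example.com.proxy-attacker.test",
                            "login.example.com.proxy-attacker.test", CHALLENGE)
    results["proxied"] = verify_assertion_binding(cd, ad, CHALLENGE, RP_ID, ALLOWED_ORIGINS)
    # 3. Replay of a genuine response against a later login's challenge.
    cd, ad = make_assertion("https://login.example.com", RP_ID, CHALLENGE)
    results["replayed"] = verify_assertion_binding(cd, ad, b"\x00" * 32, RP_ID, ALLOWED_ORIGINS)
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:9s} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

Compare this with an SMS code: nothing in a six-digit code says which site it was typed into, so a proxy that relays it to the real login page is accepted. Here the origin is part of what gets signed, and the browser will not produce the signature for the wrong origin in the first place.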
For organisations not ready to deploy hardware keys broadly, Microsoft Authenticator with number matching is a worthwhile interim upgrade against MFA fatigue, where an attacker who already holds the password spams push notifications until the user approves one. Number matching requires the user to type a code shown on the login screen into the app, so a blind approval is no longer possible. It is not phishing-resistant, however: an AiTM proxy relays the genuine login page, including the number to match, so a user who types it still hands the attacker an authenticated session. Treat number matching as a stepping stone for general staff and reserve passkeys or security keys for the accounts that matter most. In Google Workspace the equivalent tiers are Google prompt for general staff and Titan Security Keys, passkeys or Advanced Protection Program enrolment for high-risk users.
Conditional Access Policy Implementation
Conditional access policies evaluate signals — user identity, device compliance, location, and risk level — to enforce organisational access controls dynamically. Unlike static MFA requirements, conditional access allows granular rules: requiring hardware keys only for administrators, blocking downloads from unmanaged devices, or denying access from high-risk countries.
Both Microsoft Entra ID (formerly Azure AD) and Google Workspace (where the feature is called Context-Aware Access) provide conditional access capabilities. Microsoft requires an Entra ID P1 licence for conditional access policies and P2 for the risk-based signals (sign-in risk, user risk) supplied by Identity Protection. For Australian SMBs, these policies integrate with device management platforms such as Microsoft Intune or Google Endpoint Verification so that only compliant, patched devices reach corporate data.
The 6-Policy Starter Pack for Australian SMBs
Implement these foundational conditional access policies to align with ACSC Essential Eight maturity requirements:
Block legacy authentication protocols – Disable Basic Authentication for legacy protocols such as IMAP, POP3, SMTP AUTH and Exchange ActiveSync, which cannot complete an MFA challenge and so bypass it entirely. Attackers actively target these endpoints with credential stuffing and password spray tools precisely because a valid password alone gets them in.
Require MFA for all administrative actions – Protect Global Administrator, Super Admin, and privileged role accounts with the strongest authentication available. These accounts manage your security configuration and represent your highest risk.
Require compliant or managed devices – Block access from personal devices lacking endpoint protection, encryption, or recent security updates. Integrate with your MDM to verify device health before granting access.
Geofence login locations to Australia and trusted regions – Block or challenge authentications from high-risk countries where your organisation has no legitimate business presence. Consider additional verification for travel outside Australia and New Zealand.
Enforce sign-in frequency and continuous access evaluation – Require re-authentication after a bounded period (for example 12 hours) and enable continuous access evaluation so that tokens are revoked in near real time when a critical event or risk signal fires (account disabled, password changed, impossible travel, anonymous IP usage). This limits the window of opportunity for a stolen session token.
Require phishing-resistant MFA for high-risk actions – Mandate FIDO2 keys or certificate-based authentication for password resets, privileged access workstation logins, and sensitive data downloads.
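A gap check for the six policies above, as an added example that is not code from the original page or from Microsoft: it takes the policy array returned by Microsoft Graph (`GET /identity/conditionalAccess/policies`, the `value` field) and reports which baseline items have no enforced policy behind them. The sample tenant is constructed for the example; the role template ID and the built-in "Phishing-resistant MFA" authentication strength ID are the documented Graph values. Report-only policies are deliberately counted as gaps, because a policy in report-only mode protects nothing.

```python
# Built-in authentication strength ID for "Phishing-resistant MFA" (Microsoft Graph).
PHISHING_RESISTANT_STRENGTH_ID = "00000000-0000-0000-0000-000000000004"
# Directory role template ID for Global Administrator.
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"
# Client app types that represent legacy (non-modern) authentication.
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}


def _get(obj, *path, default=None):
    """Walk nested dicts, returning `default` when any step is missing."""
    for key in path:
        if not isinstance(obj, dict):
            return default
        obj = obj.get(key)
    return default if obj is None else obj


def _enforced(p):
    # "enabledForReportingButNotEnforced" and "disabled" protect nothing.
    return p.get("state") == "enabled"


def _all_users(p):
    return "All" in _get(p, "conditions", "users", "includeUsers", default=[])


def _all_apps(p):
    return "All" in _get(p, "conditions", "applications", "includeApplications", default=[])


def _covers_admins(p):
    roles = _get(p, "conditions", "users", "includeRoles", default=[])
    return GLOBAL_ADMIN_ROLE_ID in roles or _all_users(p)


def _controls(p):
    return set(_get(p, "grantControls", "builtInControls", default=[]))


def blocks_legacy_auth(p):
    client_apps = set(_get(p, "conditions", "clientAppTypes", default=[]))
    return (_enforced(p) and LEGACY_CLIENT_APP_TYPES <= client_apps
            and _all_users(p) and _all_apps(p) and "block" in _controls(p))


def requires_admin_mfa(p):
    has_strength = bool(_get(p, "grantControls", "authenticationStrength", "id"))
    return (_enforced(p) and _covers_admins(p) and _all_apps(p)
            and ("mfa" in _controls(p) or has_strength))


def requires_managed_device(p):
    return (_enforced(p) and _all_users(p) and _all_apps(p)
            and bool(_controls(p) & {"compliantDevice", "domainJoinedDevice"}))


def restricts_locations(p):
    included = _get(p, "conditions", "locations", "includeLocations", default=[])
    excluded = _get(p, "conditions", "locations", "excludeLocations", default=[])
    # Pattern: block from all locations except the named (trusted) ones.
    return _enforced(p) and "All" in included and bool(excluded) and "block" in _controls(p)


def limits_session(p):
    freq = _get(p, "sessionControls", "signInFrequency", default={})
    hours = freq.get("value", 0) * (24 if freq.get("type") == "days" else 1)
    return _enforced(p) and bool(freq.get("isEnabled")) and 0 < hours <= 12


def requires_phishing_resistant_admins(p):
    strength = _get(p, "grantControls", "authenticationStrength", "id")
    return _enforced(p) and _covers_admins(p) and strength == PHISHING_RESISTANT_STRENGTH_ID


BASELINE = [
    ("1 block legacy authentication", blocks_legacy_auth),
    ("2 MFA for administrators", requires_admin_mfa),
    ("3 compliant or managed device", requires_managed_device),
    ("4 location restriction", restricts_locations),
    ("5 sign-in frequency <= 12h", limits_session),
    ("6 phishing-resistant MFA for admins", requires_phishing_resistant_admins),
]


def audit(policies):
    """Map each baseline item to the enforced policies that satisfy it."""
    return {name: [p.get("displayName", "?") for p in policies if check(p)]
            for name, check in BASELINE}


def gaps(policies):
    return [name for name, hits in audit(policies).items() if not hits]


# Constructed sample export: one good policy, one report-only, one partial.
SAMPLE_TENANT = [
    {"displayName": "CA001 Block legacy auth", "state": "enabled",
     "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"],
                    "applications": {"includeApplications": ["All"]},
                    "users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "CA002 MFA for admins", "state": "enabledForReportingButNotEnforced",
     "conditions": {"clientAppTypes": ["all"],
                    "applications": {"includeApplications": ["All"]},
                    "users": {"includeRoles": [GLOBAL_ADMIN_ROLE_ID]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "CA003 Compliant device, 12h sign-in", "state": "enabled",
     "conditions": {"clientAppTypes": ["all"],
                    "applications": {"includeApplications": ["All"]},
                    "users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
     "sessionControls": {"signInFrequency": {"isEnabled": True, "type": "hours", "value": 12}}},
]

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_TENANT).items():
        print(f"{'OK  ' if hits else 'GAP '} {name}: {', '.join(hits) or 'no enforced policy'}")
```

Run it against your own export and treat each `GAP` line as the next policy to build. The checks are intentionally strict (all users, all cloud apps) because a baseline scoped to one pilot group is not yet a baseline; relax them deliberately if your design scopes a control narrower than that.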
FAQ
What is conditional access and do I need a premium licence?
Conditional access evaluates multiple signals before granting resource access. Microsoft requires Entra ID P1 (included in Microsoft 365 Business Premium) or P2 for custom policies. Google Workspace Business Plus and Enterprise tiers offer similar context-aware access controls through BeyondCorp.
Can I enforce these policies without buying expensive hardware keys for everyone?
Yes. Start with Microsoft Authenticator number matching or Google prompt-based challenges for general staff, reserving hardware keys (approximately $50–100 AUD per device) for administrators and high-risk users handling financial or customer data.
How do I handle remote workers or staff travelling overseas?
Implement named location policies allowing specific countries while requiring additional verification. Use temporary access passes or compliant device requirements rather than blanket geographic blocking, ensuring business continuity while maintaining security.
What happens if someone loses their security key?
Maintain backup authentication methods registered to each account (a secondary hardware key stored securely or Microsoft Authenticator as backup). Establish clear procedures for temporary access while replacements are provisioned, ensuring IT can verify identity through out-of-band channels before resetting MFA methods.
Conclusion
Australian SMBs can no longer rely on basic MFA to protect against determined attackers. By implementing phishing-resistant authentication and the six conditional access policies outlined above, you align with ACSC Essential Eight guidance while meeting obligations under Australian privacy legislation. Start by auditing your current MFA methods, identifying privileged accounts requiring immediate protection, and planning your conditional access deployment.
Visit consult.lil.business for a free cybersecurity assessment tailored to your organisation's Microsoft 365 or Google Workspace environment.
References
Australian Cyber Security Centre. Essential Eight Maturity Model. https://www.cyber.gov.au/resources-business-and-government/mandatory-cyber-incident-reporting/essential-eight/essential-eight-maturity-model
National Institute of Standards and Technology. SP 800-63B Digital Identity Guidelines: Authentication and Lifecycle Management. https://pages.nist.gov/800-63-3/sp800-63b.html
Microsoft Learn. Phishing-resistant authentication methods in Microsoft Entra ID. https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods