How FIDO2 Works
FIDO2 leverages public-key cryptography, eliminating the need to transmit passwords over the network. It involves an authenticator (hardware security key, fingerprint reader, etc.) and a relying party (the service being accessed). During registration, a key pair is generated – the public key is stored with the relying party, while the private key remains securely within the authenticator. Authentication then relies on cryptographic signatures: the relying party sends a fresh challenge, and the authenticator signs it together with the identity of the site the browser actually connected to. No reusable secret ever crosses the network and a signature produced for a look-alike domain does not verify at the genuine service, making it extremely difficult for attackers to steal credentials.
FIDO2 and the ACSC Essential Eight
The Australian Cyber Security Centre’s Essential Eight Maturity Level 2 (ML2) now mandates phishing-resistant MFA for privileged accounts and those routinely accessed over the internet. FIDO2 is a practical and increasingly common solution to meet this requirement. Many AU mid-market organisations are adopting FIDO2 to bolster their security posture, particularly given the ongoing threat landscape and the increasing scrutiny from regulators like APRA and the OAIC regarding data security and privacy obligations under the Privacy Act 2024.