APRA has reminded APRA-regulated entities that multi-factor authentication (MFA) is one of the most effective controls an organisation can implement to prevent an adversary from gaining access to a device or network and accessing sensitive information.
To be effective, MFA must use at least two elements of digital authentication. These include:
a) Something the individual knows – for example, user IDs and passwords/credentials;
b) Something the individual has – for example, a security token, phone or other devices in the person’s possession used for the generation of a one-time password or code; and
c) Something the individual is – for example, retinal scans, hand scans, voice scans or other biometrics.
APRA’s requirements in this area are set out in Prudential Standard CPS 234 Information Security (CPS 234). CPS 234 requires APRA-regulated entities to maintain their information security capability commensurate with information security vulnerabilities and threats, including controls to protect information assets. The use of MFA, and the strength of authentication controls, should be commensurate with the information being protected.
Prudential Practice Guide CPG 234 Information Security (CPG 234) provides guidance to assist regulated entities and details the role of various authentication controls, including MFA, as well as passwords and cryptographic techniques, in strengthening identification and authentication.
APRA has noted that while MFA is a widely used technique to improve authentication controls, there are gaps in its implementation. APRA has noted examples where MFA for customers has been deployed on an opt-in basis, or where exceptions have been granted for customers without mobile phones or located in areas without reliable phone reception. Other examples include remote access being provided for third-party staff without associated MFA.
APRA expects APRA-regulated entities to review the coverage of MFA in their operating and technology environments.
Author: David Jacobson
Principal, Bright Corporate Law
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.