New Zealand government agencies, Crown entities, and their contractors operate under the New Zealand Information Security Manual (NZISM) - the GCSB-published framework that sets the country's baseline for information security controls. When it comes to authentication, NZISM is clear: passwords alone are not enough, and the bar for privileged access is higher still.
This post breaks down what NZISM actually requires for authentication, where most agencies fall short, and how a hardware security key like YubiKey satisfies the controls in a way that SMS codes and authenticator apps simply cannot.
What is NZISM?
The NZISM is published and maintained by the National Cyber Security Centre (NCSC) under the Government Communications Security Bureau (GCSB). It defines mandatory and recommended controls for New Zealand government agencies managing information assets. Compliance is required for agencies handling information classified RESTRICTED and above, and it forms part of the broader Protective Security Requirements (PSR) framework.
The manual is structured around chapters covering everything from physical security to cryptography. Chapter 16 covers identity and access management - and this is where authentication requirements live.
What NZISM Requires for Authentication
The key controls most agencies need to meet are:
Control 16.4.37.C.02 - Privileged Accounts
Agencies MUST use two-factor or multi-factor authentication (MFA) to allow access to privileged accounts. This is a baseline control - it is not optional for any agency handling RESTRICTED information.
Control 16.7.41.C.01 - Risk Analysis
Agencies MUST undertake a risk analysis before designing and implementing MFA. The type of MFA chosen must be appropriate to the risk profile of the system and the sensitivity of the information being accessed.
Control 16.7.42.C.01 - External-Facing Systems
Where an agency has external-facing systems, cloud-based services, or is authenticating to third-party services, they MUST implement a secure, multi-factor process - including for credential reset workflows.
In plain terms: privileged users must use MFA, cloud access must use MFA, and the MFA method chosen must be appropriate to the risk. That last point is where most agencies get it wrong.
The Problem with SMS and Authenticator Apps
Many NZ agencies have satisfied the letter of the MFA requirement by deploying SMS one-time passwords or app-based authenticators like Microsoft Authenticator. These methods tick the "two-factor" box - but they do not meet the spirit of the NZISM risk analysis requirement for higher-risk environments.
Here is why:
- SMS codes can be intercepted via SIM-swapping, SS7 attacks, or social engineering of telco staff. New Zealand has seen high-profile SIM-swap attacks against individuals and organisations.
- Push notification fatigue is a documented attack vector: adversaries bombard a user with MFA approval requests until the user approves one, by accident or simply to make the prompts stop.
- Authenticator app codes can be phished. A convincing fake login page can capture both the password and the TOTP code in real time, relaying them to the real service before they expire.
None of these weaknesses apply to hardware security keys. A YubiKey uses asymmetric cryptography bound to the specific origin - the domain of the legitimate service. The browser, not the web page, records which origin requested the login, and the key's signed response is tied to that origin, so a fake login page receives nothing useful from a YubiKey: the response is bound to the real domain, not the attacker's site.
How YubiKey Meets NZISM Controls
FIDO2/WebAuthn - the YubiKey's primary authentication protocol - provides phishing-resistant MFA that satisfies NZISM's risk analysis requirement for privileged and high-risk access. For agencies operating under NZISM, this matters because the manual explicitly requires controls appropriate to the sensitivity of the information - and for RESTRICTED systems and privileged accounts, phishing-resistant MFA is the only defensible choice.
The YubiKey 5 Series supports:
- FIDO2 / WebAuthn - phishing-resistant authentication for modern cloud services and identity platforms
- Smart Card / PIV - certificate-based authentication for legacy government systems, VPN access, and Windows logon
- OTP - one-time password support for systems not yet supporting FIDO2
- OpenPGP - for secure email and document signing
This multi-protocol support means a single YubiKey can cover the full range of systems a government user encounters - from Microsoft 365 and Entra ID to legacy on-premise systems still relying on smart card authentication.
For agencies with Federal Information Processing Standard (FIPS) requirements, the YubiKey 5 FIPS Series uses FIPS 140-2 validated cryptographic modules, which satisfies procurement frameworks or contracts that require validated cryptography.
Integration with Microsoft Entra ID and Active Directory
Most NZ government agencies run Microsoft 365 and have Entra ID (formerly Azure AD) as their identity platform. YubiKey integrates natively with Entra ID as a FIDO2 security key, supporting both passwordless and MFA authentication workflows without additional middleware.
For agencies still running on-premise Active Directory, YubiKey supports Smart Card / PIV authentication and Windows logon via the Yubico minidriver - requiring no changes to existing PKI infrastructure.
Practical Deployment for NZ Agencies
Deploying YubiKeys across an agency team is straightforward:
- Choose the right key - USB-A (YubiKey 5 NFC) for standard desktop environments, USB-C (YubiKey 5C NFC) for modern laptops, USB-C and Lightning (YubiKey 5Ci) for staff using iPhones. The FIPS variants are available in all form factors for agencies with validated cryptography requirements.
- Register with your identity platform - Entra ID, Okta, Duo, and most major platforms support FIDO2 security keys natively.
- Enforce phishing-resistant MFA - use Conditional Access policies in Entra ID to require FIDO2 authentication for privileged accounts and sensitive applications.
- Issue two keys per user - standard practice is to register a primary key and a backup. Trust Panda can supply keys in pairs or bulk quantities with consistent firmware versions.
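The "enforce phishing-resistant MFA" step is where a deployment most often stalls at a policy that only requires generic MFA, which SMS and push prompts still satisfy. As an added example (not code from the original post, from Microsoft, or from Trust Panda), the audit function below walks Conditional Access policy objects in the JSON shape Microsoft Graph returns from the conditional access policies endpoint and reports whether each one actually forces phishing-resistant authentication on privileged accounts. The two policies are constructed samples: the first grants on the plain "mfa" control, the second is the corrected version that requires the built-in "Phishing-resistant MFA" authentication strength. The strength ID and the Global Administrator role template ID are Microsoft's documented built-in values; the excluded break-glass account ID is a placeholder.

```javascript
// Added example (not from the original post): audit Entra ID Conditional Access
// policies for whether they really enforce phishing-resistant MFA on admins.
const PHISHING_RESISTANT_STRENGTH = '00000000-0000-0000-0000-000000000004'; // built-in "Phishing-resistant MFA" strength
const GLOBAL_ADMIN_ROLE = '62e90394-69f5-4237-9190-012177145e10';            // Global Administrator role template ID

// Returns { name, compliant, findings } for one policy object.
function auditPolicy(policy) {
  const findings = [];
  const users = (policy.conditions && policy.conditions.users) || {};
  const apps = (policy.conditions && policy.conditions.applications) || {};
  const grant = policy.grantControls || {};

  // Report-only and disabled policies enforce nothing.
  if (policy.state !== 'enabled') findings.push(`not enforced (state is "${policy.state}")`);

  // Scope: must reach privileged roles, either directly or via "All users".
  const targetsAdmins = (users.includeRoles || []).includes(GLOBAL_ADMIN_ROLE)
    || (users.includeUsers || []).includes('All');
  if (!targetsAdmins) findings.push('does not target privileged roles');
  if (!(apps.includeApplications || []).includes('All')) findings.push('does not cover all cloud apps');

  // Grant control: only an authentication strength can distinguish FIDO2 from SMS/push.
  const strength = grant.authenticationStrength && grant.authenticationStrength.id;
  if (strength !== PHISHING_RESISTANT_STRENGTH) {
    if ((grant.builtInControls || []).includes('mfa')) {
      findings.push('grants on plain "mfa": SMS and authenticator-app prompts satisfy it');
    } else {
      findings.push('no phishing-resistant authentication strength required');
    }
  }

  // Heuristic: more than one excluded user usually means more than a break-glass account.
  const excluded = users.excludeUsers || [];
  if (excluded.length > 1) findings.push(`${excluded.length} users excluded (expect at most one break-glass account)`);

  return { name: policy.displayName, compliant: findings.length === 0, findings };
}

// Constructed sample: the common "MFA box ticked" policy.
const WEAK_POLICY = {
  displayName: 'Require MFA for admins',
  state: 'enabled',
  conditions: {
    users: { includeRoles: [GLOBAL_ADMIN_ROLE], excludeUsers: ['<break-glass-account-object-id>'] },
    applications: { includeApplications: ['All'] },
  },
  grantControls: { operator: 'OR', builtInControls: ['mfa'] },
};

// Constructed sample: the corrected policy requiring a phishing-resistant strength.
const FIXED_POLICY = {
  displayName: 'Require phishing-resistant MFA for admins',
  state: 'enabled',
  conditions: {
    users: { includeRoles: [GLOBAL_ADMIN_ROLE], excludeUsers: ['<break-glass-account-object-id>'] },
    applications: { includeApplications: ['All'] },
  },
  grantControls: { operator: 'OR', authenticationStrength: { id: PHISHING_RESISTANT_STRENGTH } },
};

function auditAll(policies = [WEAK_POLICY, FIXED_POLICY]) {
  return policies.map(auditPolicy);
}

console.log(JSON.stringify(auditAll(), null, 2));
```

Feed it the array from your tenant's policy export instead of the samples and the output lists, per policy, exactly why it would still let an SMS code through. Note that the check is deliberately strict about scope: a phishing-resistant strength applied only to a pilot group does nothing for the accounts NZISM Control 16.4.37.C.02 is about.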
Trust Panda supplies YubiKeys to government agencies, councils, Crown entities, and public sector contractors across New Zealand, with volume pricing and deployment guidance available on request.
Summary
NZISM requires MFA for privileged accounts and cloud-connected systems - and the risk analysis requirement means the MFA method must be appropriate to the threat environment. For most government workloads, that means phishing-resistant authentication. YubiKey hardware security keys deliver exactly that, with native integration into the Microsoft identity stack most agencies already run.
If you are planning an MFA deployment to meet NZISM requirements, or upgrading from SMS or app-based authentication to a phishing-resistant solution, view our YubiKey for Government range or contact us to discuss your agency's requirements.
