Not all multi-factor authentication is created equal. While any form of MFA is better than a password alone, New Zealand's National Cyber Security Centre (NCSC) and the New Zealand Information Security Manual (NZISM) are increasingly clear that for privileged and remote access, only phishing-resistant methods meet the bar. For financial services firms, government agencies, and critical infrastructure providers, understanding this distinction is no longer optional.
This post breaks down what the NZISM says about MFA, why phishing-resistant authentication is fundamentally different from SMS codes and push notifications, and why hardware security keys are the most practical way to meet these requirements at scale.
What the NZISM Requires
The NZISM is the New Zealand Government's primary manual on information assurance and information systems security. While it is mandatory for government departments and agencies, Crown entities and private sector organisations are actively encouraged to adopt its controls, and many regulated industries increasingly reference it as a baseline.
On authentication, the NZISM is direct. Control 16.4.37.C.02 requires agencies to use two-factor or multi-factor authentication for access to privileged accounts. For external-facing systems, cloud-based services, and third-party authentication, control 16.7.42 sets out additional MFA requirements covering credential reset and access management processes.
Importantly, NZISM Section 16.7.1 goes further, recommending phishing-resistant MFA methods, specifically hardware tokens and biometric authentication, for privileged and remote access accounts. This recommendation from the NCSC reflects a global shift in understanding: that SMS OTPs, email codes, and push notification approvals, while technically multi-factor, are not resistant to the attacks most commonly used to compromise accounts today.
Why Ordinary MFA Is No Longer Enough
The weakness in most MFA deployments is not the factor itself but the assumption that the user can reliably distinguish a legitimate authentication request from a fraudulent one. Modern phishing attacks exploit that assumption directly.
Adversary-in-the-middle (AiTM) phishing kits, now widely available and increasingly automated, sit between the user and the legitimate service, relaying credentials and MFA codes in real time. The user enters their password and approves an SMS code or push notification believing they are logging in normally. They are not. The attacker has already used those credentials to open a session on the real service.
MFA fatigue attacks work differently but are equally effective. An attacker who already has a user's password floods them with push notification approval requests until the user, often frustrated or confused, taps approve. This technique was used in high-profile breaches at Uber and Cisco in 2022, and it continues to appear in incident reports globally.
Neither of these attacks works against phishing-resistant MFA, because phishing-resistant authentication does not rely on user judgement. It relies on cryptography.
How Phishing-Resistant Authentication Works
Phishing-resistant MFA, most commonly implemented via FIDO2/WebAuthn-compatible hardware security keys, uses asymmetric cryptography to authenticate the user. When a key is registered with a service, a unique public-private key pair is generated. The private key never leaves the device. During authentication, the device signs a challenge that is cryptographically bound to the specific domain requesting authentication.
This domain binding is the critical control. If a user is directed to a fraudulent site, even one that looks identical to the legitimate service, authentication will simply fail. The key will not respond to a challenge from the wrong domain. There is no code for an attacker to intercept, no push notification to approve, and no user decision that determines whether access is granted. The protocol enforces it automatically.
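The domain binding described above, as an added example that is not part of the original post: the relying-party check of a simulated WebAuthn assertion, written in Go. The authenticator side is simplified (RP ID taken as the origin's host, a 37-byte authenticatorData with no extensions), the domain names, key and challenge are constructed, and a real key would not even produce an assertion for a domain it holds no credential for; the point is that the service rejects an assertion made on another origin, a replayed challenge, or a missing user-verification flag without any decision by the user.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

var demoKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the pair created at registration; the RP stores only the public half

// authenticatorSign stands in for browser + security key: the browser records the page's real origin in clientDataJSON,
// the key writes SHA-256(RP ID) and flags (0x05 = user present | user verified) into authenticatorData, then signs
// authenticatorData || SHA-256(clientDataJSON) with the credential's private key (ES256).
func authenticatorSign(priv *ecdsa.PrivateKey, origin, rpID, challenge string) (authData, cdj, sig []byte, err error) {
	cdj, _ = json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	rpIDHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdj)
	authData = append(rpIDHash[:], 0x05, 0, 0, 0, 1) // rpIdHash(32) | flags(1) | signCount(4, big-endian)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err = ecdsa.SignASN1(rand.Reader, priv, msg[:])
	return
}

// verifyAssertion is the relying party's side: every check is mechanical, none depends on the user spotting a fake page.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, authData, cdj, sig []byte) error {
	var cd map[string]string
	rpIDHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdj)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	switch {
	case json.Unmarshal(cdj, &cd) != nil || cd["type"] != "webauthn.get" || cd["origin"] != origin:
		return fmt.Errorf("origin mismatch: browser recorded %q, expected %q", cd["origin"], origin)
	case cd["challenge"] != challenge:
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	case len(authData) < 37 || string(authData[:32]) != string(rpIDHash[:]) || authData[32]&0x05 != 0x05:
		return fmt.Errorf("rpIdHash mismatch or user presence/verification flags not set") // bit 0 = UP, bit 2 = UV
	case !ecdsa.VerifyASN1(pub, msg[:], sig):
		return fmt.Errorf("signature does not verify under the registered public key")
	}
	return nil
}

func main() {
	challenge := "Y29uc3RydWN0ZWQtY2hhbGxlbmdl" // constructed base64url challenge, as issued by the RP for this login
	for _, host := range []string{"login.example.govt.nz", "login.example.govt.nz.evil.test"} { // genuine site, then an AiTM proxy
		ad, cdj, sig, _ := authenticatorSign(demoKey, "https://"+host, host, challenge)
		fmt.Println(host, "->", verifyAssertion(&demoKey.PublicKey, "login.example.govt.nz", "https://login.example.govt.nz", challenge, ad, cdj, sig))
	}
}
```

Run as written, the genuine host verifies with `<nil>` and the proxy host fails on the origin check, even though the same key signed both with the same challenge.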
Google reported zero successful phishing attacks against its workforce after deploying FIDO security keys across more than 85,000 employees. That outcome is not exceptional. It reflects the structural security guarantee that hardware-based phishing-resistant authentication provides.
Why This Matters for Financial Services, Government, and Critical Infrastructure
These sectors share common characteristics that make phishing-resistant MFA a priority rather than a preference.
Financial services organisations hold high-value credentials and customer data that make them persistent targets. Regulatory expectations around access security are tightening, and a breach involving compromised administrative credentials carries significant regulatory and reputational consequences. Phishing-resistant MFA for privileged users and remote access is rapidly becoming an expectation, not a differentiator.
Government agencies operating under the NZISM have explicit obligations around privileged account access. As the NCSC notes in its guidance on third-party data breaches, administrators must not be excluded from MFA requirements, and phishing-resistant methods are the recommended standard for high-risk access paths. Agencies that rely on SMS OTP or basic push for privileged access are carrying risk that the NZISM controls are designed to mitigate.
Critical infrastructure providers, including energy, telecommunications, and transport operators, are increasingly subject to cyber security obligations that mirror government requirements. A compromise of operational technology access through stolen credentials would have consequences far beyond the organisation itself. The attack surface for remote access in these environments demands the strongest available authentication.
Hardware Security Keys: The Practical Implementation
FIDO2-certified hardware security keys, such as the YubiKey range from Yubico, are the most widely deployed phishing-resistant MFA method in enterprise and government environments. They are compatible with hundreds of platforms and applications including Microsoft Entra ID, Okta, Google Workspace, and most major VPN and PAM solutions. They work across Windows, macOS, Linux, iOS, and Android, and they require no battery, no mobile network, and no connectivity beyond the device itself.
For privileged access specifically, hardware security keys offer additional advantages: they can be PIN-protected, they support user verification as part of the authentication ceremony, and they provide hardware attestation, which allows organisations to verify that only approved device models are used for authentication.
Deployment does require planning. Organisations need to consider key provisioning, backup key processes, recovery workflows for lost devices, and integration with existing identity infrastructure. Trust Panda's Yubico-certified engineers have supported deployments of all sizes across enterprise and government environments, and we can assist New Zealand organisations with both the procurement and the technical rollout.
Where to Start
If your organisation is assessing its MFA posture against NZISM requirements, the starting point is identifying where phishing-resistant authentication is most urgently needed. Privileged accounts and remote access paths are the logical first priority. From there, a phased rollout to broader user populations is both practical and recommended.
Trust Panda supplies the full YubiKey range in New Zealand, including the YubiKey 5 Series, Security Key Series, and YubiKey Bio, with local stock and volume pricing available. To discuss your requirements, contact our sales team at sales@trustpanda.com or browse our range at trustpanda.co.nz.
Meeting the NZISM's intent on phishing-resistant MFA is achievable. The technology is mature, the deployment path is well-understood, and the protection it provides is substantial. The question is not whether to implement it, but how quickly.
