Back in 2021, Okta wrote about the ACSC's updated Essential Eight maturity model and its landmark decision to extend multi-factor authentication (MFA) to more contexts. That change marked a significant shift: MFA was no longer just for remote access, but a baseline expectation across the public sector workforce and for many citizen-facing services.

Four years on, the Essential Eight has continued to evolve. Today, it is not only a baseline for government but the yardstick for cyber resilience across all industries. And the challenge has shifted once again: organisations must now move beyond baseline protections and target Maturity Level 3, advanced safeguards that can withstand the identity-driven attacks most common in today's threat landscape.

Why the Essential Eight Matters

Cybersecurity incidents in Australia are accelerating. The Australian Institute of Criminology recently found that nearly half of Australians experienced a cybercrime in the past year, including identity theft, fraud, and malware attacks.

The Australian Signals Directorate (ASD) has observed a similar pattern in its own incident response work: most incidents stem from weak identity controls and poor cyber hygiene. To address this, ASD created the Essential Eight—a practical, risk-based set of mitigation strategies that dramatically reduce the likelihood of a breach.

While the strategies were initially drawn from ASD's experience responding to compromises of Microsoft Active Directory networks, seven of the eight controls are broadly applicable to any environment. The Essential Eight has evolved into the benchmark for cyber resilience across industries.

Who Needs the Essential Eight?

The Protective Security Policy Framework (PSPF) makes compliance mandatory for all Australian Government agencies. They must reach Maturity Level 2 across each of the eight strategies.

But the Essential Eight is just as important for the private sector. The ASD recommends that all Australian organisations, from small businesses to critical infrastructure providers, implement these strategies as a baseline defence. If your organisation connects people, devices, or services online, the Essential Eight applies to you.

The Essential Eight Maturity Model

The Essential Eight Maturity Model (E8MM) helps organisations take a staged approach to security uplift. Instead of chasing perfect controls in a few areas, the model emphasises a consistent baseline across all eight.

  • Maturity Level 1: Basic protections.

  • Maturity Level 2: Stronger baseline - mandated for government.

  • Maturity Level 3: Advanced protections that withstand targeted, identity-driven threats.

In today's environment, Level 3 is the target every organisation should aspire to.

Why? Because the threat landscape has shifted. Phishing-as-a-service platforms can now clone trusted brands in minutes. Adversary-in-the-middle (AiTM) attacks steal session tokens to bypass weak MFA. And MFA fatigue campaigns pressure users into approving fraudulent requests.

Okta has seen first-hand how these attacks play out - they are fast, scalable and often successful against legacy MFA. Maturity Level 3 is about staying one step ahead, not playing catch-up.

Why Okta

Meeting Level 3 maturity requires strong identity-first controls. This is where Okta can help.

At Okta, we view identity as the control plane for cybersecurity, as all access decisions, device posture checks, and policy enforcement flow through it. If you don't secure identity, you don't secure your business.

As the world's largest independent identity provider, Okta helps organisations move faster towards Essential Eight Maturity Level 3. We do this by:

  • Delivering phishing-resistant MFA across the workforce, customer, and privileged accounts.

  • Enforcing least privilege access and enabling zero standing privilege for administrators.

  • Providing device assurance and identity posture management to block risky endpoints.

  • Offering robust logging, monitoring, and attestations to support compliance.

Okta has also been independently assessed at IRAP PROTECTED, giving customers confidence that our services meet stringent Australian government standards.

How Okta Supports the Essential Eight

Apply Multi-Factor Authentication (Primary Role)

Okta makes MFA simple to deploy for every identity - workforce, customer, partner, and administrator. We support a wide range of factors, including FIDO2 passkeys, Okta FastPass, and PIV smart cards.

Restrict Administrative Privileges (Primary Role)

Okta helps organisations eliminate standing admin rights with:

  • Just-in-time access to privileged resources.

  • Approval workflows and certification campaigns to validate access.

  • Identity Security Posture Management to discover unused or risky admin accounts.

  • Immutable logs for all privileged activity.

Okta Privileged Access can gate administrative access to servers, secrets, and service accounts behind phishing-resistant MFA, with every action recorded in immutable logs. Identity Security Posture Management helps security teams discover misconfigurations and unused admin accounts in downstream SaaS apps.

Device Context & Posture (Supporting Role)

Okta enforces device posture policies so that users with outdated browsers or operating systems cannot access sensitive systems. This evaluation relies on device context gathered from the end-user device by a trusted agent. Okta customers can use signals from managed devices via endpoint security and posture integrations, or, on unmanaged devices, signals from Okta Verify only.

Implement Application Control & Harden Applications (Supporting Role)

While application control and hardening requirements are best met with partner solutions, Okta plays a supporting role in reducing risk by ensuring that only the right people access the right resources.

With the Workforce Identity Cloud, administrators can:

  • Manage access through group-based or attribute-based assignments.

  • Automate joiner, mover, and leaver processes via integration with HRIS systems.

  • Gain visibility into user access, group memberships, and assignments.

  • Use Identity Governance to conduct periodic certification campaigns and revalidate entitlements.

Backup Data & Restrict Macros (Supporting Role)

Backup and macro restrictions are outside Okta's direct scope. However, customers benefit from:

  • Resilient cloud services backed by a 99.99% SLA.

  • APIs for configuration backup, with partner integrations to automate retention and restore.

Configuring for Maturity Level 3

Moving to Level 3 doesn't need to be complex. Okta provides the building blocks to align authentication and access policies with ASD’s requirements:

  • MFA enforcement for all privileged accounts.

  • Use of phishing-resistant factors.

  • Device assurance checks at every login.

All authentication and privileged access events in Okta are recorded in immutable logs, which can be streamed to security operations tools in near real time. This visibility is key to meeting Maturity Level 3 requirements.
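The MFA fatigue campaigns described earlier leave a recognisable pattern in exactly the authentication events that get streamed to security operations tools: a burst of push challenges to one user, at least one explicit denial, and sometimes an approval shortly afterwards. The detection logic below is an added example, not Okta code or content from the original post; it runs over constructed, simplified System Log-style entries, and the event type names are assumptions modelled on Okta's naming.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event type names are assumptions modelled on Okta System Log naming; the
# events, users and timestamps below are constructed for this example.
PUSH_SENT = "system.push.send_factor_verify_push"
PUSH_DENIED = "user.mfa.okta_verify.deny_push"
MFA_SUCCESS = "user.authentication.auth_via_mfa"

def ev(minute, second, actor, event_type):
    """Build one simplified log entry at 09:<minute>:<second> on a fixed day."""
    return {"published": f"2025-01-10T09:{minute:02d}:{second:02d}Z",
            "eventType": event_type, "actor": actor}

SAMPLE_EVENTS = (
    # alice: six pushes in under a minute, one denial, then an approval -> high
    [ev(0, 10 * i, "alice@example.com", PUSH_SENT) for i in range(6)]
    + [ev(0, 25, "alice@example.com", PUSH_DENIED), ev(1, 30, "alice@example.com", MFA_SUCCESS)]
    # bob: ordinary login, one retry and a success -> no finding
    + [ev(2, 0, "bob@example.com", PUSH_SENT), ev(2, 40, "bob@example.com", PUSH_SENT),
       ev(3, 0, "bob@example.com", MFA_SUCCESS)]
    # carol: burst with a denial but never approves -> medium
    + [ev(5, 12 * i, "carol@example.com", PUSH_SENT) for i in range(5)]
    + [ev(5, 20, "carol@example.com", PUSH_DENIED)]
)

def detect_mfa_fatigue(events, window=timedelta(minutes=5), push_threshold=5):
    """Return {user: severity} for users who received push_threshold or more push
    challenges within `window` and explicitly denied at least one. A successful
    MFA authentication within `window` after the burst makes it 'high'."""
    by_user = defaultdict(list)
    for e in events:
        ts = datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%SZ")
        by_user[e["actor"]].append((ts, e["eventType"]))
    findings = {}
    for user, evs in by_user.items():
        evs.sort()
        pushes = [t for t, kind in evs if kind == PUSH_SENT]
        for i, start in enumerate(pushes):
            burst = [t for t in pushes[i:] if t - start <= window]
            if len(burst) < push_threshold:
                continue
            end = burst[-1]
            if not any(kind == PUSH_DENIED and start <= t <= end for t, kind in evs):
                continue  # rapid pushes with no pushback: could be a flaky client
            approved = any(kind == MFA_SUCCESS and end <= t <= end + window for t, kind in evs)
            findings[user] = "high" if approved else "medium"
            break  # one finding per user is enough for this example
    return findings
```

A 'high' finding is the case to page on: the burst ended with an approval, so the session should be treated as suspect and the user's factors reviewed.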

Okta's Security Program

Okta is more than a technology partner - we are a security-first organisation. Our services have been independently assessed at IRAP PROTECTED, giving customers confidence that our services meet stringent Australian government standards.

Get Started Today

Australian organisations don't just need compliance; they also need confidence that their defences can withstand modern attackers.

Okta helps you:

  • Deploy phishing-resistant MFA everywhere.

  • Transition to least privilege and zero standing privilege.

  • Strengthen device and session posture.

The question is no longer if you'll face identity-driven attacks, but when. The Essential Eight gives you a proven foundation, and Okta helps you reach it faster.

For more detail on how Okta’s product portfolio helps organisations achieve the highest levels of ACSC Essential 8 Maturity, read the full document here.