Older Applications and the MFA Gap

Older applications, built with outdated technology frameworks, are relics of a past time when cybersecurity factors were very different from today or even not present at all. 

These applications from the past were forged in an age when security was but an afterthought, their foundations laid without the foresight of today’s modern security paradigms. Consequently, they now find themselves ensnared in a web of vulnerabilities, exposed to a plethora of lurking threats.

One such vulnerability is the absence of Multi-Factor Authentication (MFA), a cornerstone of contemporary security practices. Unlike their modern counterparts, legacy applications lack native support for MFA, leaving them defenceless against the modern-day onslaught of threat actors. A with an arsenal of techniques, malicious actors prey upon the frailty of compromised credentials like vultures.

MFA on legacy applications is an important consideration for the Essential Eight because:

  • It reduces the risk of credential compromise and unauthorized access to sensitive data and systems.
  • It helps mitigate common attack vectors such as phishing, brute force, and password spraying.
  • It aligns with the ACSC’s best practices for securing user authentication and improving cyber resilience.
  • It enables organisations to comply with regulatory and industry standards that require MFA for certain applications and services.

Hence, adding MFA to legacy applications is a crucial measure for improving cybersecurity and preventing modern attacks.

Why is MFA Important?

1. Enhanced Security –

MFA enhances security by using an extra level of safeguard besides the usual single-factor authentication (e.g., passwords). Even if a hacker gets hold of a user’s password, they will still require the second factor (such as a mobile app or hardware token) to access.

2. Mitigating Credential Theft –

Legitimate user credentials are often attacked by malicious actors. They can use a system breach to get these credentials and access other parts of a network without requiring more exploits. MFA increases the difficulty for attackers to abuse stolen credentials.

3. Reducing the Impact of Phishing –

Single-factor authentication methods (such as passwords) can be compromised by phishing attacks. But MFA methods that are phishing-resistant (like time-based one-time passwords or push notifications) offer a more secure option.

 4. Masking Malicious Activities –

Remote access solutions (such as VPNs) are attractive targets for attackers who want to hide their actions. Using MFA for such services makes sure that even if an attacker breaks in, they cannot spread easily within the network.

In the absence of MFA, legacy applications cling desperately to outdated authentication methods, primarily relying on passwords as their last line of defence. Yet, passwords, once revered as the keys to adequate protection, now serve as mere tokens of vulnerability, easily exploited by adversaries.

Without MFA, legacy applications stand naked and exposed, vulnerable to unauthorised access. It is a sobering reality, a stark reminder of the consequences of neglecting the evolution of security in the ever-changing landscape of technology. Let us not forget the lessons of the past and the vulnerabilities that lie dormant within the legacy apps of yesteryear.

Strategies for Adding MFA to Legacy Applications

1. Identity Orchestration Platforms: these platforms act as intermediaries between the application and the user. By integrating MFA capabilities at this layer, organisations can enhance security without modifying the legacy application itself.

2. Access Proxies: access proxies offer efficient ways to integrate MFA with legacy applications. They provide cost-effective methods for securing access without extensive development efforts.

3. Phasing Out Weak Authentication Methods: Organisations should gradually phase out weak authentication methods (such as SMS-based codes) in favour of more robust MFA options.

ACSC’s Essential Eight and MFA

The ACSC’s Essential Eight is a set of cybersecurity strategies aimed at mitigating common threats. MFA is one of these essential controls. By implementing MFA, organisations align with ACSC’s recommendations and significantly improve their security posture.

In summary, MFA is not just a nice-to-have; it’s a critical component of a robust security strategy. For legacy applications, integrating MFA through identity orchestration platforms or specialised solutions ensures better protection against credential-based attacks and enhances overall security.

Remember, security is a journey, and safeguarding legacy applications is an essential part of that journey.


The Essential Eight framework is a model of cybersecurity excellence that covers a comprehensive set of strategies to protect against modern threats. By implementing MFA on legacy applications, one of the essential controls, organisations can reduce the risk of credential compromise and unauthorised access to sensitive data and systems. MFA can be added to legacy applications through identity orchestration platforms or access proxies, without modifying the application itself.

Why Frame?

Frame can mitigate this security risk in two ways.

Firstly, Frame’s Australian-based software development team specialise in modernising legacy proprietary software applications so that your beloved old software application can not only integrate with other modern software but is also able to integrate into modern security solutions such as MFA.

Secondly, our Frame Secure practice offers a fast and reliable way to assess your Essential Eight compliance, giving you assurance that you meet the highest standards of cybersecurity. Our team of experts are accredited by Microsoft, Cisco, VMware and other leading vendors, ensuring that you get the best advice and solutions for your needs.