The Australian government announced in 2023 that it would phase out the use of passwords to access key government digital service platform myGov. In the first half of 2024, Australians may be asked to adopt passkeys, which use individual biometric data to authenticate users.

The myGov passkey push across the Australian population will pave the way for IT leaders to adopt this more secure form of authentication in the private sector as public awareness and education rise. This could minimise the risk of phishing and elevate cyber security for Australian businesses.

Passkeys to protect myGov users from escalation in scams

The Australian government said passkeys will be rolled out for users of myGov during the first half of 2024. This marks a substantial move towards the adoption of passkeys in the Australian market, as there are approximately 26 million active accounts for the all-of-government digital platform and 3.3 million app users. The service is being accessed 782,000 times per day.

Why are passkeys being rolled out for critical government services?

The Australian government has been concerned about the security protection offered by passwords. As it seeks to build national defences as part of the 2023-2030 Australian Cyber Security Strategy, adopting more secure technologies and educating Australians has become a priority.

SEE: Australia’s security teams will need to stay ahead of cyber security trends.

Because passkeys utilise biometric data like fingerprint scans or facial recognition, along with a cryptographic authentication key on a device to authenticate users, the Australian government hopes to prevent people from using phishable passwords, while providing a better digital experience.

The problem with passwords

Passwords have become a problem for Australian public and private sector organisations:

  • There is evidence that many people still use simple passwords that are easy for cybercriminals to crack or recycle the same passwords across multiple services.
  • Passwords are a target of the phishing industry, which often tries to lure unsuspecting users into providing log-in credentials to allow cybercriminals access to systems.
  • Passwords can be readily used by criminals if the credential data is made available via a data breach or leak, and they are a popular item for sale on the dark web.

The Australian government said cybercriminals are using “scam-in-a-box” kits available on the internet to create fake websites with which to launch phishing attacks on Australians with Centrelink, Australian Tax Office and Medicare accounts. The scam-in-a-box kits allow cybercriminals to harvest user IDs and passwords from large numbers of users, which can be sold on the dark web. Passkeys would help to eliminate this by removing passwords.

Adoption of passkeys is picking up and will increase in pace

Major tech companies Apple, Google and Microsoft have spearheaded growing momentum towards passkey adoption. They announced in 2022 that they were moving to support passwordless log-ins, in line with global standards created and administered by authentication body FIDO Alliance.

SEE: Google adds passkey option to replace passwords on Gmail.

They have since been joined by Amazon and a range of consumer brands including Adobe, TikTok, Shopify and PayPal. Some IT teams have also been deploying passkeys for workforces, including those at Fox, Hyatt, Intuit and Target, according to FIDO Alliance.

The 2023 Workforce Authentication Report released by FIDO Alliance and password manager LastPass, which backs the move to passkeys, indicates many businesses already see the benefit of moving towards passkeys. It found 92% of global businesses think passkeys will benefit their security posture, and 93% agree they will help reduce “shadow IT” applications.

Australian organisations have a strong appetite for passkey adoption

The survey from FIDO Alliance, which included 200 business respondents in Australia, found that 94% of Australian respondents have already moved or were planning to move within the next two years to passwordless technology, ahead of the global average of 92%.

A larger proportion of Australian businesses (94%) also believed passkeys would benefit their security posture. The FIDO Alliance said it showed Australia was “rapidly looking to minimise reliance on legacy authentication methods in favour of user-friendly, phishing-resistant sign-ins.”

Challenges to widespread passkey adoption still exist

The majority of Australian organisations are still using phishable forms of authentication, the FIDO Alliance said. This includes:

  • One-time passcodes sent to a handset or tablet (41%).
  • Manually entering passwords (27%).
  • Using multi-factor authentication (36%).

The survey acknowledged a key challenge to adoption will be education, which will take time. IT leaders surveyed said they need education on how passwordless technology works and how to deploy it, while 25% said users may resist change to or use of the new technology.

SEE: Managing change plays a big role in business culture.

While the workforce adoption of passkeys is still in its infancy, the public sector’s proactive passkey rollout for myGov could act as a strong catalyst for wider adoption as the government does the work of educating users and encouraging adoption of the new technology.

What should IT pros think about before introducing passkeys?

Passkeys are likely to gain traction among Australian organisations, especially considering the risks of password compromise through phishing, which remains a key cyber security risk. Organisations will need to think through the issues before the rollout of the technology.

Framing the adoption of new passkey technologies

IT leaders should be armed with a clear narrative about the purpose and functionality of passkeys, to ensure change management success. Assisted by growing awareness around the impact of phishing scams in Australia and the potential positive impact on user experience from passkeys, a cohesive story could ease introduction and adoption.

Educating workforces and customers on passkeys

Though the Australian government will be doing a lot of legwork to educate the public around passkeys as part of the myGov rollout to ensure they are adopted by a large number of users, businesses will still need to consider how they support the delivery of education and onboarding for the technology to ensure smooth rollout for their employees and customer bases.

Address the business and technical challenges

Some technical effort will be required from developers to add passkeys to apps and websites, and businesses will need to prioritise the authentication upgrade among other competing priorities. There has also been fragmentation in approaches, with one Google product manager saying that, although the tech exists, the industry is still figuring out how to implement it.


Leave a Reply

Your email address will not be published. Required fields are marked *