Passkeys offer a phishing-resistant mode of authentication. Backed by tech giants Microsoft, Apple, and Google, passkeys leverage encrypted credentials stored on a digital or hardware device to replace passwords and weaker multi-factor authentication methods — prime vectors for cyber attacks.
Despite its growth in APAC, passkey adoption has been relatively slow in Australia. In the public sector, MyGov only recently introduced passkey logins for its online services. In the banking sector, One Time Passcode, or OTP multi-factor authentication, is still the de facto authentication method in the Australian market.
Geoff Schomburgk, vice president for Asia Pacific and Japan at Yubico, which offers hardware-bound passkeys, said adoption barriers include low cybersecurity maturity levels in the public sector, a concern for customer experience in the banking sector, and unwarranted perceptions that passkey rollouts are technically complex.
Yubico’s business took off when it worked with Google to integrate public key cryptography into YubiKeys and develop a new authentication protocol. With Google deciding to distribute YubiKeys to all employees, other global tech players followed, including Amazon, Facebook, Uber, and Microsoft.
“Pretty much all the global tech companies are using them at scale in their businesses,” Schomburgk said.
In APAC, global outsourcing is driving some adoption of YubiKeys in India and the Philippines. Adoption in Japan, Southeast Asia, Singapore, and Australia is “accelerating,” Schomburgk said, as organisations like Australia’s Atlassian seek the enhanced security benefits over legacy authentication methods.
Big tech is the enabler for the wider adoption of passkeys. In 2024, Microsoft launched user passkey availability on services like Bing, Microsoft 365, and Xbox.com, adding to global brands including Adobe, Amazon, Apple, Google, Hyatt, Nintendo, PayPal, PlayStation, Shopify, and TikTok.
According to the FIDO Alliance, the open industry alliance creating and promoting open standards for passkeys, the reach of passkeys had expanded to encompass 13 billion accounts in July 2024.
However, passkey technology use has not grown in Australia. There is an expectation that the technical availability of passkeys would lead to the rollout and replacement of passwords sooner to stop the phishing epidemic, but so far progress in Australia has been slow.
MyGov was among the first digital government services in the world to roll out a passkey option for users. As the central portal for government services in Australia, the move was a critical step in raising awareness for passkeys. The move is also in line with Australia’s Cyber Security Strategy 2023-2030.
The government said it got off to a strong early start, with 20,000 setting up passkeys within a week.
Other agencies have work to do. Phishing-resistant MFA is now required at Maturity Level 2 of Australia’s Essential Eight cyber security framework, following updates in November 2023 to combat weaker MFA implementations that are susceptible to real-time phishing or social engineering attacks.
But the most recent Commonwealth Cyber Security Posture report in November 2023 found only 25% of agencies measured up to Maturity Level 2, although this was an improvement on just 19% in 2022.
Schomburgk explained that cybersecurity maturity in the public sector varies across the three tiers of government, with federal government agencies leading the pack. Local governments, which tend to be smaller and more autonomous, are more reliant on usernames and passwords without stronger MFA.
The banking sector in Australia is advanced in its cybersecurity efforts, but it has not yet made a collective jump to passkeys for customer authentication. The sector still relies on One Time Passcodes, a form of MFA that, although more effective than passwords alone, is still vulnerable to phishing.
A notable exception is digital bank Ubank, which launched passkeys in August 2024. The bank cited the $2.7 billion Australians lost to scams in 2023 as a reason for its decision and said passkeys would make it “harder for criminals to access accounts using stolen usernames and passwords.”
Schomburgk said banks are generally advanced in deploying some form of MFA internally for their staff. However, there is also a growing realisation that MFA needs to be phishing-resistant to reach a higher level of security maturity. Yubico is working on the next steps with some Australian major banks.
Government agencies and banks must overcome some barriers to implement passkeys.
Perceived complexity and convenience: The perception of passkeys and physical security keys like YubiKeys being more complex and less convenient compared with traditional authentication methods.
Change management: IT and security leaders implementing passkeys must adapt to organisational change, often leading to employee resistance.
User education and awareness: There is a need to educate users on the benefits and convenience of passkeys, including that they are more secure and convenient than legacy authentication methods.
Integrating with legacy systems: In banking, integrating passkey support into existing online platforms and applications can seem like a technical challenge, as many have been developed independently.
Customer experience: Banks are highly sensitive to customer experience, with some reluctance to roll out new requirements for authentication when customers are comfortable with existing processes.
Schomburgk said that organisations introducing passkeys should:
The perceived barriers to implementing passkeys are often greater than the actual technical challenges, according to Schomburgk. He encouraged organisations not to hold back and worry about potential issues. Instead, they should “get started on the journey,” and the technical solutions will become apparent.
The benefits of passkeys — including improved security and convenience for employees and customers — often outweigh the perceived barriers. Schomburgk argues that once organisations start implementing passkeys, they will find that the benefits can accelerate adoption.
Educating both IT staff and end-users about the advantages of passkeys over legacy authentication methods is important. Continuous communication and education, both internally and with the broader public, will help drive broader adoption over time.
Familiarisation with the technology and benefits can breed more widespread adoption. As agencies like MyGov continue to promote passkeys, and the use of passkeys or hardware-bound authenticators like YubiKeys grows in companies, early adopters are likely to encourage other users to embrace passkeys.