Australia is turning a corner in its adoption of passkeys
While passkeys have been on the radar of Australian businesses and governments for several years, it is only in the past few months that high-profile adoption has taken place.
The federal government, through Services Australia, is increasingly promoting passkeys as a way to authenticate in order to access digital services through the myGov web portal. The number of myGov account holders who took up the capability grew from 20,000 in early July to 170,000 in late August.
Around the same time, another high-profile adopter emerged: digital bank ubank. Its new-to-bank customers have been using passkeys to log into its mobile banking app since June, and ubank then expanded the capability to existing customers in early August. “Eventually, all ubank customers will be prompted to set up passkeys to log in to the ubank app from their device, if they haven’t already set one up,” the bank said.
Both organisations outlined their rationale for wanting customers to authenticate with passkeys instead of a traditional username and password. For the government, it is about improving trust in digital service delivery, making it harder for scammers to steal and abuse logins for fraud and other purposes.
For ubank, the move is likewise about trust, but it is also rooted in research on its target customer demographic. That research found nearly two in five people were more confident that they were protected from data, identity theft, scams and fraud if biometrics were used as part of the authentication process.
The difference that two years makes
The adoption of passkeys represents a significant shift in the space of just two years. Passwordless authentication — an umbrella term that includes passkeys — was always seen as an obvious future direction for securing digital experiences and meeting customers’ needs in a secure manner. Enthusiasm for the technology over the past two years is largely unchanged. But two years ago, successfully configuring and deploying passwordless scenarios in applications and websites was considered exceedingly challenging.
A survey by Ping Identity and Yubico at the time found ubiquitous recognition of the benefits of passwordless, but “no current plans” among the majority of respondents to implement it.
Three key roadblocks to adoption were identified, all of them technical. There were challenges integrating a passwordless solution with existing digital systems; with accommodating various customer identity types while also adhering to industry-specific and geographical regulations; and with a lack of out-of-the-box passwordless solutions that could meet a wide variety of customer and organisational needs.
Some of these have since been resolved.
A key change has been to the operation of the security protocols that underpin passkeys and passwordless authentication. As this has improved over time, it has engendered more trust in the technology among technology teams and organisations, leading to increased adoption and use.
At the same time, users have become more comfortable with biometrics to authenticate to digital services. This has coincided with increased awareness of the need to move away from storing passwords on their devices. Many users have been caught up in data breaches, and want to move away from the current situation of having a password for every single digital service they interact with.
The final change is from an implementation and enablement perspective. The emergence of cloud-based solutions to implement and accelerate passwordless initiatives over the past two years has made a big difference. The best solutions in this space use templates and no-code, drag-and-drop orchestration to allow administrators to swiftly design, test and deploy various out-of-the-box passwordless registration and authentication experiences for diverse customer identity types, all at scale, with minimal manual setup.
Underpinning future service delivery models
Passkeys and other passwordless authentication methods are likely to support additional trends observed in Australia around driving customer contact predominantly — and eventually solely — into authenticated channels.
Australia’s banks have shown a keen interest in setting up their mobile apps as a place where customers can initiate all sorts of transactions, from monetary transactions through to seeking assistance from contact centre agents. For banks and other adopters of this model, it means they know who the customer is, and the context of what they were trying to do immediately before they sought assistance. It also removes the need to first verify that a customer is who they say they are before assistance can be provided at that moment. This promotes a more frictionless user experience, which should result in customers receiving support and resolutions much faster.
We anticipate seeing this in-app digital service delivery model proliferate over the next five years. As more banks adopt passkeys as the way to authenticate to enter their mobile banking app, the technology will underpin the security for a broad array of services that come together inside of the app, taking care of the complex set of authorisations that will need to happen seamlessly behind the scenes to deliver these enhanced, frictionless, all-in-one digital experiences.