Passcodes provide a secure method of authentication, resistant to phishing. Supported by tech giants such as Microsoft, Apple, and Google, passcodes utilize encrypted credentials stored on a digital or hardware device to substitute passwords and other less secure multi-factor authentication techniques that are common targets for cyber threats.
While adoption of passcodes has been on the rise in APAC, Australia has been slow in embracing this technology. In the public sector, only recently has MyGov introduced passcode logins for its online services. The banking sector in Australia still heavily relies on One Time Passcode (OTP) multi-factor authentication as the primary method of verification.
Geoff Schomburgk, the Vice President for Asia Pacific and Japan at Yubico, a provider of hardware-bound passcodes, highlighted that barriers to adoption in Australia include low levels of cybersecurity maturity in the public sector, concerns regarding the impact on customer experience in banking, and misconceptions about the complexity of implementing passcode systems.
Passcode technology and YubiKey product experiencing growth in APAC
Yubico’s collaboration with Google to integrate public key cryptography into YubiKeys and develop a new authentication protocol marked a turning point for their business. Following Google’s decision to distribute YubiKeys to all employees, other global tech giants like Amazon, Facebook, Uber, and Microsoft quickly followed suit.
Schomburgk noted that major tech companies globally are adopting passcodes at a large scale for their operations.
The adoption of YubiKeys is on the rise in APAC due to global outsourcing, particularly in countries like India and the Philippines. Schomburgk highlighted that adoption is gaining momentum in Japan, Southeast Asia, Singapore, and Australia, driven by organizations like Atlassian in Australia seeking the enhanced security advantages over traditional authentication methods.
SEE: Understanding passkeys: Their significance and implementation
Leading tech companies are facilitating the broader adoption of passcodes. In 2024, Microsoft introduced user passcode availability on various services such as Bing, Microsoft 365, and Xbox.com, joining other global brands like Adobe, Amazon, Apple, Google, Hyatt, Nintendo, PayPal, PlayStation, Shopify, and TikTok.
As per the FIDO Alliance, which promotes open standards for passcodes, the usage of passcodes has expanded to cover 13 billion accounts as of July 2024.
Nevertheless, the adoption of passcode technology has been sluggish in Australia. While there was an expectation that the availability of passcodes would prompt the phasing out of passwords to combat phishing attacks, progress in Australia has been limited.
Government passcode adoption boosted by cybersecurity maturity
MyGov was among the early adopters of passcodes for digital government services worldwide. The move by MyGov, the central portal for government services in Australia, played a crucial role in raising awareness about passcodes. This initiative aligns with Australia’s Cyber Security Strategy 2023-2030.
The government reported a strong initial response, with 20,000 users setting up passcodes within a week.
Other agencies are still catching up. The requirement for phishing-resistant passwords at Maturity Level 2 of Australia’s Essential Eight cyber security framework, following updates in November 2023, aims to tackle the vulnerabilities associated with weaker multi-factor authentication methods susceptible to phishing and social engineering attacks.
However, the most recent Commonwealth Cyber Security Posture report in November 2023 revealed that only 25% of agencies met the Maturity Level 2 criteria, showing an improvement from 19% in 2022.
Schomburgk highlighted that the cybersecurity maturity levels in the public sector vary across federal government agencies, with federal entities leading the way. Local governments, which are usually smaller and more independent, tend to rely more on usernames and passwords without robust multi-factor authentication mechanisms.
Banking industry’s internal MFA drives consumer services
The banking sector in Australia has made significant strides in cybersecurity measures, but it has yet to transition to passcodes for customer authentication on a large scale. Currently, the sector predominantly utilizes One Time Passcodes, a form of multi-factor authentication that, while stronger than passwords alone, remains vulnerable to phishing attacks.
Ubank, a digital bank, stands out as an exception, having introduced passcodes in August 2024. Citing the substantial losses Australians suffered due to scams in 2023, Ubank stated that passcodes would heighten security by making it “more challenging for criminals to gain unauthorized access using stolen login credentials.”
SEE: The advantages of passwordless authentication
Schomburgk mentioned that banks have been proactive in implementing some form of internal multi-factor authentication for their employees. Yet, there is a growing recognition that multi-factor authentication must be resistant to phishing to achieve a higher level of security maturity. Yubico is collaborating with major Australian banks on the next steps in this regard.
Challenges in embracing and executing passkeys
Various hurdles need to be overcome by governmental bodies and financial institutions to integrate passkeys.
Perception of intricacy and ease of use: The viewpoint that passkeys and physical security devices such as YubiKeys are more intricate and less straightforward compared to traditional authentication methods.
Managing change: Implementing passkeys requires IT and security leaders to adjust to organizational transformations, often facing pushback from employees.
User training and consciousness: Educating users about the advantages and simplicity of using passkeys is crucial, emphasizing their enhanced security and ease of use compared to older authentication techniques.
Integration with outdated systems: In the banking sector, integrating passkey compatibility into existing online platforms and applications might be seen as a technical obstacle, especially since many have been developed independently.
Client experience: Financial institutions are extremely attentive to client experience, sometimes hesitant to introduce new authentication requirements when customers are comfortable with current procedures.
Efficient strategies to implement passkeys
Schomburgk suggested that organizations rolling out passkeys should:
Avoid being discouraged by perceived obstacles
Schomburgk pointed out that the perceived obstacles to passkey implementation are often more significant than the actual technical difficulties. He advised organizations not to hold back or worry about potential problems but to initiate the process. Solutions to technical challenges will manifest as they progress.
Emphasize the advantages
The benefits of passkeys – such as enhanced security and ease of use for both employees and customers – generally outweigh the perceived obstacles. Schomburgk maintains that once organizations start incorporating passkeys, they will realize that the benefits can hasten adoption.
Give priority to education and awareness
Educating both IT personnel and end-users on the superiority of passkeys over outdated authentication methods is vital. Consistent communication and education, both internally and externally, will contribute to wider adoption over time.
Commence with small steps and build momentum
Getting accustomed to the technology and its benefits can lead to broader acceptance. As entities like MyGov persist in promoting passkeys and the utilization of passkeys or hardware-bound authenticators like YubiKeys increases in corporations, early adopters are likely to motivate other users to embrace passkeys.
About Author
