More Australian IT leaders could look to replace passwords with passkeys in 2024


The Australian government announced in 2023 that it would phase out the use of passwords to access key government digital services platform myGov. In the first half of 2024, Australians may be asked to adopt passkeys, which use individual biometric data to authenticate users.

The push for myGov passkeys among the Australian population will pave the way for IT leaders to adopt this more secure form of authentication in the private sector as public awareness and education increase. This could minimize the risk of phishing and elevate the cybersecurity of Australian businesses.

Passkeys to protect myGov users from escalating scams

The Australian Government said passkeys will be rolled out to myGov users during the first half of 2024. This marks a substantial step towards adoption of passkeys in the Australian market, as there are approximately 26 million active accounts for the whole-of-government digital platform and 3.3 million application users. The service is accessed 782,000 times a day.

Why are passkeys being implemented for critical government services?

The Australian government has been concerned about the level of protection that passwords offer. As it looks to build national defenses as part of the Australian Cyber Security Strategy 2023-2030, adopting more secure technologies and educating Australians has become a priority.

Because passkeys use biometric data such as fingerprint scans or facial recognition, along with a cryptographic authentication key on a device, to authenticate users, the Australian government hopes to move people away from passwords that are susceptible to phishing and, at the same time, provide a better digital experience.

The problem with passwords

Passwords have become an issue for Australian public and private sector organisations:

  • There is evidence that many people still use simple passwords that cybercriminals can easily crack, or recycle the same passwords across multiple services.
  • Passwords are the target of the phishing industry, which often attempts to lure unsuspecting users into providing login credentials to allow cybercriminals to access systems.
  • Passwords can easily be used by criminals if credential data becomes available through a leak or data breach, and are a popular item for sale on the dark web.

The Australian government said cybercriminals are using “scam-in-a-box” kits available online to create fake websites to launch phishing attacks against Australians with Centrelink, Australian Taxation Office and Medicare accounts. Scam-in-a-box kits allow cybercriminals to collect user IDs and passwords from large numbers of users, which can be sold on the dark web. Passkeys would help eliminate this by doing away with passwords.

Passkey adoption is growing and will gather pace

Major technology companies Apple, Google and Microsoft have led a growing push toward passkey adoption. They announced in 2022 that they were going to support passwordless logins, in line with global standards created and managed by authentication body FIDO Alliance.

They have since been joined by Amazon and a variety of consumer brands, including Adobe, TikTok, Shopify and PayPal. Some IT teams have also been rolling out workforce passkeys, including those at Fox, Hyatt, Intuit and Target, according to the FIDO Alliance.

The 2023 Workforce Authentication Report released by the FIDO Alliance and password manager LastPass, which supports the shift to passkeys, indicates that many businesses already see the benefit of moving to passkeys. It found that 92% of global businesses believe passkeys will benefit their security posture, and 93% agree they will help reduce “shadow IT” applications.

Australian organizations have a big appetite for passkey adoption

The FIDO Alliance survey, which included 200 companies surveyed in Australia, found that 94% of Australian respondents have already migrated to passwordless technology or plan to do so in the next two years, ahead of the global average of 92%.

A higher proportion of Australian businesses (94%) also believed passkeys would benefit their security posture. The FIDO Alliance said it demonstrated Australia was “rapidly seeking to minimize reliance on legacy authentication methods in favor of easy-to-use, phishing-resistant logins”.

Challenges still exist for widespread adoption of passkeys

Most Australian organizations still use phishable forms of authentication, the FIDO Alliance said. This includes:

  • One-time access codes sent to a phone or tablet (41%).
  • Entering passwords manually (27%).
  • Using multi-factor authentication (36%).

The survey acknowledged that a key challenge to adoption will be education, which will take time. IT leaders surveyed said they need education on how passwordless technology works and how to implement it, while 25% said users may resist change or using new technology.

While workforce adoption of passkeys is still in its infancy, the public sector's proactive implementation of passkeys for myGov could act as a strong catalyst for broader adoption as the government does the job of educating users and encouraging adoption of new technology.

What should IT professionals think about before introducing passkeys?

Passkeys are likely to gain traction among Australian organizations, especially considering the risks of compromising passwords through phishing, which remains a key cybersecurity risk. Organizations will need to think through the issues before launching the technology.

Framing the adoption of new passkey technologies

IT leaders must have a clear narrative about the purpose and functionality of passkeys to ensure change management success. Aided by increased awareness of the impact of phishing scams in Australia and the potential positive impact of passkeys on user experience, a consistent story could facilitate easier introduction and adoption.

Educate workforce and customers about passkeys

While the Australian Government will do a lot of legwork to educate the public about passkeys as part of the myGov launch to ensure they are adopted by a large number of users, businesses will still need to consider how they support education delivery and onboarding so that the technology is rolled out smoothly to their employees and customer bases.

Address business and technical challenges

Some technical effort will be required on the part of developers to add passkeys to apps and websites, and businesses will need to prioritize updating authentication among other competing priorities. There has also been fragmentation in approaches, with a Google product manager saying that although the technology exists, the industry is still figuring out how to implement it.