Passkey adoption is accelerating in APAC, excluding Australia


Passkeys offer a phishing-resistant mode of authentication. Backed by tech giants Microsoft, Apple and Google, passkeys use encrypted credentials stored on a digital or hardware device to replace passwords and weaker multi-factor authentication methods – prime vectors for cyberattacks.

Despite their growth in the APAC region, passkey adoption has been relatively slow in Australia. In the public sector, MyGov recently introduced the use of passkeys for its online services. In the banking sector, one-time passcode (OTP) multi-factor authentication remains the de facto authentication method in the Australian market.

Geoff Schomburgk, vice president for Asia Pacific and Japan at Yubico, which offers hardware-bound passkeys, said barriers to adoption include low levels of cybersecurity maturity in the public sector, a concern about customer experience in the banking sector and unjustified perceptions that passkey implementations are technically complex.

Passkey technology and YubiKey products experience growth in APAC

Yubico’s business took off when it worked with Google to integrate public-key cryptography into YubiKeys and develop a new authentication protocol. When Google decided to distribute YubiKeys to all its employees, other global tech companies followed suit, including Amazon, Facebook, Uber, and Microsoft.

Image: Geoff Schomburgk, Vice President Asia Pacific and Japan, Yubico

“Virtually every global technology company is using them at scale in their business,” Schomburgk said.

In the APAC region, global outsourcing is driving YubiKey adoption in India and the Philippines. Adoption in Japan, Southeast Asia, Singapore and Australia is “accelerating,” Schomburgk said, as organizations like Australia’s Atlassian seek the enhanced security benefits over traditional authentication methods.


Big tech companies have enabled the broadest adoption of passkeys. In 2024, Microsoft launched passkeys for users on services like Bing, Microsoft 365, and Xbox.com, joining global brands like Adobe, Amazon, Apple, Google, Hyatt, Nintendo, PayPal, PlayStation, Shopify, and TikTok.

According to the FIDO Alliance, the open industry alliance that creates and promotes open standards for passkeys, the reach of passkeys had expanded to cover 13 billion accounts by July 2024.

However, the use of passkey technology has not increased in Australia. It is hoped that the technical availability of passkeys will lead to earlier implementation and replacement of passwords to stem the phishing epidemic, but so far progress in Australia has been slow.

Government passkey adoption is driven by cybersecurity maturity

MyGov was one of the first digital government services in the world to implement a passkey option for users. As the central portal for government services in Australia, the move was a critical step in raising awareness about passkeys. The move is also in line with Australia’s Cybersecurity Strategy 2023-2030.

The government said it was off to a very good start, with 20,000 passkeys set up in a week.

Other agencies have work to do. Phishing-resistant MFA is now mandatory at Maturity Level 2 of Australia’s Essential Eight cybersecurity framework, following updates in November 2023 to combat weaker MFA implementations that are susceptible to real-time phishing or social engineering attacks.

But the most recent Commonwealth Cyber Security Posture report, from November 2023, found that only 25% of agencies were at Maturity Level 2, although this was an improvement from just 19% in 2022.

Schomburgk explained that cybersecurity maturity in the public sector varies across all three levels of government, with federal government agencies leading the way. Local governments, which tend to be smaller and autonomous, rely more heavily on usernames and passwords without stronger MFA.

The banking sector's internal MFA leads the consumer offering

The Australian banking industry has made progress in its cybersecurity efforts, but has not yet made the collective leap to passkeys for customer authentication. The industry still relies on one-time passcodes, a form of multi-factor authentication that, while more effective than passwords alone, remains vulnerable to phishing.

One notable exception is digital bank Ubank, which launched passkeys in August 2024. The bank cited the $2.7 billion Australians lost to scams in 2023 as the reason for its decision and said passkeys would make it “harder for criminals to access accounts using stolen usernames and passwords”.


Schomburgk said banks are generally well advanced in implementing some form of internal multi-factor authentication for their staff. However, there is also a growing awareness that multi-factor authentication needs to be phishing-resistant to achieve a higher level of security maturity. Yubico is working on next steps with some of Australia’s leading banks.

Barriers to the adoption and implementation of passkeys

Government agencies and banks must overcome some barriers to implementing passkeys.

Perceived complexity and convenience: The perception that passkeys and physical security keys like YubiKeys are more complex and less convenient than traditional authentication methods.

Change management: IT and security leaders implementing passkeys must adapt to organizational change, which often results in employee resistance.

User education and awareness: Users need to be educated about the benefits and convenience of passkeys, including that they are more secure and convenient than traditional authentication methods.

Integration with legacy systems: In the banking sector, integrating passkey support into existing online platforms and applications can seem technically challenging, as many of them have been developed independently.

Customer experience: Banks are highly sensitive to customer experience and are reluctant to implement new authentication requirements when customers are happy with existing processes.

How to implement passkeys effectively

Schomburgk said organizations introducing passkeys should:

Don't be intimidated by perceived barriers

According to Schomburgk, the perceived barriers to implementing passkeys are often greater than the actual technical challenges. He encouraged organizations not to sit back and worry about potential problems. Instead, they should “get on the journey” and the technical solutions will become apparent.

Focus on the benefits

The benefits of passkeys, including improved security and convenience for employees and customers, often outweigh the perceived barriers. Schomburgk argues that once organizations begin implementing passkeys, they will find that the benefits can accelerate their adoption.

Prioritize education and awareness

It is important to educate both IT staff and end users about the benefits of passkeys compared to traditional authentication methods. Ongoing communication and education, both internally and with the general public, will help drive broader adoption over time.

Start small and build momentum

Familiarity with the technology and its benefits can lead to more widespread adoption. As organizations like MyGov continue to promote passkeys and the use of passkeys or hardware-linked authenticators like YubiKeys grows in enterprises, early adopters are likely to encourage other users to adopt passkeys.
