myGov takes a stand on passwords

What myGov’s move to passwordless authentication means for public sector organisations.

The Australian Government recently announced that its myGov portal, which allows citizens to access government services online in one place, is transitioning to passwordless authentication to enhance the security of government services online. This represents a significant change for all public sector organisations and government departments that will require phishing-resistant multi-factor authentication (MFA) options like passkeys to sign into myGov going forward.

The adoption of this technology by myGov is driven by the need to counteract the high incidence of scams and phishing attacks targeting myGov. Last year, between January and August alone, more than 4,500 individual myGov phishing scams were identified, which contributed to thousands of myGov accounts being suspended due to suspected fraud activities.

The myGov portal, a crucial gateway for accessing various government services, has over 15 million unique users. The integration of passkeys technology into myGov is likely to drive rapid uptake due to its enhanced security and ease of use. Unfortunately, major breaches for Optus, Medibank and others resulted in a large number of customer credentials becoming available on the dark web, and so a more secure authentication method is clearly needed. With the introduction of passkeys, this technology can reduce the risk of large-scale data breaches and identity theft, as identity credentials will no longer be stored on a central server.

Driving the adoption of phishing-resistant MFA and passkeys

The new authentication system allows for the use of passkey technology, which uses private encrypted keys on mobile devices, computers and hardware security keys. Passkeys seamlessly authenticate users by using cryptographic security keys stored on their computer or device. They are a superior alternative to passwords since users are not required to recall or manually enter long sequences of characters that can be forgotten, stolen or intercepted. Device-bound passkeys like security keys provide the highest protection against phishing attacks because they require something you know (a PIN password) and something you have (a security key), a deliberate user action to insert into the device and physically touch it to access accounts.

Over 80 international websites, including major platforms like Google, Amazon, Air New Zealand, PayPal, Uber, TikTok and Shopify have already embraced passkey technology. myGov’s move to this standard is expected to spur similar adoption by Australian private sector sites, particularly in sectors like banking and telecommunications.

The Australian Government is taking a bold stance by prioritising phishing-resistant MFA and significantly raising the security bar for the country and its citizens. Following these announcements, we can expect more aggressive moves in the coming months led by the government for all public sector online services to adopt passkeys as phishing-resistant MFA.

This transition marks a significant shift in how government agencies and businesses handle digital security. The move is being closely watched and may influence the digital security strategies of Australian state government service portals and private sector organisations.

A new government cybersecurity strategy

In addition, the Australian Government also released its Australian Cyber Security Strategy 2023–2030 last November, which will impact government, critical infrastructure, citizens and public servants working in the departments tied to myGov, and citizens accessing government services online.

Updates to the Essential Eight

Around the same time as the cybersecurity strategy announcement, the Australian Government updated the Maturity Model for the Essential Eight, in which MFA is among the eight mitigation strategies.

The updated Essential Eight framework includes MFA requirements, which have been bolstered to require phishing-resistant MFA by organisations at a lower maturity level. Previously required at Maturity Level Three, these revisions have amplified the use of phishing-resistant MFA such as passkeys, applying them to Maturity Level 2 and not just Maturity Level 3 (ML3). This framework, supported by the recently released Cyber Security Strategy, should be the guide for all public sector organisations to use to assess their cyber posture.

Conclusion

This strategic move aligns with the Australian Government’s broader cybersecurity efforts, and these initiatives reflect a comprehensive approach to strengthening the nation's cyber defence mechanisms, ensuring that both government and critical infrastructure are equipped to handle the evolving cyberthreat landscape.

For public sector organisations, the transition to passwordless authentication via passkeys presents an opportunity to enhance their cybersecurity posture significantly. It necessitates a re-evaluation of current security measures and an acceleration in the adoption of phishing-resistant MFA technologies. This shift will likely influence digital security strategies within government agencies and the private sector as organisations aim to meet the new security benchmarks set by the government.

myGov’s move to passwordless authentication through the adoption of passkeys is a clear indication of the Australian Government's commitment to safeguarding its digital services against the increasing threat of cyber attacks. It marks a new era of digital security, where MFA becomes the standard, offering a more secure, efficient and user-friendly way for Australians to access government services online. This move is expected to significantly transform how public sector organisations and the wider Australian market approach cybersecurity, setting a precedent for others to realise a more secure digital future.

Geoff Schomburgk is responsible for driving the Yubico business across the Asia Pacific and Japan (APJ) region, working with partners and enterprise customers to implement modern phishing-resistant authentication. He is an experienced senior executive with a background in engineering and strategy consulting and over 30 years’ experience in the global ICT industry. Geoff has a Bachelor of Engineering (Honours) and MBA and is also a qualified Company Director (FAICD).

Top image credit: iStock.com/ArtemisDiana