Australia and New Zealand advance passkeys cybersecurity


Australia and New Zealand (ANZ) are rapidly investing in and strengthening their nationwide cybersecurity postures, and credit is due when great success stories emerge, especially in a world of weekly cybersecurity horror stories.

In the past twelve months, we’ve seen unprecedented leadership across the cybersecurity ecosystem from the unlikeliest of early movers: governments, airlines, financial industry bodies, and large enterprises.

The critical steps taken by ANZ to enhance its cybersecurity postures help protect against increasingly sophisticated cyber threats, bolstering public trust in digital services, positioning both countries as global leaders in cybersecurity, enhancing national resilience to future threats, and ensuring a safer and more secure digital environment.

New standards

Australia has released the Essential Eight and, more recently, FSC Standard No. 29, released on 13 March, 2024. New Zealand followed with the Digital Identity Services Trust Framework Act 2023. In this article, we explore where passkeys fit into Australia’s and New Zealand’s growing MFA requirements and highlight real-world deployments that have shown that passkeys are ready for wide-scale adoption.

FSC Standard No. 29

FSC Standard No. 29 outlines comprehensive measures for superannuation funds to protect their customers from scams and fraudulent activities. The standard, effective from 1 July 2024 on a voluntary basis and mandatory from 1 July 2026, covers the following key areas:

  • Mandatory Multi-Factor Authentication (MFA): The updated standard requires all superannuation funds to implement multi-factor authentication (MFA) for accessing critical systems and consumer web portals, enhancing security and reducing the risk of unauthorised access.
  • Creation of Mitigation Policies: Superannuation funds must establish and implement policies specifically targeting the prevention, detection, and resolution of fraud and scam incidents.
  • High-Risk Transactions: Special attention is given to high-risk transactions requiring robust authentication processes.
  • Customer Communication: Funds must ensure transparent communication with customers about their fraud and scam mitigation measures and the importance of these protections.

The Essential Eight Framework

The Essential Eight Framework, developed by the Australian Cyber Security Centre (ACSC), provides key mitigation strategies to protect users and mitigate cybersecurity threats. Its updates from November 2023 highlight key measures for evolving threats, especially for consumer-facing applications. The framework is made up of maturity levels ranging from Level 0 (not implemented) to Level 3 (fully implemented).

  • Enhanced MFA Standards at Maturity Level One: Previously unspecified, Maturity Level One now requires MFA to include both “something users have” and “something users know,” replacing weaker forms like security questions or ‘Trusted Signals.’
  • Mandatory MFA for Sensitive Data Portals: MFA is now required for web portals storing sensitive customer data across all maturity levels, eliminating the option to opt out in favour of weaker password authentication.
  • Phishing-Resistant MFA Options: Lower maturity levels now offer phishing-resistant MFA, with higher levels mandating it to counteract attacks on weaker MFA methods.
  • Increased Focus on Phishing-Resistant MFA in Maturity Level Two: Maturity Level Two requires phishing-resistant MFA, aligning with standards like FIDO2/WebAuthn to address vulnerabilities to phishing and social engineering.
  • Phishing-Resistant MFA for Workstations: Maturity Levels Two and Three now require workstation authentication using phishing-resistant MFA methods, such as smart cards and security keys, to enhance workplace security.

These updates underscore the shift towards stronger phishing-resistant MFA implementation to combat evolving cybersecurity threats.

Digital Identity Services Trust Framework Act 2023

The Digital Identity Services Trust Framework Act 2023 is a legislative act passed in New Zealand to create a structured and secure framework for digital identity services. This act was introduced to Parliament in September 2021, passed its final reading in March 2023, received Royal Assent in April 2023, and will come into force on 1 July, 2024.

  • Identification Management: Rules within the act define how users are to be identified and authenticated, ensuring that the methods used for identification and authentication are secure and reliable.

Air New Zealand’s recent adoption of passkeys

Air New Zealand, an award-winning airline known for its world-class hospitality, now delivers robust account security. Central to this is their move to passwordless authentication using passkeys, which offer faster, easier, and more secure sign-ins.

Collectively, myGov and Air New Zealand have made passkeys available to close to 30 million people across Australia and New Zealand. Justin Soong, CEO at Authsignal, says, “Passkeys have now become mainstream, and there are now no blockers in the way of widespread adoption.”

What are passkeys, and how do they help?

Based on FIDO standards, passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Unlike passwords, passkeys are always strong and phishing-resistant.

Passkeys simplify account registration for apps and websites, are easy to use, work across most of a user’s devices, and even work on other devices within physical proximity.

According to the FIDO Alliance, there are over 13 billion accounts worldwide that can use passkeys for sign-in, including those of major global consumer brands like Adobe, Amazon, Apple, Google, Hyatt, Nintendo, PayPal, PlayStation, Shopify, and TikTok. Tech giants like Apple, Google, and Microsoft have integrated passkey support into their operating systems, ensuring native compatibility across almost all modern smartphones and computers. This broad integration has made passkeys accessible to billions of users globally.