DEV Community

vdelitz for Corbado

Originally published at corbado.com

Passkeys for Governmental Bodies: myGov Analysis


Introduction: myGov and Passkeys

The Australian government's myGov portal, a critical access point for services like Centrelink, the Australian Tax Office, and Medicare, has recently integrated passkeys to enhance cybersecurity. Given the rising threat of cyberattacks, as evidenced by significant breaches affecting millions of Australians, this move aims to fortify user authentication against phishing and other malicious activities.

Key Findings from myGov Passkeys Implementation

  1. Lack of Upsell to Passkeys Post-Login: Users logging in with passwords and SMS OTPs are not prompted to switch to passkeys, missing an opportunity to enhance security with more robust authentication methods.
  2. Persistence of SMS OTP as Primary MFA Method: Despite the presence of passkeys, myGov continues to rely heavily on SMS OTP for multi-factor authentication, which remains vulnerable to phishing attacks.
  3. Email and Mobile Verification During Account Creation: While best practices are followed in verifying email addresses and mobile numbers during account creation, the process could be further streamlined by integrating passkeys from the outset.
  4. Passkey Button Placement: The passkey login button's placement below the fold on the login page likely reduces its usage and visibility, contributing to lower adoption rates.
  5. Technical Implementation Strengths: The WebAuthn server settings and ceremony flags in myGov's PublicKeyCredentialCreationOptions and PublicKeyCredentialRequestOptions are correctly implemented, ensuring a solid technical foundation for passkeys.
  6. Effective Error Handling in Safari Clamshell Mode: Proper error handling is in place for Safari's clamshell mode, maintaining security standards across different user environments.

Strategic Advantages of Passkeys for myGov

  1. Leadership in Digital Security: By adopting passkeys, myGov sets a precedent for other public and private organizations in Australia, showcasing a commitment to advanced cybersecurity measures.
  2. Compliance with Essential Eight Framework: The implementation aligns with Australia's cybersecurity legislation, particularly the Essential Eight framework, which prioritizes phishing-resistant MFA methods.
  3. Cost Savings: Reducing reliance on SMS OTPs could save myGov millions annually and streamline user authentication processes.

Recommendations for Enhancing myGov Passkey Adoption

  1. Promote Passkeys During Sign-Up: Introducing passkeys as an option during the sign-up process can significantly boost user adoption. Educating users about the benefits and ease of passkeys can facilitate this transition.
  2. Default to Passkeys for MFA: Replacing SMS OTP with passkeys as the default MFA method can enhance security and user experience, provided the system intelligently determines the availability of passkeys on the user's device.
  3. Adopt an Identifier-First Approach: Shifting from a separate passkey login button to an identifier-first approach can streamline the login process, making passkey usage more intuitive and likely.
  4. Implement Conditional UI: Introducing Conditional UI for both web and native apps can further simplify passkey authentication, encouraging higher adoption rates and reducing friction in the login process.
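
Recommendations 2 to 4 combined in one sketch, as an added example that is not from the original post or from myGov's code: feature-detect passkey support, choose the login method once the identifier is known, and request Conditional UI when the browser offers it. The function names, the `account` shape, and the `userVerification` value are assumptions; `env` stands in for the browser's `window`.

```javascript
// Added example. detectCapabilities, planLogin, buildGetArgs and the account
// shape are hypothetical names; `env` stands in for the browser's `window`.

// Feature-detect with the WebAuthn static methods; a missing API counts as "no".
async function detectCapabilities(env) {
  const pkc = env.PublicKeyCredential;
  if (!pkc || !env.navigator || !env.navigator.credentials) {
    return { webauthn: false, conditionalUI: false, platformAuthenticator: false };
  }
  const ask = async (name) => {
    try { return typeof pkc[name] === 'function' && (await pkc[name]()) === true; }
    catch { return false; } // a failed probe is treated as "unavailable"
  };
  return {
    webauthn: true,
    conditionalUI: await ask('isConditionalMediationAvailable'),
    platformAuthenticator: await ask('isUserVerifyingPlatformAuthenticatorAvailable'),
  };
}

// Identifier-first: decide the next step once the identifier has been submitted.
// account = { hasPasskey, credentialIds } from a hypothetical server lookup.
function planLogin(caps, account) {
  if (!caps.webauthn) return { method: 'password+otp', offerPasskeyEnrollment: false };
  if (account.hasPasskey) {
    return { method: 'passkey', offerPasskeyEnrollment: false,
      allowCredentials: account.credentialIds.map((id) => ({ type: 'public-key', id })) };
  }
  // No passkey yet: fall back, then upsell after login if the device can create one.
  return { method: 'password+otp', offerPasskeyEnrollment: caps.platformAuthenticator };
}

// Arguments for navigator.credentials.get(). With conditional mediation the passkey
// appears in the autofill list of <input autocomplete="username webauthn">, so no
// separate passkey button is needed. userVerification value is an assumption.
function buildGetArgs(challenge, rpId, caps, allowCredentials = []) {
  const args = {
    publicKey: { challenge, rpId, userVerification: 'preferred', allowCredentials },
  };
  // Design choice here: use autofill only when the user is not yet known.
  if (caps.conditionalUI && allowCredentials.length === 0) args.mediation = 'conditional';
  return args;
}
```

In a browser, pass `window` to `detectCapabilities` and the result of `buildGetArgs` to `navigator.credentials.get()`; the challenge must come from the server for each ceremony.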

Conclusion

myGov's implementation of passkeys marks a great step towards improving cybersecurity for Australian government services. While the technical execution is strong, enhancements in user experience and proactive promotion of passkeys can drive higher adoption rates. By refining these aspects, myGov not only secures its platform but also sets a benchmark for other organizations in adopting advanced authentication methods.

For a detailed analysis and recommendations, please see our blog post here.

Top comments (1)

Anders

😎