Passkeys are ready to meet Australia's evolving MFA standards: Navigating Essential Eight and FSC Standard No. 29 (2024)

Australia and New Zealand (ANZ) are rapidly investing in and strengthening their nationwide cyber security postures, and credit is due when great success stories emerge, especially in a world of weekly cyber security horror stories.

In the past twelve months, we’ve seen unprecedented leadership across the cybersecurity ecosystem from the unlikeliest of early movers: governments, airlines, financial industry bodies, and large enterprises.

The critical steps taken in ANZ to enhance its cybersecurity postures help protect against increasingly sophisticated cyber threats. They also bolster public trust in digital services and position both countries as global leaders in cybersecurity, enhancing national resilience to future threats and ensuring a safer and more secure digital environment.

New standards

Australia has released Essential Eight and, more recently, FSC Standard No. 29, released on March 13, 2024. New Zealand followed with the Digital Identity Services Trust Framework Act 2023. In this article, we explore where passkeys fit into Australia's and New Zealand's growing MFA requirements and highlight real-world deployments that suggest passkeys are ready for wide-scale adoption.

FSC Standard No. 29

FSC Standard No. 29 outlines comprehensive measures for superannuation funds to protect their customers from scams and fraudulent activities. The standard, effective from July 1, 2024, on a voluntary basis and mandatory from July 1, 2026, covers the following key areas:

  • Mandatory Multi-Factor Authentication (MFA): The updated standard requires all superannuation funds to implement multi-factor authentication (MFA) for accessing critical systems and consumer web portals, enhancing security and reducing the risk of unauthorized access.
  • Creation of Mitigation Policies: Superannuation funds must establish and implement policies specifically targeting the prevention, detection, and resolution of fraud and scam incidents.
  • High-Risk Transactions: Special attention is given to high-risk transactions requiring robust authentication processes.
  • Customer Communication: Funds must ensure transparent communication with customers about their fraud and scam mitigation measures and the importance of these protections.

Read more about FSC Standard No. 29

The Essential Eight Framework

The Essential Eight Framework, developed by the Australian Cyber Security Centre (ACSC), provides key mitigation strategies to protect users and mitigate cyber security threats. Its update from November 2023 highlights key measures for evolving threats, especially for consumer-facing applications. The framework is made up of maturity levels ranging from Level 0 (not implemented) to Level 3 (fully implemented).

  • Enhanced MFA Standards at Maturity Level One: Previously unspecified, Maturity Level One now requires MFA to include both "something users have" and "something users know," replacing weaker forms like security questions or 'Trusted Signals.'
  • Mandatory MFA for Sensitive Data Portals: MFA is now required for web portals storing sensitive customer data across all maturity levels, eliminating the option to opt out in favor of weaker password authentication.
  • Phishing-Resistant MFA Options: Lower maturity levels now offer phishing-resistant MFA, with higher levels mandating it to counteract attacks on weaker MFA methods.
  • Increased Focus on Phishing-Resistant MFA in Maturity Level Two: Maturity Level Two requires phishing-resistant MFA, aligning with standards like FIDO2/WebAuthn to address vulnerabilities to phishing and social engineering.
  • Phishing-Resistant MFA for Workstations: Maturity Levels Two and Three now require workstation authentication using phishing-resistant MFA methods, such as smart cards and security keys, to enhance workplace security.

See the table below to better understand MFA requirements:

[Table images: MFA requirements (not reproduced)]

These updates underscore the shift towards stronger phishing-resistant MFA implementation to combat evolving cybersecurity threats.

Read more about the Essential Eight Framework

Digital Identity Services Trust Framework Act 2023

The Digital Identity Services Trust Framework Act 2023 is a legislative act passed in New Zealand to create a structured and secure framework for digital identity services. This act was introduced to Parliament in September 2021, passed its final reading in March 2023, received Royal Assent in April 2023, and will come into force on July 1, 2024.

  • Identification Management: Rules within the act define how users are to be identified and authenticated, ensuring that the methods used for identification and authentication are secure and reliable.

Read more about Digital Identity Services Trust Framework Act 2023

Unlikeliest of early movers:

myGov's recent adoption of passkeys

On July 4, 2024, myGov introduced passkeys, becoming one of the first digital government services in the world to do so. This implementation made passkeys accessible to over 26 million myGov accounts. The introduction of passkeys aligns with the government's goals to modernize digital identity verification and enhance the user experience.

Air New Zealand's recent adoption of passkeys

Air New Zealand, an award-winning airline known for its world-class hospitality, now delivers robust account security. Central to this is their move to passwordless authentication using passkeys, which offer faster, easier, and more secure sign-ins.

Collectively, myGov and Air New Zealand have made passkeys available to close to 30 million people across Australia and New Zealand. Justin Soong, CEO at Authsignal, says, “Passkeys have now become mainstream, and there are now no blockers in the way of widespread adoption.”

What are passkeys, and how do they help?

Based on FIDO standards, passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Unlike passwords, passkeys are always strong and phishing-resistant.

Passkeys simplify account registration for apps and websites, are easy to use, work across most of a user’s devices, and even work on other devices within physical proximity.

According to the FIDO Alliance, there are over 13 billion accounts worldwide that can use passkeys for sign-in, including those of major global consumer brands like Adobe, Amazon, Apple, Google, Hyatt, Nintendo, PayPal, PlayStation, Shopify, and TikTok. Major tech giants like Apple, Google, and Microsoft have integrated passkey support into their operating systems, ensuring native compatibility across almost all modern smartphones and computers. This broad integration has made passkeys accessible to billions of users globally.

Source: https://fidoalliance.org/content-ebook-consumer-password-and-passkey-trends-wpd-2024/

Modernize your consumer authentication experiences by implementing passkeys

Consider Authsignal, a plug-and-play identity and authentication platform that allows Australian and New Zealand enterprises, such as Air New Zealand, to integrate advanced security measures like MFA and passkeys.

  • Rapid Integration: Authsignal's solution can be integrated quickly into any existing identity stack via a single API or OpenID Connect (OIDC), allowing superannuation funds to implement MFA without extensive development work.
  • Flexible and Risk-Based Authentication: Authsignal provides a flexible MFA service that adapts to various risk levels, ensuring that superannuation funds can apply appropriate security measures based on transaction risk.
  • Diverse Multi-Factor Authentication support: Authsignal supports many use cases by offering SMS OTP, WhatsApp OTP, passkeys, passwordless authentication, biometric authentication, and more. This provides superannuation funds with various options to secure their customers' accounts.
  • Enhanced Customer Experience: Authsignal's MFA solutions are created to align with FIDO2 standards, minimizing customer friction, enhancing customer experience, and elevating high-security standards, thereby boosting overall customer satisfaction and trust.

Built to integrate with any identity stack through a single API or OpenID Connect (OIDC), our system works with various identity platforms and stacks, including AWS Cognito, Auth0, Azure B2C, Duende IdentityServer, ForgeRock, etc.


Author: Frankie Dare
