The End of Passwords: Passwordless IAM and AI-Driven Access Control in 2026

CyberCorp Australia
Cybersecurity & GRC Team
23 April 2026 · 9 min read

Every significant data breach investigation tells the same story somewhere in its timeline: a compromised credential. A phished password, a reused passphrase, a brute-forced account. Despite decades of password complexity rules, rotation policies, and multi-factor authentication bolt-ons, the humble password remains the most reliable entry point for adversaries targeting Australian organisations. In 2026, that is no longer an architectural inevitability — it is a choice, and increasingly, an unjustifiable one.

The convergence of mature passkey technology, updated international standards, tightened APRA expectations, and AI-driven adaptive access control means that organisations which continue to rely on password-based authentication are accepting unnecessary risk. This article explains what the transition to passwordless actually means in practice, how to approach a staged migration, and where governance and compliance obligations fit into the picture.

Why Passwords Keep Failing

Passwords are a shared secret: the user knows it, and so does the server. That sharing arrangement creates cascading attack surfaces. Credentials can be phished, intercepted in transit, exposed in third-party breaches, cracked offline if a hash database is stolen, or simply reused across dozens of services. Traditional MFA — particularly SMS one-time passwords and email codes — reduces risk but does not eliminate the phishing problem, because an attacker can relay a real-time OTP just as easily as a password.

NIST SP 800-63B Revision 4, published in July 2025, formalises what the security industry has long understood: SMS-based authentication and email OTP are no longer considered adequate for higher-assurance access. The updated guidance deprecates these methods at Authenticator Assurance Levels 2 and 3, and positions cryptographic, phishing-resistant credentials — specifically FIDO2 passkeys and hardware security keys — as the standard for sensitive access.

For Australian organisations, the regulatory signal is equally unambiguous. APRA's 2025 guidance on critical authentication controls requires regulated entities to implement MFA or equivalent controls for all high-risk member activities and all privileged system access, with a compliance deadline of 31 August 2025. Critically, APRA has signalled that its long-term expectation extends to zero trust principles, including continuous verification — a posture that password-based authentication cannot support.

What Passwordless Authentication Actually Means

Passwordless authentication eliminates the shared secret entirely. Instead of transmitting something the user knows, the system relies on something the user has (a device holding a private cryptographic key) and something the user is (biometric verification to unlock that key). No password ever leaves the device, and no password is stored on the server — only a public key, which lets the server verify signatures but cannot be used to produce one, so a stolen copy of it does not let an attacker authenticate.

Passkeys and FIDO2/WebAuthn

Passkeys are the consumer and enterprise-friendly implementation of FIDO2, the authentication standard maintained by the FIDO Alliance and built on the W3C WebAuthn specification. When a user registers a passkey, a unique cryptographic key pair is generated on-device. The private key never leaves the secure enclave of the user's device; the public key is registered with the service. At login, the service sends a cryptographic challenge; the device signs it with the private key, and the service verifies the signature with the stored public key. There is nothing to phish, intercept, or replay.

Adoption has accelerated sharply. The FIDO Alliance's Passkey Index reports that approximately 5 billion passkeys are now in use globally, with 75 per cent of people having enabled a passkey on at least one account and 26 per cent of all sign-ins across supported services now leveraging passkeys. On the enterprise side, 87 per cent of organisations have either deployed or are actively deploying passkeys for workforce authentication — up 14 percentage points since 2022. Passkeys also reduce sign-in time by approximately 73 per cent compared to traditional methods, and organisations have reported an 81 per cent reduction in login-related help desk incidents following deployment.

Two passkey variants are relevant for enterprise planning:

  • Synced passkeys — stored in a platform credential manager (iCloud Keychain, Google Password Manager) and synchronised across a user's devices. Suited to broad workforce rollout where device diversity is high.
  • Device-bound passkeys — tied to a single hardware authenticator (FIDO2 security key or a managed device's secure enclave). Suited to privileged access, high-assurance roles, or environments where synced credentials carry unacceptable risk.

Gartner's analysis is aligned: by the end of 2026, passwordless authentication is expected to be the default for workforce access across many enterprises, with FIDO2 and passkeys positioned as the leading credential type for phishing-resistant enterprise authentication.

Phishing-Resistant MFA as an Interim Bridge

For systems where full passkey integration is not yet feasible, hardware security keys (FIDO2/U2F) provide phishing-resistant MFA without requiring a full credential replacement. Unlike app-based TOTP or push notifications, hardware keys cryptographically bind the authentication to the origin domain — meaning an attacker cannot harvest and relay a credential from a lookalike site. This makes hardware keys a strong transitional control for privileged users and high-risk access scenarios while broader passwordless infrastructure matures.
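The registration and challenge/response exchange described in the passkey section, together with the origin binding that stops a relay from a lookalike site, as an added example that is not part of the original article. It uses only the Python standard library, so a textbook RSA signature at toy key sizes stands in for the ES256 signatures real authenticators use; the function names, the device dictionary that plays the authenticator, and the sample origins are constructed.

```python
# Added example (not from the article): a stdlib-only WebAuthn-style register /
# challenge / sign / verify flow. Textbook RSA over SHA-256 at toy key sizes is a
# constructed stand-in for ES256; rp_id, clientDataJSON and the origin check follow the protocol.
import hashlib, json, secrets

def _witness_passes(n, d, r):  # one Miller-Rabin round
    x = pow(secrets.randbelow(n - 3) + 2, d, n)
    if x == 1: return True
    for _ in range(r):
        if x == n - 1: return True
        x = x * x % n
    return False

def _prime(bits):
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        r = ((n - 1) & -(n - 1)).bit_length() - 1  # trailing zero bits of n-1
        if all(_witness_passes(n, (n - 1) >> r, r) for _ in range(16)):
            return n

def _keygen():  # (public, private); the private half never leaves the device store
    p, q = _prime(128), _prime(128)
    while (p - 1) * (q - 1) % 65537 == 0:  # e must be invertible mod phi(n)
        q = _prime(128)
    return (p * q, 65537), (p * q, pow(65537, -1, (p - 1) * (q - 1)))
def _h(data, n):  # SHA-256 digest as an integer below the modulus
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def _sign(priv, data):
    return pow(_h(data, priv[0]), priv[1], priv[0])
def _verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == _h(data, pub[0])
def register(device, rp_id):  # authenticator mints a key pair scoped to one rp_id
    pub, device[rp_id] = _keygen()
    return pub  # only the public key is sent to the relying party

def browser_sign_in(device, origin, challenge):
    rp_id = origin.split("//", 1)[1]  # the browser, not the page, fixes rp_id and origin
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    if rp_id not in device:  # lookalike host: no credential exists, so nothing is signed
        return client_data, None
    auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
    return client_data, (auth_data, _sign(device[rp_id], auth_data + hashlib.sha256(client_data).digest()))

def rp_verify(pub, rp_id, origin, challenge, client_data, assertion):
    cd = json.loads(client_data)
    if assertion is None or cd["origin"] != origin or cd["challenge"] != challenge:
        return False  # relayed from another origin, or replayed against a stale challenge
    auth_data, sig = assertion
    return auth_data == hashlib.sha256(rp_id.encode()).digest() and _verify(
        pub, auth_data + hashlib.sha256(client_data).digest(), sig)
```

Call `register` once per relying party, then `browser_sign_in` with the page's real origin and the server's fresh challenge; a sign-in attempted from a lookalike origin yields no assertion, and a captured assertion fails against any later challenge.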

Identity at the Core of Zero Trust

Zero Trust architecture rests on a foundational premise: trust is never implicit, always earned, and continuously re-evaluated. In a password-based world, the single login event is the primary identity assertion — once authenticated, users often retain broad access for the duration of their session. Zero Trust inverts this model.

Passwordless authentication is not just a credential upgrade; it is the foundation on which continuous, risk-based verification becomes technically viable. With a cryptographic identity established at login, organisations can layer contextual signals — device health, location, behaviour patterns, time of access, data sensitivity — to make dynamic access decisions throughout a session rather than at its start.

This matters particularly for privileged access. Privileged Access Management (PAM) in a Zero Trust model does not simply gate initial access behind strong MFA; it enforces just-in-time privilege elevation, session recording, and continuous re-verification before high-risk operations. A finance director who authenticates via passkey at 9am in Sydney and then attempts to initiate a large wire transfer at 3am from an unrecognised network should face a re-challenge — not silent approval.

AI-Driven Adaptive Access Control

The integration of machine learning into identity and access management introduces capabilities that static policy cannot replicate. AI-driven adaptive access control systems ingest continuous signals — login telemetry, device posture, behavioural biometrics, threat intelligence feeds — and produce real-time risk scores that modify access decisions without human intervention.

In practice, this means:

  • A user authenticating from a known, compliant device on a corporate network receives seamless access.
  • The same user connecting from a new country triggers step-up authentication.
  • An account exhibiting rapid lateral movement or unusual data export behaviour has access suspended automatically, pending review.
  • Privileged sessions with anomalous command patterns are flagged for real-time analyst attention.

This adaptive layer significantly raises the cost and complexity of attack. Even if an adversary obtains a valid session token, sustained anomalous behaviour will generate an alert or trigger re-authentication before sensitive data can be exfiltrated.
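As an added illustration that is not part of the original article, here is a signal-weighted risk scorer of the kind an adaptive access layer runs per request, covering the four decisions listed above and the finance director re-challenge from the Zero Trust section. The signal names, weights, thresholds, per-user baseline and sample requests are constructed assumptions; the reasons list it returns is the explainability record the governance section calls for.

```python
# Added example (not from the article): a signal-weighted risk scorer of the kind an
# adaptive access layer evaluates per request. Signals, weights, thresholds and the
# baseline are constructed; a real deployment would learn baselines from telemetry.
from dataclasses import dataclass

@dataclass
class Baseline:  # per-user profile derived from historical telemetry
    known_devices: set
    home_country: str
    corp_networks: set
    usual_hours: range = range(7, 20)  # local working hours
    typical_export_bytes: int = 50_000_000

@dataclass
class Request:  # one access event with its contextual signals
    device_id: str
    device_compliant: bool
    network: str
    country: str
    hour: int
    operation: str = "read"
    hosts_last_5min: int = 1  # distinct internal hosts touched in the session window
    export_bytes: int = 0

WEIGHTS = {"unknown_device": 30, "noncompliant_device": 25, "unrecognised_network": 15,
           "foreign_country": 30, "off_hours": 15, "high_risk_operation": 25,
           "lateral_movement": 70, "unusual_export": 70}  # behavioural signals are decisive alone
HIGH_RISK_OPS = {"wire_transfer", "bulk_export", "privilege_elevation"}
STEP_UP_AT, SUSPEND_AT = 30, 70

def evaluate(b: Baseline, r: Request):
    """Return (decision, score, reasons). `reasons` is the explainability record
    an auditor or an appeal process needs when an automated decision is questioned."""
    reasons = [name for name, hit in (
        ("unknown_device", r.device_id not in b.known_devices),
        ("noncompliant_device", not r.device_compliant),
        ("unrecognised_network", r.network not in b.corp_networks),
        ("foreign_country", r.country != b.home_country),
        ("off_hours", r.hour not in b.usual_hours),
        ("high_risk_operation", r.operation in HIGH_RISK_OPS),
        ("lateral_movement", r.hosts_last_5min >= 10),
        ("unusual_export", r.export_bytes > 10 * b.typical_export_bytes),
    ) if hit]
    score = sum(WEIGHTS[x] for x in reasons)
    decision = "suspend" if score >= SUSPEND_AT else "step_up" if score >= STEP_UP_AT else "allow"
    return decision, score, reasons
```

A finance director on a known compliant laptop at 10am on the corporate network scores 0 and is allowed through; the same account at 3am on an unrecognised network attempting a wire transfer collects three reasons, scores 55 and is stepped up, while forty hosts touched in five minutes suspends the session outright.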

Governance Risks of AI-Driven Access

The same AI capabilities that improve detection introduce governance obligations that many organisations have not yet addressed. When an algorithm denies access or suspends an account, who is accountable? How is the decision audited? Can the user appeal, and on what timeline? These questions are not hypothetical — they are increasingly relevant under Australian Privacy Act obligations and, for regulated entities, under APRA's expectations for robust and auditable control frameworks.

Organisations adopting AI-driven IAM should ensure that access decisions are logged with sufficient granularity to support audit, that explainability requirements are defined in advance (especially for privileged access denials), and that human-in-the-loop escalation paths exist for automated decisions that affect employees or customers. AI augments the identity control plane; it does not replace governance accountability.

Essential Eight Alignment

The Australian Signals Directorate's Essential Eight Maturity Model addresses MFA requirements at each maturity level. At Maturity Level 2, phishing-resistant MFA is required for internet-facing services and privileged access. At Maturity Level 3, phishing-resistant MFA is required across all user access. Passkeys and FIDO2 hardware keys satisfy the phishing-resistant requirement at all maturity levels; traditional TOTP and SMS OTP do not.

Organisations targeting Maturity Level 2 or above should treat their passwordless migration roadmap as directly aligned with Essential Eight uplift — and should plan to demonstrate phishing-resistant credential coverage in their next assessment.

A Staged Migration Roadmap

A complete passwordless migration does not happen overnight. Legacy applications, workforce habits, and recovery mechanisms all require careful management. The following phased approach has proven effective for organisations of varying maturity.

Phase 1: Pilot — High-Risk and Willing Users (Months 1–3)

Begin with a controlled pilot targeting IT and security teams, privileged users, and early adopters. Deploy FIDO2 hardware keys or platform passkeys for primary authentication to a defined set of modern, FIDO2-compatible systems. Capture detailed feedback on UX, device compatibility, and recovery scenarios. Establish your help desk runbook for lost device and account recovery before the pilot concludes.

Phase 2: High-Risk User Expansion (Months 4–6)

Extend passwordless authentication to all privileged accounts, executives, finance staff, and personnel with access to sensitive data or critical systems. These users represent the highest breach impact and are therefore the highest return-on-investment segment for phishing-resistant authentication. For legacy applications that cannot yet support FIDO2, implement hardware key-based MFA as a bridge control.

Phase 3: Broad Workforce Rollout (Months 7–12)

Deploy synced passkeys to the general workforce via managed identity providers (Microsoft Entra ID, Okta, Ping Identity, and similar platforms all support FIDO2 passkey registration at scale). Communicate the change as a UX improvement — faster, simpler sign-in — rather than a security mandate. Parallel-run passwords and passkeys during transition to reduce disruption.

Phase 4: Password Retirement and Continuous Improvement

Once passkey coverage reaches defined thresholds (typically 90–95 per cent of accounts), begin disabling password-based authentication for covered systems. Audit legacy application exceptions and establish remediation timelines. Layer AI-driven adaptive access on top of the established credential baseline, and integrate privileged access management with Zero Trust policy engines for continuous session verification.

Common Challenges and How to Address Them

Legacy Application Compatibility

Many enterprise applications — particularly older ERP, finance, and operational systems — do not support modern authentication protocols. Options include reverse-proxy authentication gateways that front legacy applications with FIDO2-capable login pages, password vaulting via a PAM solution for applications that cannot be modified, and prioritising legacy application modernisation on the technology roadmap.

Account Recovery Without a Password

The most common objection to passwordless is the recovery question: "What happens when someone loses their device?" The answer requires planning rather than avoiding passwordless. Acceptable recovery mechanisms include: a second registered authenticator (backup hardware key or trusted device), verified identity re-enrolment via IT service desk with identity proofing, and, for high-assurance accounts, in-person verification with a manager sign-off. Avoid SMS or email-based recovery paths, as these reintroduce the phishing vulnerability at the recovery layer.

User Experience and Change Management

Passkeys typically generate strong user satisfaction once deployed — the FIDO Alliance's data indicates an 81 per cent reduction in authentication-related help desk calls. The challenge is the transition itself. Invest in clear, role-specific communications, brief video walkthroughs, and accessible help resources. Frame the change as removing friction, not adding security theatre.

Key Takeaways

  • Passwords are structurally broken. No password policy prevents phishing. Phishing-resistant, cryptographic authentication is the only effective remedy.
  • FIDO2 passkeys are mature and enterprise-ready. Five billion passkeys are in global use; 87 per cent of enterprises are deploying them. The technology is proven and supported by all major platforms and identity providers.
  • NIST SP 800-63B Revision 4 and APRA both mandate the direction of travel. SMS OTP is deprecated for higher-assurance access; phishing-resistant MFA is the baseline expectation for regulated Australian entities.
  • Passwordless is the foundation of Zero Trust identity. Continuous, risk-based verification requires a cryptographic identity anchor — passwords cannot provide one.
  • AI-driven adaptive access raises the cost of attack — and introduces governance obligations. Adopt AI access control with explainability, auditability, and human escalation paths built in from day one.
  • Stage your migration. Prioritise privileged users and high-risk access scenarios first. Use hardware security keys as a bridge for legacy environments. Retire passwords systematically, not precipitously.
  • Essential Eight alignment is direct. Phishing-resistant MFA at Maturity Levels 2 and 3 maps precisely to FIDO2 passkeys and hardware keys — not TOTP or SMS OTP.

Identity is the new perimeter. Organisations that secure it with cryptographic, phishing-resistant credentials — and govern AI-driven access decisions with rigour — will be materially better positioned against the credential-based attacks that dominate today's threat landscape. Those that delay will face an increasingly difficult compliance conversation with APRA, the ASD, and their own boards.

CyberCorp works with Australian organisations to design and implement passwordless IAM programs that align with Essential Eight, APRA CPS 234, and Zero Trust architecture principles. To discuss your identity security roadmap, Schedule a GRC Assessment or learn more about our security strategy & governance services.
