.png)
Australia's myGov portal, the digital gateway to essential government services, has taken a pioneering step in enhancing online security by implementing passkeys. This move comes in response to an alarming surge in cybercrime targeting government platforms.
Troubling statistics underscore the urgency of this security upgrade. Thousands of myGov accounts were suspended monthly due to suspected breaches, many attributed to sophisticated "scam-in-a-box" kits sold on the dark web. These kits, designed to create convincing fake websites and launch targeted phishing attacks, posed a significant threat to the 26 million active myGov accounts.
The Australian Tax Office reported a spike in impersonation scams, with numerous Australians falling victim to fraudulent emails and text messages purporting to offer tax refunds or requesting bank account confirmations. These scams often directed users to meticulously crafted fake myGov websites, highlighting the critical need for a more robust authentication system.
In response to these challenges, the Australian government has introduced passkeys and committed substantial resources to fortify myGov's defenses.
This article explores the intricacies of myGov's passkey implementation, exploring its technical aspects, user implications, and broader impact on Australia's digital government services landscape.
The scam problem
Statistics on scams targeting myGov
The scale of the scam problem facing myGov is staggering. In 2023, Australians lost $3.1 billion to scams, underscoring the financial devastation wrought by cybercriminals. MyGov, as a centralized portal for essential government services, became an attractive target for these malicious actors.
The Australian Tax Office (ATO) reported a significant increase in myGov-related scams. In August 2023, the ATO issued warnings about a surge in email and text message scams impersonating the office.
These scams often claimed that users were owed tax refunds or needed to confirm their bank account details, directing them to convincingly crafted fake myGov websites.
The financial impact of scams
The financial toll of these scams extends beyond individual losses. The government's decision to allocate $580.3 million over four years to maintain and develop myGov and an additional $50 million for improvements reflects the substantial resources required to combat this threat.
Furthermore, the commitment of $145 million in annual ongoing funding from 2027 underscores the long-term nature of this cybersecurity challenge.
"Scam-in-a-box" kits and their threat
One of the most concerning developments in the cybercrime landscape is the proliferation of "scam-in-a-box" kits.
These kits, sold on the dark web, provide criminals with the tools and knowledge to launch sophisticated phishing attacks targeting Centrelink, the Australian Tax Office, and Medicare accounts.
These kits are alarmingly comprehensive, often including:
- Templates for creating fake websites that closely mimic official government pages
- Specialized knowledge for launching convincing phishing campaigns
- Security controls to help criminals evade detection
- Capabilities to run multiple scams simultaneously
- Intelligent systems that can redirect IT-savvy users to the genuine myGov website to avoid suspicion
The sophistication of these kits is evidenced by the fact that many fake websites are nearly indistinguishable from the real myGov portal. Some kits even advertise the widespread use of myGov accounts among Australians, providing step-by-step instructions for harvesting login details and accessing linked accounts.
The prevalence of these kits led to thousands of myGov accounts being suspended each month due to suspected breaches. This constant threat of compromise puts individual users at risk and strains government resources in detecting and responding to potential breaches.
MyGov's shift to passkeys
The transition to passkeys marks a significant milestone in myGov's security evolution, positioning Australia at the forefront of government digital service innovation. This section explores the timeline of this shift, its pioneering nature, and how it compares to similar moves by major tech companies.
Check out this video to learn more about MyGov passkeys:
Announcement and implementation timeline
The journey towards passkeys for myGov began in late 2023 when Government Services Minister Bill Shorten unveiled plans to implement this new authentication method. The announcement was part of a broader strategy to combat the rising tide of scams targeting government services.
The implementation process moved swiftly:
- November 2023: Initial announcement of the passkey plan
- Late June 2024: Soft launch of the passkey capability
- Early July 2024: Within a week of the soft launch, over 20,000 myGov users had already set up passkeys
This rapid adoption rate demonstrates both the rollout's effectiveness and users' willingness to embrace more secure authentication methods.
MyGov as a pioneer in government digital services
MyGov's implementation of passkeys positions it among the first digital government services in the world to adopt this technology. This move aligns with Australia's broader efforts to modernize and secure its digital infrastructure.
The pioneering nature of this implementation is highlighted by several factors:
- MyGov serves approximately 26 million active accounts, making this one of the largest-scale government adoptions of passkey technology globally.
- Integrating passkeys into a system that links multiple critical services (Centrelink, ATO, Medicare) demonstrates the feasibility of implementing advanced security measures across complex government platforms.
- This move sets a precedent for other government services worldwide, potentially influencing global standards for digital government security.
Comparison with other major online services
While myGov is at the forefront of government adoption of passkeys, it joins a select group of major online services that have implemented this technology. Minister Shorten noted that myGov now stands alongside leading "online services like Apple, Mastercard, PayPal, Microsoft, and Google" in offering passkey authentication.
The comparison is important as it puts a government service on par with global tech companies in security innovation and demonstrates the adaptability of passkey technology across different online platforms.
However, while these private sector companies have global reach, myGov's implementation is specifically tailored to the Australian context and regulatory environment.
MyGov's passkey implementation: User experience
Create account flow
Step 1: myGov offers two account creation options: email or use your Australian Digital Identity. We will analyze the user experience for the email center flow.
Step 2: Once the user has agreed to the terms of use, they are asked to email their email address. The user is then emailed with a one-time passcode to verify their email address.
Step 3: Next, the user is asked to enter their mobile number. Again, the user receives a one-time passcode to verify the mobile number. myGov allows the user to skip this step if their mobile number cannot be used.
myGov only allows Australian phone numbers. Restricting other country codes reduces SMS costs caused by higher foreign SMS charges and bots. To reduce SMS costs further, they may consider Whatsapp OTP, which can reduce costs to $0.015 and $0.00088 per message, depending on volume.
Step 4: ‘Create password.’ Although myGov has robust password creation guidelines, this step still puts users at significant risk. myGov could mitigate these risks by going passwordless.
Step 5: The user is asked to create three secret questions. myGov also allows the user to create custom questions.
After completing the third secret question, the user is given a user name in addition to their email address.
myGov MFA options
Within your myGov account, you have several options to add additional layers of security, such as SMS OTP, myGov Code Generator app, and, more recently, passkeys.
In this analysis, we will explore passkeys.
Creating a passkey
MyGov allows users to create up to three passkeys for their account. The process involves:
Step 1: Logging into the myGov account
Step 2: Navigate to Account Settings. ‘Manage passkeys’ is located separately from 2-factor authentication at the bottom of the menu with emphasis.
Step 3: Access the passkeys management section
- Verifying identity through an existing password or Digital Identity
- Selecting "Create passkey."
- Following device-specific prompts to set up the passkey
Users can create passkeys using their own device, another device via a QR code, or a physical security key.
Types of passkeys supported
MyGov supports three main types of passkeys:
- Biometric passkeys (fingerprint or facial recognition)
- Device-based passkeys (PIN or swipe pattern)
- Physical security keys (USB devices)
Synced vs. Non-synced passkeys
Synced passkeys:
- Saved to a password manager (e.g., iCloud Keychain)
- Available across multiple devices sharing the same account
- Ideal for users with multiple Apple or Android devices
Non-Synced passkeys:
- Stored on a specific device or physical security token
- Cannot be shared across devices
- Useful for users preferring device-specific security
Sign-in user experience using passkeys
Let's take a look at myGov’s sign-in experience with passkeys.
On the device with the passkey:
- Visit the myGov website
- Select "Sign in with passkey."
- Complete the authentication process (biometric, PIN, or security key)
On a different device:
- Visit the myGov website
- Choose "Sign in with passkey."
- Select "Use another device."
- Scan the QR code with the trusted device containing the passkey
- Complete authentication on the trusted device
Using a security key:
- Visit the myGov website
- Choose "Sign in with passkey."
- Select "Use another device" then "Security key."
- Insert and activate the security key
- Follow device prompts to complete the authentication
Managing passkeys
Users can rename or remove passkeys through the myGov account settings. Important considerations include:
- Inability to remove a passkey used for the current session
- Potential unlinking of ATO services if all passkeys are removed
- Necessity to delete passkeys from both myGov and the device/password manager
Now, let's address the FIDO2 and other authentication standards:
FIDO2 and authentication standards in myGov's passkey implementation
MyGov's adoption of FIDO2
MyGov leverages FIDO2 to implement passkey functionality. It ensures compatibility with a wide range of devices and browsers
Security benefits:
Phishing resistance: FIDO2 ties authentication to specific domains
Protection against replay attacks: Each authentication is unique
Mitigation of man-in-the-middle attacks: Public-key cryptography
WebAuthn in myGov's passkey system
It enables browser-to-authenticator communication and also facilitates the creation and use of public-key credentials. MyGov uses WebAuthn to register and authenticate passkeys. It supports both platform and roaming authenticators.
CTAP in myGov's security architecture
It allows external authenticators (like security keys) to communicate with devices. For myGov, it enables the use of physical security keys for passkey authentication. Moreover, it supports CTAP2, allowing for enhanced security features.
Join myGov and integrate passkeys with advanced MFA solutions
Authsignal providers drop-in Multi-Factor Authentication (MFA) solutions designed to empower businesses to integrate into any stack fast.
Authsignal offers Multi-Factor Authentication (MFA) solutions for businesses, with seamless integration, adaptive risk-based authentication, and signal view of the customer. Our platform prioritizes a frictionless user experience and supports various authentication methods, including biometrics, MFA and passkeys, and push notifications. By adopting Authsignal, businesses can provide a secure and convenient online experience. Sign up for a free account today to implement a robust, user-friendly security solution tailored to your business needs.
.png)
