How Super Funds can implement Passkeys

Superannuation funds face unique passkey challenges: diverse demographics, legacy systems & strict compliance. Learn implementation strategies & solutions.

Vincent Delitz

Created: November 3, 2025

Updated: November 3, 2025


1. Introduction

The April 2025 credential stuffing attacks on Australian superannuation funds served as a stark wake-up call: traditional authentication methods can no longer protect members' retirement savings. These coordinated attacks exploited reused passwords across multiple platforms, compromising thousands of member accounts and exposing the fundamental vulnerability of password-based security.

Passkeys offer a phishing-resistant authentication solution by eliminating shared secrets entirely. Using public-key cryptography, passkeys make credential stuffing attacks impossible. Each passkey is unique to a specific service, meaning stolen credentials from one breach cannot be weaponised against your fund.

1.1 Key benefits of passkeys for super funds

  • Prevent credential stuffing across member portals: Unique cryptographic keys for each service eliminate password reuse vulnerabilities
  • 100% phishing-resistant MFA for members: Domain-bound authentication prevents members from being tricked into authenticating to fraudulent sites, and it is the most member-friendly MFA you can roll out at scale
  • 4-6x faster logins to member portals: One-tap Face ID or Touch ID authentication takes seconds
  • Reduction in authentication and support costs: Eliminate password / account reset tickets and SMS OTP charges
  • Decreased fraud-related losses: Prevent unauthorized withdrawals and account takeovers that result in financial losses and harm your reputation

Throughout this article, we'll answer three critical questions every super fund executive or tech / product leader should be asking:

  1. How can super funds implement passkeys effectively?
  2. What unique challenges do super funds face when deploying passkeys?
  3. Which benefits can super funds expect from implementing passkeys?

1.2 Why traditional authentication can't protect your members

The April 2025 attacks weren't sophisticated zero-day exploits or advanced persistent threats. They were simple, automated credential stuffing campaigns using passwords stolen from unrelated breaches. Attackers tested millions of username-password combinations against super fund portals, successfully accessing accounts where members had reused credentials and no adequate MFA was in place.

Traditional defences proved inadequate:

  • SMS OTPs were bypassed through SIM swapping and social engineering
  • Security questions failed as answers were often publicly available on social media
  • Account lockouts merely delayed attacks without preventing eventual compromise
  • Password complexity requirements didn't help when the exact passwords were already stolen

Passkeys solve these fundamental problems by replacing passwords with cryptographic proof. When a member authenticates with a passkey, they're proving possession of a private key that is protected by the hardware security module of their device (e.g. Secure Enclave, TPM). There's no password to steal, no secret to phish and no credential to stuff.

2. Which benefits do passkeys have for Super Funds?

Superannuation funds face unique security and operational challenges that make passkeys particularly valuable. Beyond the obvious security improvements, passkeys deliver measurable benefits across member experience, operational costs and regulatory compliance.

2.1 Enhanced security against targeted attacks

Super funds are increasingly targeted by organised cybercrime groups who understand the value of retirement savings. Passkeys provide multi-layered protection:

  • Immunity to phishing campaigns: Even sophisticated spear-phishing targeting high-balance members fails because passkeys are domain-bound
  • Immunity against credential stuffing: Passkeys eliminate credential stuffing attacks entirely as each passkey creates unique cryptographic signatures that cannot be reused across services, making stolen passwords from other breaches completely useless
  • Resilience against data breaches: Compromised servers reveal only public keys, which are useless without the corresponding private keys on members' devices

2.2 Dramatic improvement in member experience

Member satisfaction directly impacts fund retention and growth. Passkeys transform the authentication experience:

  • Login time reduction: No more typing complex passwords or waiting for SMS codes
  • Reduction in password reset requests: Members can't forget their face or fingerprint
  • Seamless cross-device access: Cloud-synced passkeys (e.g. in iCloud Keychain or Google Password Manager) work across all member devices
  • Accessibility improvements: Biometric authentication helps members with disabilities who struggle with password entry or other MFA methods (e.g. TOTPs in authenticator apps)

2.3 Significant cost reduction

Authentication-related costs represent a substantial operational burden for super funds. Passkeys help to cut these costs and can make your passkey project pay for itself (see this article to calculate a passkey business case).

  • Reduction in authentication support tickets: No password resets and fewer account recovery issues help you cut down support costs
  • Elimination of SMS OTP costs: Save massively on transactional costs for SMS delivery
  • Decreased fraud losses: Prevent unauthorized withdrawals and account takeovers that would result in members losing their savings
  • Lower insurance premiums: Demonstrable security improvements can reduce cyber insurance costs

2.4 Competitive differentiation

In an increasingly commoditised market, security and user experience become key differentiators. It's evident that members look for the funds that protect their assets best and would readily switch to those leading the way.

  • Secure market leadership in cyber security: First movers in passkey adoption position themselves as innovation leaders
  • Improved member acquisition: Security-conscious members actively seek funds with advanced protection
  • Enhanced trust and reputation: Proactive security measures build member confidence
  • Future-proof authentication: Align with global authentication standards before regulatory mandates put you under pressure to implement phishing-resistant MFA quickly

The following screenshot is from a Reddit thread where the first members are actively looking for a super fund with passkeys in place:

Source: Reddit r/AusFinance - Low fee super fund with passkey login?

3. Which challenges do Super Funds face when implementing passkeys?

While passkeys offer compelling benefits, super funds face specific implementation challenges that require careful consideration and planning. Each challenge, however, has solution approaches that have been successfully deployed in practice.

3.1 Diverse member demographics

Super funds serve members ranging from digital natives to retirees with limited technical experience:

  • Technology adoption varies widely: Young professionals may embrace biometric authentication, while older members might resist changing a login routine they have known for decades
  • Device compatibility issues: Not all members may have passkey-ready devices
  • Vastly different usage patterns: Some members check their account daily while others may only log in once a year

Solution approach:

  • Keep it simple: passkeys should work exactly like unlocking a phone, something many users do more than 80 times a day. They use their face to unlock their phone, so make unlocking the member portal feel the same.
  • Avoid technical jargon: skip lengthy explanations (most users don't care about the technology)
  • Don't make the user think: The experience should be so intuitive that even infrequent users can log in effortlessly without thinking too much about the specific steps they need to perform.

3.2 Legacy system integration

Many super funds operate with some core components that are decades-old and weren't originally designed for modern authentication:

  • Mainframe compatibility: Legacy systems may require significant development to integrate passkey flows
  • Multiple authentication touchpoints: Member portals, mobile apps and call centres need a unified approach

Solution approach:

  • Don't rip out your existing IdP / CIAM: instead, add passkeys as an additional authentication method to your current setup. Keep everything else running - avoid turning this into a massive migration project when you can simply extend what you already have.
  • Use a smart fallback strategy: you cannot turn on passkeys overnight for all your members. There will be a transition period in which some members will want or need to stick with the current login method. Keep it as a fallback, while still moving most of your members to more secure and easier passkeys.

3.3 Regulatory and compliance requirements

Australian super funds operate under strict regulatory oversight:

  • APRA CPS 234 requirements: Must demonstrate information security capability
  • Privacy Act obligations: Biometric data handling requires careful consideration
  • Essential Eight framework: ACSC's maturity model increasingly requires phishing-resistant MFA, with passkeys meeting the highest standards

Solution approach:

  • Passkeys comply with modern regulation: Passkeys strongly support compliance objectives. They provide phishing-resistant authentication that aligns with APRA CPS 234's control objectives and meet the Essential Eight framework's requirements for phishing-resistant MFA at ML2-ML3. Rather than creating compliance challenges, passkeys strengthen your security posture while providing clear audit trails through authentication logs.
  • Leverage passkey expert know-how: Compliance still requires proper implementation, testing and maintenance of all required controls beyond just authentication. There are thousands of edge cases with passkeys at the scale of super funds. If you don't have the in-house know-how for passkeys, contact a passkey provider specialist like Corbado that can help with edge cases, common mistakes and how to implement passkeys in a fully compliant way.

4. Super Fund Passkey Implementation to go fully Passwordless

Achieving true passwordless authentication for super fund members is a strategic journey that requires careful planning, gradual implementation and continuous optimisation. Super funds must balance security improvements with the unique needs of their diverse member base.

4.1 The Complete Passwordless Journey

True passwordless security requires both eliminating passwords from primary authentication AND ensuring recovery processes are equally phishing-resistant.

Why passkeys alone aren't sufficient for super funds: Adding passkeys without removing passwords leaves the door open for attackers. As long as members can still log in with passwords, criminals will continue exploiting stolen credentials from other breaches. Even more concerning for super funds managing retirement savings, account recovery flows often become the weakest link. Attackers know that super fund members may not access their accounts frequently, making recovery processes prime targets for social engineering and SIM swapping attacks. Without securing both primary authentication AND recovery flows with phishing-resistant methods, super funds remain vulnerable to the very attacks passkeys are meant to prevent. Learn more about achieving fully passwordless authentication.

4.2 Phase 1: Add Passkeys

The first phase focuses on introducing passkeys as an additional authentication method while maintaining existing options as fallbacks. This foundation-building stage allows members time to understand and trust the new technology.

Key implementation steps for super funds:

  • Integrate passkey authentication into existing member portals and mobile apps
  • Enable passkey creation for new and existing members during login or account management
  • Maintain passwords and conventional MFA (e.g. SMS OTPs) as fallbacks
  • Track passkey creation and usage rates across different member demographics
  • Provide clear educational materials about the security and convenience benefits

4.3 Phase 2: Drive Passkey Adoption

Once passkeys are available, shift focus to making passkeys the preferred authentication method through strategic member engagement and optimisation.

Key Implementation Steps for Super Funds:

  • Make passkey authentication the default option in login flows
  • Implement intelligent prompts that encourage passkey creation after successful password logins
  • Educate members about benefits through targeted communications:
    • Security alerts about credential stuffing risks
    • Convenience messaging about faster account access
    • Personalised recommendations based on member profiles
  • Provide incentives for passkey adoption (e.g. enhanced account features, security badges)
  • Implement conditional access requiring passkeys for high-value transactions (withdrawals, beneficiary changes)

4.4 Phase 3: Go passwordless

This is where the real security transformation happens: removing passwords entirely for users who consistently use passkeys. This phase eliminates the primary attack vector by deactivating passwords for users who have demonstrated successful passkey adoption.

Key Implementation Steps:

  • Analyse user authentication patterns using intelligent monitoring systems
  • Identify users who exclusively use passkeys with multiple passkey-ready devices over a defined time span (e.g. 30 days, 90 days or 180 days)
  • Automatically turn off / remove passwords for these users
  • On top of that: offer password deactivation with clear security benefit messaging
  • Verify backup passkey availability (cloud-synced or multiple devices)

4.5 Phase 4: Phishing-resistant Recovery

The final phase addresses the last vulnerability: transforming account recovery into a phishing-resistant process. This phase ensures that recovery flows match the security level of primary authentication, preventing backdoor attacks.

Key Implementation Steps:

  • Implement multi-factor authentication with at least one phishing-resistant factor
  • Available phishing-resistant factors:
    • Backup Passkeys: Recovery passkeys stored on secondary devices or cloud services that provide cryptographic proof of identity (most widely available option)
    • Digital Credentials API: W3C standard for cryptographically verified identity assertions from trusted providers (emerging technology, not yet widespread)
    • Hardware Security Keys: Physical FIDO2 tokens registered as recovery factors that cannot be phished or duplicated (requires users to purchase and maintain physical devices)
  • Another option, while not 100% phishing-resistant but still far better than most other recovery methods today, is Identity Document Verification with Liveness Detection. Here, members scan a government-issued ID combined with real-time biometric actions to prove physical presence

Note on recovery options: While the Digital Credentials API and hardware security keys offer strong security, they're not yet widely adopted: the former is still emerging technology and the latter requires users to purchase physical devices.

When backup passkeys aren't available, identity document verification with liveness detection becomes a viable alternative. Despite potential workarounds to bypass liveness checks without physical ownership of an ID, these methods still provide significantly stronger security than traditional OTPs, which can be easily intercepted through phishing, SIM swapping or man-in-the-middle attacks.

5. Which Super Funds have already implemented Passkeys?

While the broader Australian banking sector is making significant strides in passkey adoption (with banks like UBank fully implementing passkeys and Commonwealth Bank, ANZ and NAB currently developing passkeys), super funds are still in the early stages of this critical security transformation. This presents both a challenge and an opportunity for forward-thinking funds to differentiate themselves in the market.

5.1 Current State of Passkey Adoption in Australian Super Funds

As of November 2025, the superannuation industry's adoption of passkeys remains limited but is gaining momentum. See our dedicated page on superannuation fund passkey adoption for details.

6. How Corbado can help

Corbado provides a comprehensive passkey adoption platform specifically designed for the unique needs of large financial institutions and super funds, accelerating implementation from years to months, with proven success in large-scale deployments like VicRoads' 5 million user implementation achieving up to 80% passkey activation rates.

From initial passkey implementation to achieving complete password elimination, Corbado's solution handles the technical complexity while providing the tools needed for successful user adoption.

Phase 1 & 2 Support: Corbado offers seamless passkey integration with existing authentication stacks, intelligent prompts that maximise adoption rates and detailed analytics to track passkey creation and usage patterns. The platform's Passkey Intelligence feature automatically optimises the user experience based on device capabilities and user behaviour, ensuring smooth onboarding.

Phase 3 & 4 Implementation: For organisations ready to remove passwords entirely, Corbado enables gradual password deactivation based on user readiness while maintaining secure, phishing-resistant recovery flows.

By handling cross-platform compatibility, fallback mechanisms and user experience optimisation, Corbado accelerates the passwordless transformation from years to months, allowing organisations to focus on their core business while achieving phishing-resistant authentication.

7. Conclusion

In this article, we have analysed the reasons why so many super funds are looking into passkeys and provided guidance on the implementation steps. Specifically, we have answered the following questions:

  • How can super funds implement passkeys effectively? Through a strategic four-phase journey that transforms authentication while maintaining member trust. Start by adding passkeys alongside existing methods, then drive adoption through intelligent prompts and member education. Once adoption reaches critical mass, begin removing passwords for members who consistently use passkeys. Finally, secure recovery flows with phishing-resistant methods to close all backdoors. This gradual approach ensures high adoption rates while avoiding member lockouts, typically achieving 50-80% passkey activation within months when properly executed.

  • What unique challenges do super funds face when deploying this technology? Super funds must navigate diverse member demographics ranging from digital natives to retirees, integrate with decades-old legacy systems, meet strict regulatory requirements including APRA CPS 234 and overcome member skepticism about new authentication methods. These challenges are significant but surmountable with proper planning and the right technology partner.

  • Which tangible benefits can your fund expect from making this transition? Beyond preventing credential stuffing, super funds implementing passkeys can expect a 70% reduction in authentication support costs, 4-6× faster member logins, a 95% decrease in password reset requests and positioning as market leaders in security innovation. Most importantly, passkeys provide the phishing-resistant authentication that completely eliminates the shared secret vulnerabilities that attackers exploit.

The question isn't whether your super fund should implement passkeys, but how quickly you can protect your members before the next attack. With the right approach and technology partner, the journey to passwordless authentication can begin today, securing your members' retirement savings for tomorrow.

Learn more about our enterprise-grade passkey solution.
