---
url: 'https://www.corbado.com/blog/how-superfunds-can-implement-passkeys'
title: 'How Super Funds can implement Passkeys'
description: 'Superannuation funds face unique passkey challenges: diverse demographics, legacy systems & strict compliance. Learn implementation strategies & solutions.'
lang: 'en'
author: 'Vincent Delitz'
date: '2025-11-03T14:09:59.603Z'
lastModified: '2026-03-27T07:01:52.783Z'
category: 'Authentication'
---

# How Super Funds can implement Passkeys

## 1. Introduction

The April 2025 [credential stuffing](https://www.corbado.com/glossary/credential-stuffing) attacks on Australian
[superannuation funds](https://www.corbado.com/blog/superannuation-funds-mfa-fsc-29) served as a stark wake-up
call: **traditional authentication methods can no longer protect members' retirement
savings.** These coordinated attacks exploited reused passwords across multiple platforms,
compromising thousands of member accounts and exposing the fundamental
[vulnerability](https://www.corbado.com/glossary/vulnerability) of password-based security.

**Passkeys offer a phishing-resistant authentication solution by eliminating shared
secrets entirely.** Using public-key cryptography, passkeys make
[credential stuffing](https://www.corbado.com/glossary/credential-stuffing) attacks impossible. Each passkey is
unique to a specific service, meaning stolen credentials from one breach cannot be
weaponised against your fund.

### 1.1 Key benefits of passkeys for super funds:

- **Prevent credential stuffing across member portals**: Unique cryptographic keys for
  each service eliminate password reuse [vulnerabilities](https://www.corbado.com/glossary/vulnerability)
- **100% phishing-resistant MFA for members**: Domain-bound authentication prevents
  members from being tricked into authenticating to fraudulent sites and it's the most
  member-friendly MFA you can roll out at scale
- **4-6x faster logins to member portals**:
  [One-tap](https://docs.corbado.com/corbado-connect/features/one-tap-login)
  [Face ID](https://www.corbado.com/faq/is-face-id-passkey) or Touch ID authentication takes seconds
- **Reduction in authentication and support costs**: Eliminate password / account reset
  tickets and SMS OTP charges
- **Decreased fraud-related losses**: Prevent unauthorized withdrawals and account
  takeovers that result in financial losses and harm your reputation

Throughout this article, we'll answer three critical questions every super fund executive
or tech / product leader should be asking:

1. How can [super funds](https://www.corbado.com/blog/superannuation-funds-mfa-fsc-29) implement passkeys
   effectively?
2. What unique challenges do [super funds](https://www.corbado.com/blog/superannuation-funds-mfa-fsc-29) face
   when deploying passkeys?
3. Which benefits can [super funds](https://www.corbado.com/blog/superannuation-funds-mfa-fsc-29) expect from
   implementing passkeys?

### 1.2 Why traditional authentication can't protect your members

The April 2025 attacks weren't sophisticated zero-day [exploits](https://www.corbado.com/glossary/exploit) or
advanced persistent threats. They were simple, automated
[credential stuffing](https://www.corbado.com/glossary/credential-stuffing) campaigns using passwords stolen from
unrelated breaches. **Attackers tested millions of username-password combinations against
super fund portals, successfully accessing accounts where members had reused credentials
and adequate MFA was in place.**

Traditional defences proved inadequate:

- **SMS OTPs were bypassed** through
  [SIM swapping](https://www.corbado.com/faq/sim-swapping-sms-authentication-risk) and social engineering
- **Security questions failed** as answers were often publicly available on social media
- **Account lockouts merely delayed attacks** without preventing eventual compromise
- **Password complexity requirements** didn't help when the exact passwords were already
  stolen

Passkeys solve these fundamental problems by replacing passwords with cryptographic proof.
**When a member authenticates with a passkey, they're proving possession of a private key
that is protected with the hardware security module (e.g. secure enclave, TPM) of their
device.** There's no password to steal, no secret to phish and no credential to stuff.

## Key Facts

- **Passkeys eliminate credential stuffing attacks** by using unique cryptographic keys
  for each service
- **100% phishing-resistant MFA** that prevents members from authenticating on fraudulent
  sites
- **4-6x faster logins** with one-tap Face ID or Touch ID authentication
- **Significant cost reduction** through fewer password resets and elimination of SMS OTP
  charges
- **Prevents unauthorized withdrawals** and account takeovers that result in financial
  losses

## 2. Which benefits do passkeys have for Super Funds

[Superannuation funds](https://www.corbado.com/blog/superannuation-funds-mfa-fsc-29) face unique security and
operational challenges that make passkeys particularly valuable. Beyond the obvious
security improvements, passkeys deliver measurable benefits across member experience,
operational costs and [regulatory compliance](https://www.corbado.com/blog/cybersecurity-frameworks).

### 2.1 Enhanced security against targeted attacks

Super funds are increasingly targeted by organised cybercrime groups who understand the
value of retirement savings. Passkeys provide multi-layered protection:

- **Immunity to phishing campaigns**: Even sophisticated
  spear-[phishing](https://www.corbado.com/glossary/phishing) targeting high-balance members fails because
  passkeys are domain-bound
- **Immunity against credential stuffing**: Passkeys eliminate credential stuffing attacks
  entirely as each passkey creates unique cryptographic signatures that cannot be reused
  across services, making stolen passwords from other breaches completely useless
- **Resilience against data breaches**: Compromised servers reveal only public keys, which
  are useless without the corresponding private keys on members' devices

### 2.2 Dramatic improvement in member experience

Member satisfaction directly impacts fund retention and growth. Passkeys transform the
authentication experience:

- **Login time reduction**: No more typing complex passwords or waiting for SMS codes
- **Reduction in password reset requests**: Members can't forget their face or fingerprint
- **Seamless cross-device access**: Cloud-synced passkeys (e.g. in
  [iCloud Keychain](https://www.corbado.com/glossary/icloud-keychain) or
  [Google Password](https://www.corbado.com/blog/how-to-use-google-password-manager) Member) work across all
  member devices
- **Accessibility improvements**:
  [Biometric authentication](https://www.corbado.com/blog/passkeys-biometric-authentication) helps members with
  disabilities who struggle with password entry or other MFA methods (e.g. TOTPs in
  [authenticator](https://www.corbado.com/glossary/authenticator) apps)

### 2.3 Significant cost reduction

Authentication-related costs represent a substantial operational burden for super funds.
Passkeys help to cut these costs and can make your passkey project pay for itself (see
this article to calculate a passkey [business case](https://www.corbado.com/blog/passkey-adoption-business-case))

- **Reduction in authentication support tickets**: No
  [password resets](https://www.corbado.com/faq/passkeys-reduce-password-resets-otp-costs) and less account
  recovery issues help you cut down support costs
- **Elimination of SMS OTP costs** : Save massivley on transactional costs for SMS
  delivery
- **Decreased fraud losses**: Prevent unauthorized withdrawals and account takeovers that
  would result in members losing their savings
- **Lower insurance premiums**: Demonstrable security improvements can reduce cyber
  [insurance](https://www.corbado.com/passkeys-for-insurance) costs

### 2.4 Competitive differentiation

In an increasingly commoditised market, security and user experience become key
differentiators. It's evident that members look for funds that protect their assets the
best and would switch easily to leaders.

- **Secure market leadership in cyber security**: First movers in
  [passkey adoption](https://www.corbado.com/blog/passkey-adoption-business-case) position themselves as
  innovation leaders
- **Improved member acquisition**: Security-conscious members actively seek funds with
  advanced protection
- **Enhanced trust and reputation**: Proactive security measures build member confidence
- **Future-proof authentication**: Align with global authentication standards before
  regulatory mandates and you are in pressure to quickly implement
  [phishing](https://www.corbado.com/glossary/phishing)-resistant MFA

The following screenshot is from a Reddit thread where the first members are activley
looking for super fund with passkeys in place:

![RedditThread.png](https://s3.eu-central-1.amazonaws.com/corbado-cloud-staging-website-assets/Reddit_Thread_44cc735cae.png)
_[Source: Reddit r/AusFinance - Low fee super fund with passkey login?](https://www.reddit.com/r/AusFinance/comments/1jtawog/low_fee_super_fund_with_passkey_login/)_

## 3. Which challenges do Super Funds face when implementing passkeys?

While passkeys offer compelling benefits, super funds face specific implementation
challenges that require careful consideration and planning. Each challenge, however, has
solution approaches that have been successfully deployed in practice.

### 3.1 Diverse member demographics

Super funds serve members ranging from digital natives to retirees with limited technical
experience:

- **Technology adoption varies widely**: Young professionals may embrace biometric
  authentication while older members might resist change to what they've known in logins
  for decades
- **Device compatibility issues**: Not all members may have passkey-ready devices
- **Vastly different usage patterns**: Some members check their account daily while others
  may only log in once a year

**Solution approach**:

- **Keep it simple:** passkeys should work exactly like unlocking a phone, what many users
  do up to +80 times a day. They use their Face to unlock their phone, so make the unlock
  experience to their member portal similar.
- **Avoid technical jargon:** skip lengthy explanations (most users don't care about the
  technology)
- **Don't make the user think**: The experience should be so intuitive that even
  infrequent users can log in effortlessly without thinking too much about the specific
  steps they need to perform.

### 3.2 Legacy system integration

Many super funds operate with some core components that are decades-old and weren't
originally designed for modern authentication:

- **Mainframe compatibility**: Legacy systems may require significant development to get
  passkey flows integrated
- **Multiple authentication touchpoints**: Member portals, mobile apps and call centres
  need unified approach

**Solution approach**:

- **Don't rip out your existing IdP / CIAM**: instead, add passkeys as an additional
  authentication method to your current setup. Keep everything else running - avoid
  turning this into a massive migration project when you can simply extend what you
  already have.
- **Use a smart fallback strategy**: you cannot turn on passkeys over night for all your
  members. There will be a transition period, where some members will or need to stick to
  the current login method. Keep it as fallback, while still pushing most of your members
  to more secure and easier passkeys.

### 3.3 Regulatory and compliance requirements

Australian super funds operate under strict regulatory oversight:

- **APRA CPS 234 requirements**: Must demonstrate information security capability
- **Privacy Act obligations**: Biometric data handling requires careful consideration
- **Essential Eight framework**: ACSC's maturity model increasingly requires
  [phishing](https://www.corbado.com/glossary/phishing)-resistant MFA, with passkeys meeting the highest
  standards

**Solution approach**:

- **Passkeys comply with modern regulation**: Passkeys strongly support compliance
  objectives. They provide phishing-resistant authentication that aligns with APRA CPS
  234's control objectives and meet the Essential Eight framework's requirements for
  phishing-resistant MFA at ML2-ML3. Rather than creating compliance challenges, passkeys
  strengthen your security posture while providing clear audit trails through
  authentication logs.
- **Leverage passkey expert know-how**: Compliance still requires proper implementation,
  testing and maintaining all required controls beyond just authentication. There are
  thousands of edge cases with passkeys at the scale of super funds. If you don't have the
  in-house know-how for passkeys, contact a [passkey provider](https://www.corbado.com/blog/passkey-providers)
  specialist like Corbado that can help on edge cases, common mistakes and how to
  implement passkeys fully compliant.

## 4. Super Funds Passkeys Implementation to go fully Passwordless

Achieving true [passwordless authentication](https://www.corbado.com/glossary/passwordless-authentication) for
super fund members is a strategic journey that requires careful planning, gradual
implementation and continuous optimisation. Super funds must balance security improvements
with the unique needs of their diverse member base.

### 4.1 The Complete Passwordless Journey

True passwordless security requires both eliminating passwords from primary authentication
AND ensuring recovery processes are equally phishing-resistant.

**Why passkeys alone aren't sufficient for super funds:** Adding passkeys without removing
passwords leaves the door open for attackers. As long as members can still log in with
passwords, criminals will continue exploiting stolen credentials from other breaches. Even
more concerning for super funds managing retirement savings, account recovery flows often
become the weakest link. Attackers know that super fund members may not access their
accounts frequently, making recovery processes prime targets for social engineering and
[SIM swapping](https://www.corbado.com/faq/sim-swapping-sms-authentication-risk) attacks. Without securing both
primary authentication AND recovery flows with phishing-resistant methods, super funds
remain vulnerable to the very attacks passkeys are meant to prevent. Learn more about
achieving fully [passwordless authentication](https://www.corbado.com/glossary/passwordless-authentication).

![PasswordlessJourney.png](https://s3.eu-central-1.amazonaws.com/corbado-cloud-staging-website-assets/Passwordless_Journey_1200e4eede.png)

### 4.2 Phase 1: Add Passkeys

The first phase focuses on **introducing passkeys as an additional authentication method**
while maintaining existing options as fallbacks. This foundation-building stage allows
members time to understand and trust the new technology.

**Key implementation steps for super funds:**

- Integrate passkey authentication into existing member portals and mobile apps
- Enable [passkey creation](https://www.corbado.com/blog/passkey-creation-best-practices) for new and existing
  members during login or account management
- Maintain passwords and conventional MFA (e.g. SMS OTPs) as fallbacks
- Track [passkey creation](https://www.corbado.com/blog/passkey-creation-best-practices) and usage rates across
  different member demographics
- Provide clear educational materials about the security and convenience benefits

### 4.3 Phase 2: Drive Passkey Adoption

Once passkeys are available, shift focus to **making passkeys the preferred authentication
method** through strategic member engagement and optimisation.

**Key Implementation Steps for Super Funds:**

- Make passkey authentication the default option in login flows
- Implement intelligent prompts that encourage
  [passkey creation](https://www.corbado.com/blog/passkey-creation-best-practices) after successful password
  logins
- Educate members about benefits through targeted communications:
    - Security alerts about credential stuffing risks
    - Convenience messaging about faster account access
    - Personalised recommendations based on member profiles
- Provide incentives for [passkey adoption](https://www.corbado.com/blog/passkey-adoption-business-case) (e.g.
  enhanced account features, security badges)
- Implement conditional access requiring passkeys for high-value transactions
  (withdrawals, beneficiary changes)

![Automatic Passkey Login Approach](Automatic_passkey_login_approach_corbado.webp)

### 4.4 Phase 3: Go passwordless

This is where the real security transformation happens: **removing passwords entirely for
users who consistently use passkeys**. This phase eliminates the primary attack vector by
deactivating passwords for users who have demonstrated successful
[passkey adoption](https://www.corbado.com/blog/passkey-adoption-business-case).

**Key Implementation Steps:**

- Analyse user authentication patterns using
  [intelligent monitoring systems](https://docs.corbado.com/corbado-connect/features/passkey-intelligence)
- Identify users who exclusively use passkeys with multiple passkey-ready devices over a
  defined time span (e.g. 30 days, 90 days or 180 days)
- Automatically turn off / remove passwords for these users
- On top of that: offer password deactivation with clear security benefit messaging
- Verify backup [passkey availability](https://www.corbado.com/faq/are-passkeys-available) (cloud-synced or
  multiple devices)

### 4.5 Phase 4: Phishing-resistant Recovery

The final phase addresses the last [vulnerability](https://www.corbado.com/glossary/vulnerability):
**transforming account recovery into a phishing-resistant process**. This phase ensures
that recovery flows match the security level of primary authentication, preventing
backdoor attacks.

**Key Implementation Steps:**

- Implement multi-factor authentication with at least one phishing-resistant factor
- Available phishing-resistant factors:
    - **Backup Passkeys**: Recovery passkeys stored on secondary devices or cloud services
      that provide cryptographic proof of identity (most widely available option)
    - **Digital Credentials API**: W3C standard for cryptographically verified identity
      [assertions](https://www.corbado.com/glossary/assertion) from trusted providers (emerging technology, not
      yet widespread)
    - **Hardware Security Keys**: Physical [FIDO2](https://www.corbado.com/glossary/fido2) tokens registered as
      recovery factors that cannot be phished or duplicated (requires users to purchase
      and maintain physical devices)
- Another option, while not 100% phishing-resistant but still far better to most other
  recovery methods today is **Identity Document Verification with Liveness Detection**.
  Here, members scan [Government](https://www.corbado.com/passkeys-for-public-sector)-issued IDs combined with a
  real-time biometric actions to prove physical presence

**Note on recovery options:** While
[Digital Credentials API](https://www.corbado.com/blog/digital-credentials-api) and
[Hardware Security Keys](https://www.corbado.com/blog/best-fido2-hardware-security-keys) offer strong security,
they're not yet widely adopted, the former is still emerging technology and the latter
requires users to purchase physical devices.

When backup passkeys aren't available, identity
[document verification](https://www.corbado.com/blog/digital-identity-verification) with liveness detection
becomes a viable alternative. Despite potential workarounds to bypass liveness checks
without physical ownership of an ID, these methods still provide significantly stronger
security than traditional OTPs, which can be easily intercepted through phishing, SIM
swapping or man-in-the-middle attacks.

## 5. Which Super Funds have already implemented Passkeys?

While the broader Australian [banking](https://www.corbado.com/passkeys-for-banking) sector is making significant
strides in passkey adoption (with banks like UBank fully implementing passkeys and
Commonwealth Bank, ANZ and NAB currently developing passkeys), super funds are still in
the early stages of this critical security transformation. This presents both a challenge
and an opportunity for forward-thinking funds to differentiate themselves in the market.

### 5.1 Current State of Passkey Adoption in Australian Super Funds

As of November 2025, the superannuation industry's adoption of passkeys remains limited
but is gaining momentum. See our dedicated page on
[superannuation fund](https://www.corbado.com/passkeys-for-super-funds) passkey adoption for details.

## 6. How Corbado can help

Corbado provides a comprehensive
[passkey adoption platform](https://www.corbado.com/passkeys-for-banking) specifically
designed for the unique needs of large financial institutions and super funds,
accelerating implementation from years to months. With proven success in
[large-scale](https://www.corbado.com/blog/introducing-passkeys-large-scale-overview) deployments like
[VicRoads' 5 million user implementation achieving up to 80% passkey activation rates](https://fidoalliance.org/case-study-vicroads).

From initial passkey implementation to achieving complete password elimination, Corbado's
solution handles the technical complexity while providing the tools needed for successful
user adoption.

**Phase 1 & 2 Support:** Corbado offers
[seamless passkey integration](https://www.corbado.com/faq/identifier-first-approach-passkey-login) with existing
authentication stacks, intelligent prompts that maximise adoption rates and detailed
analytics to track passkey creation and usage patterns. The platform's
[Passkey Intelligence](https://docs.corbado.com/corbado-connect/features/passkey-intelligence)
feature automatically optimises the user experience based on device capabilities and user
behaviour, ensuring smooth onboarding.

**Phase 3 & 4 Implementation:** For organisations ready to remove passwords entirely,
Corbado enables gradual password deactivation based on user readiness while maintaining
secure, phishing-resistant recovery flows.

By handling cross-platform compatibility, fallback mechanisms and user experience
optimisation, Corbado accelerates the passwordless transformation from years to months,
allowing organisations to focus on their core business while achieving phishing-resistant
authentication.

## 7. Conclusion

In this article, we have analysed the reasons why so many super funds are looking into
passkeys and provided guidance on the implementation steps. Specifically, we have answered
the following questions:

- **How can super funds implement passkeys effectively?** Through a strategic four-phase
  journey that transforms authentication while maintaining member trust. Start by adding
  passkeys alongside existing methods, then drive adoption through intelligent prompts and
  member education. Once adoption reaches critical mass, begin removing passwords for
  members who consistently use passkeys. Finally, secure recovery flows with
  phishing-resistant methods to close all backdoors. This gradual approach ensures high
  adoption rates while avoiding member lockouts, typically achieving 50-80% passkey
  activation within months when properly executed.

- **What unique challenges do super funds face when deploying this technology?** Super
  funds must navigate diverse member demographics ranging from digital natives to
  retirees, integrate with decades-old legacy systems, meet strict regulatory requirements
  including APRA CPS 234 and overcome member skepticism about new authentication methods.
  These challenges are significant but surmountable with proper planning and the right
  technology partner.

- **Which tangible benefits can your fund expect from making this transition?** Beyond
  preventing the credential stuffing, super funds implementing passkeys can expect 70%
  reduction in authentication support costs, 4-6× faster member logins, 95% decrease in
  [password reset](https://www.corbado.com/blog/password-reset-increase-customer-retention) requests and
  positioning as market leaders in security innovation. Most importantly, passkeys provide
  the phishing-resistant authentication that completely eliminates the shared secret
  [vulnerabilities](https://www.corbado.com/glossary/vulnerability) that attackers [exploit](https://www.corbado.com/glossary/exploit).

The question isn't whether your super fund should implement passkeys, but how quickly you
can protect your members before the next attack. With the right approach and technology
partner, the journey to
[passwordless authentication](https://www.corbado.com/glossary/passwordless-authentication) can begin today,
securing your members' retirement savings for tomorrow.

## Frequently Asked Questions

### Why isn't adding passkeys to a super fund login flow enough to stop credential stuffing attacks?

Adding passkeys without removing passwords leaves the credential stuffing attack path
open, since criminals continue exploiting the password login option. Account recovery
flows are equally dangerous: attackers target infrequent super fund logins through SIM
swapping and social engineering on recovery processes. True protection requires
phishing-resistant primary authentication and phishing-resistant recovery flows.

### How do passkeys help Australian super funds meet APRA CPS 234 and Essential Eight compliance requirements?

Passkeys align directly with APRA CPS 234 information security control objectives and
satisfy the ACSC Essential Eight framework for phishing-resistant MFA at maturity levels
ML2 and ML3. Authentication logs provide clear audit trails for compliance documentation.
Biometric data never leaves the member's device, addressing Privacy Act obligations around
biometric data handling.

### How should a super fund handle passkey rollout for members who are older or less tech-savvy?

Super funds should mirror the phone-unlocking experience that many users perform up to 80
times daily, avoiding technical jargon and minimising required decision-making. Passwords
and SMS OTPs should remain as fallbacks during the transition period so no member is
locked out. Phased rollout with targeted education based on member demographics achieves
the best adoption across diverse member bases.

### What passkey activation rates can a super fund realistically expect, and how long does a full implementation take?

Super funds can achieve 50-80% passkey activation within months when using a structured
phased approach with intelligent prompts and member education. The VicRoads deployment
across 5 million users reached up to 80% activation, providing a comparable benchmark for
large Australian financial institutions. Partnering with a specialist provider can
compress what would otherwise be a multi-year transformation into a matter of months.