Which Public Sector Organizations offer Passkeys?

Passkeys in the public sector are transforming how citizens access essential government services securely and without passwords. Across the globe, government agencies are beginning to implement passkeys to enhance national cybersecurity, protect citizen data from fraud, and improve the accessibility of digital services. This article covers which public sector organizations support passkeys and why this technology is the future of government digital identity.

Passkeys are a secure, passwordless authentication method based on the FIDO2 and WebAuthn standards. They offer a faster and safer way for citizens to access government portals by replacing traditional passwords with biometric authentication (like a fingerprint or facial recognition) or a device-based credential (like a PIN or screen lock pattern). Early adopters like Australia's myGov and the US State of Michigan and and US federal government's Login.gov have fully implemented passkeys. Other major government bodies, including the UK, are actively developing and rolling out passkey capabilities. These organizations are leveraging passkeys to provide phishing-resistant security, reduce administrative costs, and build public trust in digital services.

• Passkeys prevent phishing and fraud: Government services are a major target for phishing attacks. Passkeys are inherently phishing-resistant because the credential is cryptographically bound to the official government domain, neutralizing attacks that aim to steal citizen data.
• Better user experience and digital inclusion: The quick and simple login process using familiar device biometrics (e.g., Face ID, Touch ID, Windows Hello) makes digital services more accessible and easier to use for all citizens, which can boost adoption of online portals.
• Passkeys reduce operational costs: Passkeys significantly reduce the government's reliance on expensive SMS verification methods. They also lower the burden on help desks by decreasing the volume of password reset requests and account lockout incidents, leading to substantial cost savings.

---

Public sector organizations are adopting passkeys to address the urgent need for stronger cybersecurity and to provide citizens with more accessible and efficient digital services. Traditional authentication methods are vulnerable to phishing and credential theft, which pose a significant risk to sensitive citizen data and national security. Government mandates, such as the US Executive Order on Strengthening Cybersecurity, are explicitly pushing for the adoption of phishing-resistant multi-factor authentication (MFA). Passkeys, built on the FIDO2 and WebAuthn standards, directly meet these requirements by using public-key cryptography, which eliminates shared secrets and makes accounts dramatically more secure. By improving the user experience, passkeys also help governments increase digital participation and reduce the administrative costs associated with legacy systems.

• Phishing Resistance: Passkeys authenticate users without transmitting any secrets. The credential is bound to the official government domain, rendering it useless on fraudulent sites and protecting citizens from phishing attacks.
• Support across devices: Passkeys allow citizens to use the devices they already own - like smartphones and laptops - to securely access services. Synced passkeys can be used across a citizen's devices, providing a seamless experience.
• Improved User Experience (UX): Passkeys provide a frictionless authentication process for accessing critical services like tax filing, healthcare, and social services, reducing login failures and improving citizen satisfaction.

The following provides an overview of the passkey support status for selected major government digital identity platforms. Adoption is accelerating as governments prioritize cybersecurity and citizen experience.

Note: "Fully implemented" refers to a publicly available, passwordless login option. "In development" indicates an announced or partial rollout. "Not yet available" indicates no confirmed FIDO passkey support was found.

Passkey adoption in the US public sector is driven by a federal mandate to move toward phishing-resistant authentication.

Yes! Login.gov has fully implemented passkeys, providing a secure, passwordless login option for citizens accessing federal government services. Users can set up and use passkeys through methods like "face or touch unlock" or FIDO-compliant security keys. This implementation allows for a more streamlined and phishing-resistant authentication experience, replacing the traditional need for a password at sign-in.

Yes! The State of Michigan is a pioneer in the US public sector and has fully implemented a "Passwordless Login" option for its MiLogin portal, which provides access to services like myHealthButton. This feature allows users to enroll their device and use biometrics (fingerprint, face scan) or a PIN to access their accounts without a password.

Australia has been a global leader in adopting passkeys for government services.

Yes! The Australian government has fully implemented passkeys for its myGov portal, which is the gateway to essential services like the Australian Taxation Office (ATO) and Medicare. The rollout was announced in late 2023 and launched in mid-2024. The myGov website provides extensive documentation for users on how to create and manage passkeys using biometrics, device PINs, or physical security keys.

Adoption across Europe is varied, with the UK making significant progress and the EU planning a large-scale digital identity framework.

The UK government's passkey support is in development. In 2025, the government announced plans to roll out passkey technology for its GOV.UK One Login service to replace the current, less secure SMS-based verification system. The National Cyber Security Centre (NCSC) is actively exploring and encouraging this transition, with the goal of making passkeys an option for all citizens to access government services. The NHS is noted as one of the first government bodies in the world to offer passkeys to its users.

No. Germany's national identity platform, BundID, does not yet offer passkey support. The system currently relies on a tiered authentication model using either a username and password, an ELSTER tax certificate, or the high-assurance electronic ID (eID) function of the national identity card.

Yes! Germany's Federal Employment Agency (Bundesagentur für Arbeit), including its Jobcenter portals, has fully implemented passkeys. Rolled out in early 2025, the system allows users to log in securely with a passkey instead of a password. Citizens can use their device's biometrics (fingerprint, face scan) or a PIN for a faster and more secure login experience. The setup is managed within the user's account settings, and it is offered alongside other secure methods like BundID and traditional password with TOTP.

No. FranceConnect does not directly offer passkeys. It is a federated identity system that allows users to log in to various government services using existing credentials from partner providers like the tax authority (Impots.gouv.fr) or the postal service (La Poste). It simplifies access but relies on the security of the original account, which is typically a username and password.

Passkey adoption in the Asian public sector is still emerging, with most national ID systems relying on other technologies.

No. India's Aadhaar system, one of the largest digital identity programs in the world, does not use FIDO passkeys. Accessing the e-Aadhaar document requires a password derived from the user's name and birth year, and online verification relies on One-Time Passcodes (OTPs) sent to a registered mobile number.

No. Japan's national identity system does not currently use passkeys in the modern FIDO2/WebAuthn sense. The system is built on a Public Key Infrastructure (JPKI) where the user's electronic certificate is stored on the IC chip of their physical "My Number Card." While this is a form of public-key cryptography, it is distinct from the user-friendly, device-based passkey systems being adopted elsewhere.

No. Indonesia is developing a national digital ID called Identitas Kependudukan Digital (IKD), which will be integrated into a single sign-on portal called INA Pass. However, the current system relies on passwords and biometrics for verification and does not yet support FIDO passkeys.

No. Singapore's national digital identity, Singpass, does not currently support FIDO passkeys. It uses its own mobile app for authentication, which requires a fingerprint, face scan, or a 6-digit passcode. It also supports SMS One-Time Passwords as a 2FA method.

Outside of the US, passkey adoption in the Americas is still in its early stages.

No. The Government of Canada's GCKey service does not offer passkey support. It operates on a traditional model requiring a username and password, followed by a mandatory two-factor authentication step using either an authenticator app or a one-time code sent to an email address.

No. Brazil's central government portal, Gov.br, does not appear to offer passkey support. The system relies on a traditional email and password login, and its national identity program is focused on the issuance of a new biometric national ID card.

Digital identity initiatives are growing across Africa, but FIDO passkey adoption is not yet widespread.

No. Nigeria recently launched its NINAuth mobile app to serve as the official platform for verifying the National Identification Number (NIN). While it is a modern digital identity solution, it functions as a dedicated app for authentication and is not based on the FIDO passkey standard.

Yes, many government organizations that are adopting passkeys also explicitly support or recommend hardware security keys. These physical keys are a form of "device-bound" passkey and are considered the gold standard for security.

Key insights:

• High-Security Standard: US agencies like the Cybersecurity & Infrastructure Security Agency (CISA) refer to FIDO security keys as the most secure form of multi-factor authentication.
• Supported by Early Adopters: Government platforms that have implemented passkeys, such as Australia's myGov and the US's Login.gov, allow citizens to register and use hardware security keys.
• Recommended for High-Risk Users: Hardware keys are often recommended for government employees, contractors, or citizens who require the highest level of protection for their accounts.

Governments worldwide are moving toward passwordless authentication to provide citizens with secure and easy access to digital services. This transition is driven by the need to defend against cyber threats, reduce administrative costs, and increase digital participation.

The move away from passwords in government services is happening gradually. Most public sector organizations are implementing a hybrid model during the transition:

1. Current state: Passkeys are offered as an optional alternative to traditional usernames and passwords. This allows tech-savvy citizens to adopt the new technology while ensuring those less comfortable can continue using familiar methods.
2. Near future: A "passkey-first" approach will become more common, where passkeys are presented as the default and recommended login method, with passwords available as a fallback.
3. Long-term goal: A fully passwordless experience for accessing government services, where passwords are no longer used, dramatically increasing security and simplifying access for all citizens.

For citizen-facing services, the primary goal of passwordless authentication is to increase accessibility and trust. Passkeys are ideal for this because they:

✅ Are built into the smartphones and computers that most citizens already use.

✅ Do not require citizens to remember complex passwords for different government portals.

✅ Provide a faster and less frustrating login experience, encouraging more people to use digital services.

✅ Are inherently phishing-resistant, protecting citizens from common scams.

For internal government systems and employees, the focus of passwordless authentication is on maximum security and compliance with strict regulations. Passkeys are being adopted to:

• Secure access for government employees and contractors, especially those who may not be eligible for traditional smart cards (like PIV cards in the US).
• Align with "Zero Trust" security architectures, which require strict verification for every access request.
• Provide a secure and efficient way for employees to access multiple government IT systems with a single, phishing-resistant credential.

The public sector is increasingly recognizing that passkeys are the future of digital identity for citizens and government employees alike. This shift is driven by the clear and compelling benefits that passkeys provide:

• Phishing-resistant security: Protecting sensitive citizen data and national infrastructure from the most common form of cyberattack.
• Improved citizen experience: Making it easier and faster for people to access the essential services they need.
• Significant cost savings: Reducing reliance on expensive SMS verification and lowering the high costs of help desk support for password resets.
• Regulatory alignment: Meeting the requirements of modern cybersecurity mandates that call for strong, phishing-resistant multi-factor authentication.

As more governments lead by example, passkeys are set to become the standard for secure and accessible digital public services worldwide.