Which Superannuation Funds in Australia offer passkeys?

Passkeys are transforming how Australians can securely access and manage their retirement savings without the need for passwords. As the superannuation industry continues its digital transformation, the first funds are beginning to implement passkeys to enhance security for members, combat the growing threat of phishing and fraud, and improve the overall digital experience. This article covers which Australian superannuation funds currently support passkeys and why this technology is the future for securing your retirement nest egg.

Passkeys are a secure, passwordless authentication method based on the FIDO2 and WebAuthn standards. They offer a faster and safer way for members to access their super accounts by replacing traditional passwords with biometric authentication (like a fingerprint or facial recognition) or a device-based credential (like a PIN or screen lock pattern). Currently, UniSuper is a notable pioneer, having started to roll out passkeys to its members. Most other funds are in various stages of evaluation or continue to rely on other security methods like SMS codes. These institutions are looking towards passkeys to provide phishing-resistant security, reduce operational costs, and build member trust in their digital platforms.

• Passkeys prevent phishing and fraud: Superannuation accounts are high-value targets for cybercriminals. Passkeys are inherently phishing-resistant, as the underlying cryptographic key is bound to the fund's official website or app, preventing members from being tricked into giving away their credentials on fraudulent sites.

• Better user experience for members: The quick and simple login process using familiar device unlocking methods (e.g., Face ID, Touch ID, Windows Hello) makes it easier for members to check their balance, review investments, and manage their account. For most members, no extra hardware is needed, simplifying the process.

• Passkeys reduce operational costs for funds: Passkeys can decrease a fund's reliance on costly SMS-based two-factor authentication (2FA). They also lower the burden on call centres by reducing the high volume of password reset requests and account lockout incidents.

---

Superannuation funds are adopting passkeys to address the critical need for stronger security measures to protect members' retirement savings. Traditional passwords and even SMS-based 2FA are vulnerable to sophisticated phishing and social engineering attacks, which can lead to unauthorized access and fraudulent withdrawals. Regulatory bodies like APRA are increasingly focused on the information security controls of funds, pushing them to adopt stronger, more resilient authentication methods. Passkeys, based on the global FIDO2 and WebAuthn standards, directly meet this need by using public-key cryptography. This ensures no passwords or secrets are stored on servers where they could be stolen, making member accounts significantly safer.

• Phishing Resistance: Passkeys authenticate users without sharing secrets. The credential is cryptographically tied to the super fund's specific domain, rendering it useless on fraudulent sites.

• Support across devices: Passkeys allow members to use the devices they already own, like smartphones, tablets, and laptops, to securely access their accounts. Synced passkeys can be used across a member's devices, providing a seamless experience.

• Improved User Experience (UX): Passkeys provide a frictionless login process, reducing the frustration of forgotten passwords and making it easier for members to engage with and manage their retirement savings online.

The following provides an overview of the passkey support status for major Australian superannuation funds, based on available information. Adoption is still emerging but is expected to grow.

While the industry is moving towards stronger authentication, only a few pioneers have fully embraced passkeys for member accounts.

Yes! UniSuper is one of the first super funds in Australia to introduce passkeys. The fund is progressively rolling out this feature to its members to provide a more secure and convenient login experience.

Key highlights:

• Implementation: UniSuper began its phased rollout in mid-2025. New members are prompted to set up a passkey when they first register, while existing members are being notified of their eligibility to enroll.

• How it works: Members can use their device's built-in security, such as Face ID, fingerprint, or a PIN, to log in to their online account without needing a password.

• Optional for now: While strongly recommended for its security benefits, using a passkey is currently optional. Members can continue to log in with their password and an SMS verification code if they prefer.

UniSuper Passkeys

Rest Super's passkey support is currently in development. While the fund has introduced mandatory multi-factor authentication (MFA) using a 6-digit code sent via SMS, it is reportedly working on implementing the more advanced and secure passkey standard.

No. AustralianSuper does not currently offer passkey support for member login. To enhance security, the fund has rolled out multi-factor authentication (MFA), which requires members to enter a six-digit verification code sent via SMS to their registered mobile number when logging in. Their mobile app also supports biometric login with a PIN, Touch ID, or Face ID, but this is separate from the FIDO passkey standard for web logins.

No. Australian Retirement Trust does not currently support passkeys. The fund has launched a multi-factor authentication (MFA) feature for Member Online, which members can enable to better protect their accounts, typically using SMS or email verification codes.

No. Aware Super does not currently offer passkey support. The fund has implemented an extra security step for logging in, requiring members to enter a code sent via SMS to their registered mobile number after entering their password. The Aware Super app supports biometric login, but this does not extend to passkey support for their web portal.

No. Hostplus does not currently support passkeys for its Member Online portal. Access requires a member number and password, with some app-based functions using SMS, voice call, or email for MFA.

No. HESTA does not currently support passkeys for its main online account portal. The HESTA app allows members to log in using a PIN or biometrics like Face ID and fingerprint ID, but this is an app-specific feature and not a FIDO passkey.

No. Cbus Super does not currently offer passkey support. Access to the online account portal requires a username and password.

No, Spirit Super does not currently offer passkey support and relies on traditional login methods.

No, Brighter Super does not currently offer passkey support and relies on traditional login methods.

No, Vision Super does not currently offer passkey support and relies on traditional login methods.

No. Mercer Super does not currently support passkeys. The fund uses multi-factor authentication, sending a unique verification code via SMS or email to verify a member's identity during login.

No. Colonial First State does not currently offer passkey support for its FirstNet member portal. The login process uses a Member ID (OIN) and password, with password resets verified by a secure code sent to a mobile number.

No. AMP Super does not currently offer passkey support. Logging in to My AMP requires a username and password, and password recovery is handled via email or SMS.

No. CSC, which manages super funds for Australian Government employees and members of the Defence Force, does not currently offer passkey support. Access to their member portals relies on a username and password, with some services using SMS codes for two-factor authentication.

No. MLC Super Fund, which is part of Insignia Financial, does not currently support passkeys for member login. The login process requires a Member ID or username and a password.

Support for hardware security keys (like YubiKeys) is directly tied to a fund's adoption of the FIDO2/passkey standard. Since these keys are a form of "device-bound" passkey, they can only be used with funds that have implemented passkey authentication.

Key insights:

• Early Adopter Support: Funds that have implemented passkeys, such as UniSuper, typically also support the use of physical security keys as a high-security login option.

• Limited Industry-Wide Support: For the majority of super funds that have not yet adopted the passkey standard, hardware security keys cannot be used as a login method.

• Gold Standard Security: For members of funds that do support them, hardware keys offer the highest level of security, as the credential can never be copied from the physical device.

The Australian superannuation industry is beginning to transition towards passwordless authentication to protect members' life savings from the growing risk of phishing, fraud, and credential theft. Driven by regulatory pressure for stronger security and member demand for easier digital access, funds are looking to modern solutions like passkeys to replace outdated and vulnerable password-based systems.

The shift away from passwords in the superannuation sector is expected to happen in phases to ensure a smooth transition for millions of members:

1. Current state: A hybrid model is emerging, where pioneering funds like UniSuper offer passkeys as an optional, superior alternative to passwords and SMS codes. Most other funds remain on legacy password and SMS 2FA systems.

2. Near future: More funds are expected to introduce passkeys, initially as an opt-in feature. They will likely encourage adoption by highlighting the security and convenience benefits.

3. Long-term goal: A fully passwordless experience for managing superannuation, where passwords are no longer the primary method for logging in, significantly raising the security standard across the industry.

For individual members, passkeys offer a far more secure and user-friendly way to manage their super. Unlike other security methods, passkeys often:

✅ Do not require members to purchase any additional hardware.

✅ Are built into the smartphones and computers that members use every day.

✅ Can work seamlessly across a member's personal devices through cloud sync.

✅ Provide a fast, familiar, and frictionless login experience using a fingerprint or face scan.

Given these advantages, passkeys are set to become the preferred standard for securing member accounts, offering a powerful combination of security and convenience.

The adoption of passwordless authentication for employer portals may proceed at a different pace. This is due to factors such as:

• The need for integration with diverse payroll and business software systems.

• Corporate IT security policies that may have their own established authentication methods.

• The need to manage access for multiple authorized users within a single business account.

While passkeys are ideal for securing these portals, their rollout may be more gradual and tailored to the specific needs of business users.

The Australian superannuation industry is moving towards a passwordless future, driven by the clear need for stronger security. Passkeys provide:

• Phishing resistance: Fundamentally protecting members' retirement savings from credential theft.

• Faster login times: Improving the member experience and reducing friction when accessing account information.

• Cost savings: Reducing operational expenses for funds related to SMS codes and password-reset support calls.

• Industry alignment: Following global FIDO standards for secure authentication, as adopted by the world's leading technology companies and financial institutions.

As passkey adoption grows, members will increasingly expect this level of security and convenience from their super fund. By embracing passkeys, funds can meet these expectations while significantly strengthening the protection of their members' financial future.