Which Superannuation Funds in Australia offer passkeys?

Passkeys are transforming how Australians can securely access and manage their retirement savings without the need for passwords. As the superannuation industry continues its digital transformation, the first funds are beginning to implement passkeys to enhance security for members, combat the growing threat of phishing and fraud, and improve the overall digital experience. This article covers which Australian superannuation funds currently support passkeys and why this technology is the future for securing your retirement nest egg.

Passkeys are a secure, passwordless authentication method based on the FIDO2 and WebAuthn standards. They offer a faster and safer way for members to access their super accounts by replacing traditional passwords with biometric authentication (like a fingerprint or facial recognition) or a device-based credential (like a PIN or screen lock pattern). Currently, UniSuper is a notable pioneer, having started to roll out passkeys to its members. Most other funds are in various stages of evaluation or continue to rely on other security methods like SMS codes. These institutions are looking towards passkeys to provide phishing-resistant security, reduce operational costs, and build member trust in their digital platforms.

• Passkeys prevent phishing and fraud: Superannuation accounts are high-value targets for cybercriminals. Passkeys are inherently phishing-resistant, as the underlying cryptographic key is bound to the fund's official website or app, preventing members from being tricked into giving away their credentials on fraudulent sites.

• Better user experience for members: The quick and simple login process using familiar device unlocking methods (e.g., Face ID, Touch ID, Windows Hello) makes it easier for members to check their balance, review investments, and manage their account. For most members, no extra hardware is needed, simplifying the process.

• Passkeys reduce operational costs for funds: Passkeys can decrease a fund's reliance on costly SMS-based two-factor authentication (2FA). They also lower the burden on call centres by reducing the high volume of password reset requests and account lockout incidents.

---

Superannuation funds are adopting passkeys to address the critical need for stronger security measures to protect members' retirement savings. Traditional passwords and even SMS-based 2FA are vulnerable to sophisticated phishing and social engineering attacks, which can lead to unauthorized access and fraudulent withdrawals. Regulatory bodies like APRA are increasingly focused on the information security controls of funds, pushing them to adopt stronger, more resilient authentication methods. Passkeys, based on the global FIDO2 and WebAuthn standards, directly meet this need by using public-key cryptography. This ensures no passwords or secrets are stored on servers where they could be stolen, making member accounts significantly safer.

• Phishing Resistance: Passkeys authenticate users without sharing secrets. The credential is cryptographically tied to the super fund's specific domain, rendering it useless on fraudulent sites.

• Support across devices: Passkeys allow members to use the devices they already own, like smartphones, tablets, and laptops, to securely access their accounts. Synced passkeys can be used across a member's devices, providing a seamless experience.

• Improved User Experience (UX): Passkeys provide a frictionless login process, reducing the frustration of forgotten passwords and making it easier for members to engage with and manage their retirement savings online.

The following provides an overview of the passkey support status for major Australian superannuation funds, based on available information. Adoption is still emerging but is expected to grow.

While the industry is moving towards stronger authentication, only a few pioneers have fully embraced passkeys for member accounts.

Yes! UniSuper is one of the first super funds in Australia to introduce passkeys. The fund is progressively rolling out this feature to its members to provide a more secure and convenient login experience.

Key highlights:

• Implementation: UniSuper began its phased rollout in mid-2025. New members are prompted to set up a passkey when they first register, while existing members are being notified of their eligibility to enroll.

• How it works: Members can use their device's built-in security, such as Face ID, fingerprint, or a PIN, to log in to their online account without needing a password.

• Optional for now: While strongly recommended for its security benefits, using a passkey is currently optional. Members can continue to log in with their password and an SMS verification code if they prefer.

UniSuper Passkeys

Yes, the WA Government's superannuation fund GESB (Government Employees Superannuation Board) offer passkeys since August 2025 for its roughly 250,000 members. They introduced passkeys in a phased appraoch, meaning that right now it's optional to use passkeys. In 2026, they'll move onto the next phase where all users will be mandated to either use a passkey or an authenticator app.

Rest Super's passkey support is currently in development. While the fund has introduced mandatory multi-factor authentication (MFA) using a 6-digit code sent via SMS, it is reportedly working on implementing the more advanced and secure passkey standard.

No. Allianz Retire+ does not currently support passkeys. The client portal uses standard username and password authentication, while the adviser portal includes SMS-based verification.

No. AMP Super does not currently offer passkey support. Logging in to My AMP requires a username and password, with password recovery handled via email or SMS. The AMP mobile app supports PIN and biometric authentication for convenient access, but this is separate from FIDO2 passkey technology.

No. Australian Food Super (formerly AMIST Super) does not currently offer passkey support for web logins. While the fund's mobile app supports biometric authentication including face recognition for convenient access, this is limited to the app experience and does not extend to FIDO2 passkey support.

No. Australian Retirement Trust does not currently support passkeys. The fund has launched a multi-factor authentication (MFA) feature for Member Online, which members can enable to better protect their accounts, typically using SMS or email verification codes.

No. AustralianSuper does not currently offer passkey support for member login. To enhance security, the fund has rolled out multi-factor authentication (MFA), which requires members to enter a six-digit verification code sent via SMS to their registered mobile number when logging in. Their mobile app also supports biometric login with a PIN, Touch ID, or Face ID, but this is separate from the FIDO passkey standard for web logins.

No. AvSuper, which merged with Australian Retirement Trust (ART) in May 2024, does not support passkeys. Members now access their accounts through the ART platform, which requires multi-factor authentication using SMS or email verification codes but has not yet implemented passkey technology.

No. Aware Super does not currently offer passkey support. The fund has implemented an extra security step for logging in, requiring members to enter a code sent via SMS to their registered mobile number after entering their password. The Aware Super app supports biometric login, but this does not extend to passkey support for their web portal.

No. Brighter Super does not currently offer passkey support. The fund has implemented mandatory multi-factor authentication requiring verification codes sent via SMS or email for secure login. The Brighter Super app supports PIN and biometric authentication for convenience, but this is separate from passkey technology.

No. BUSSQ does not currently support passkeys for member login. However, the fund has taken a progressive approach to security by offering members the option to use more secure app-based multi-factor authentication.

No. CareSuper does not currently offer passkey support. The web portal requires members to use mandatory two-factor authentication with verification codes sent via SMS or email. The CareSuper mobile app allows members to set up a PIN for quicker access, but this is separate from passkey technology.

No. Cbus Super does not currently offer passkey support. Access to the online account portal requires a username and password.

No. Colonial First State does not currently offer passkey support for its FirstNet member portal. The login process uses a Member ID (OIN) and password, with password resets verified by a secure code sent to a mobile number.

No. CSC, which manages super funds for Australian Government employees and members of the Defence Force, does not currently offer passkey support. The fund has implemented multi-factor authentication (MFA) for enhanced security, though the specific MFA methods vary by portal.

No. ElectricSuper does not currently support passkeys. While the fund has introduced a "new login process" that adds extra security layers including mandatory SMS-based verification codes, it has not yet adopted the FIDO2 passkey standard for passwordless authentication.

No. Equip Super (operated by Togethr Trustees) does not currently offer passkey support. The login process requires a password followed by additional verification through SMS and email codes, providing multi-factor authentication without the convenience and enhanced security of passkeys.

No. ESSSuper does not currently support passkeys for its Members Online portal. The fund uses traditional password-based authentication with optional SMS-based two-factor authentication for enhanced security.

No. Fiducian Portfolio Services does not currently offer passkey support. The investor login portal uses traditional username and password authentication. Members interested in enhanced security should ensure they use strong, unique passwords for their accounts.

No. Fire and Emergency Services Super Fund (FES Super) does not currently support passkeys. The Member Login portal relies on traditional password-based authentication methods without FIDO2 passkey capabilities.

No. First Super does not currently offer passkey support. The FirstOnline member portal uses standard password authentication for member access. Members should follow the fund's security recommendations for creating strong passwords.

No. Future Super does not currently support passkeys. However, the fund has implemented mandatory multi-factor authentication using authenticator apps, which represents a significant security upgrade over SMS-based verification and demonstrates their commitment to member account security.

No. GuildSuper (managed by Guild Trustee Services) does not currently offer passkey support for web logins. While the Member Online portal supports app-based biometric authentication for mobile users, this convenience feature is separate from FIDO2 passkey technology.

No. HESTA does not currently support passkeys for its main online account portal. The HESTA app allows members to log in using a PIN or biometrics like Face ID and fingerprint ID, but this is an app-specific feature and not a FIDO passkey.

No. Hostplus does not currently support passkeys for its Member Online portal. The fund has implemented multi-factor authentication requiring members to enter a verification code sent via SMS, email or voice call after entering their member number and password.

No. LegalSuper does not currently support passkeys. The fund has introduced multi-factor authentication through Okta for its MemberAccess portal, providing enhanced security through app-based verification rather than passkeys.

No. Mercer Super does not currently support passkeys. The fund uses multi-factor authentication, sending a unique verification code via SMS or email to verify a member's identity during login.

No. MIESF (Meat Industry Employees Superannuation Fund) does not currently offer passkey support.

No. MLC Super Fund, which is part of Insignia Financial, does not currently support passkeys for member login. The login process requires a Member ID or username and a password.

No. NESS Super does not currently support passkeys for web access. The MemberAccess portal requires a member number and password for login, with the mobile app offering biometric authentication as a convenience feature separate from passkey technology.

No. Netwealth Superannuation Services does not currently offer passkey support. The fund has implemented mandatory multi-factor authentication requiring SMS verification codes for all logins.

No. NGS Super does not currently support passkeys. The fund has implemented mandatory multi-factor authentication.

No. Prime Super does not currently offer passkey support. Notably, the fund has implemented different security levels for different user types - the employer portal requires authenticator app-based MFA while the member portal uses standard password authentication, though passkeys are not yet available for either.

No. REI Super does not currently support passkeys. The fund has implemented multi-factor authentication for enhanced security and maintains a cyber safety page to educate members about online security best practices.

No. SA Metropolitan Fire Service Super Scheme does not currently offer passkey support. The fund implemented standard code-based multi-factor authentication in 2019 but has not yet transitioned to FIDO2 passkey technology.

No. SAS Trustee Corporation (State Super NSW) does not currently support passkeys. Members access their State Super accounts through the Pillar services platform using traditional password-based authentication methods.

No, Spirit Super does not currently offer passkey support and relies on traditional login methods.

No. Super SA does not currently offer passkey support. The member login portal requires mandatory SMS-based two-factor authentication for security but has not yet implemented passkey technology.

No. Team Super (which includes members from the former Mine Super following their 2025 merger) does not currently offer passkey support. The fund requires mandatory multi-factor authentication at login using verification codes, but has not yet implemented passkeys.

No. TelstraSuper does not currently support passkeys. The fund has made multi-factor authentication mandatory at login for all members, requiring verification codes for access, demonstrating a strong commitment to security while not yet adopting passwordless authentication.

No. Vanguard Super does not currently offer passkey support. The fund uses traditional password-based authentication with two-factor authentication at login for enhanced security, but has not yet implemented FIDO2 passkey technology.

No, Vision Super does not currently offer passkey support and relies on traditional login methods.

No. Zurich Financial Services Australia does not currently offer passkey support for superannuation accounts. The My Zurich portal uses traditional password-based authentication for member access.

Support for hardware security keys (like YubiKeys) is directly tied to a fund's adoption of the FIDO2/passkey standard. Since these keys are a form of "device-bound" passkey, they can only be used with funds that have implemented passkey authentication.

Key insights:

• Early Adopter Support: Funds that have implemented passkeys, such as UniSuper, typically also support the use of physical security keys as a high-security login option.

• Limited Industry-Wide Support: For the majority of super funds that have not yet adopted the passkey standard, hardware security keys cannot be used as a login method.

• Gold Standard Security: For members of funds that do support them, hardware keys offer the highest level of security, as the credential can never be copied from the physical device.

The Australian superannuation industry is beginning to transition towards passwordless authentication to protect members' life savings from the growing risk of phishing, fraud, and credential theft. Driven by regulatory pressure for stronger security and member demand for easier digital access, funds are looking to modern solutions like passkeys to replace outdated and vulnerable password-based systems.

The shift away from passwords in the superannuation sector is expected to happen in phases to ensure a smooth transition for millions of members:

1. Current state: A hybrid model is emerging, where pioneering funds like UniSuper offer passkeys as an optional, superior alternative to passwords and SMS codes. Most other funds remain on legacy password and SMS 2FA systems.

2. Near future: More funds are expected to introduce passkeys, initially as an opt-in feature. They will likely encourage adoption by highlighting the security and convenience benefits.

3. Long-term goal: A fully passwordless experience for managing superannuation, where passwords are no longer the primary method for logging in, significantly raising the security standard across the industry.

For individual members, passkeys offer a far more secure and user-friendly way to manage their super. Unlike other security methods, passkeys often:

✅ Do not require members to purchase any additional hardware.

✅ Are built into the smartphones and computers that members use every day.

✅ Can work seamlessly across a member's personal devices through cloud sync.

✅ Provide a fast, familiar, and frictionless login experience using a fingerprint or face scan.

Given these advantages, passkeys are set to become the preferred standard for securing member accounts, offering a powerful combination of security and convenience.

The adoption of passwordless authentication for employer portals may proceed at a different pace. This is due to factors such as:

• The need for integration with diverse payroll and business software systems.

• Corporate IT security policies that may have their own established authentication methods.

• The need to manage access for multiple authorized users within a single business account.

While passkeys are ideal for securing these portals, their rollout may be more gradual and tailored to the specific needs of business users.

The Australian superannuation industry is moving towards a passwordless future, driven by the clear need for stronger security. Passkeys provide:

• Phishing resistance: Fundamentally protecting members' retirement savings from credential theft.

• Faster login times: Improving the member experience and reducing friction when accessing account information.

• Cost savings: Reducing operational expenses for funds related to SMS codes and password-reset support calls.

• Industry alignment: Following global FIDO standards for secure authentication, as adopted by the world's leading technology companies and financial institutions.

As passkey adoption grows, members will increasingly expect this level of security and convenience from their super fund. By embracing passkeys, funds can meet these expectations while significantly strengthening the protection of their members' financial future.