From passwords to passwordless: building Australia's next cybersecurity frontier
Over the past decade, we’ve seen major technological innovation in Australia and across the world in areas such as artificial intelligence, quantum computing, and renewable energy. However, one crucial practice has stayed the same: passwords.
They have become a default option for both individuals and organisations, with over 300 billion passwords currently being used globally. Yet passwords are responsible for 83% of global data breaches, and in Australia, compromised credentials were the primary cause of cyber incidents in FY2023–24.
So, why isn’t there more urgency to address outdated password practices – and where can organisations begin?
With 1 May marking World Password Day, it’s the perfect time to reflect on this question. For Australia to secure its future in the digital age, the transition to a passwordless model will be essential. However, it will require organisations to move away from old habits, outdated technology, and traditional approaches to cybersecurity.
The cost of hanging onto the past
Despite the availability of more secure technologies, many organisations continue to rely on passwords as their primary method of authentication. This reliance is an increasing liability, exposing businesses to a range of vulnerabilities. While practices like regular password changes and multi-factor authentication (MFA) have traditionally been viewed as safeguards, they are no longer sufficient to protect against sophisticated cyber threats.
Passwords remain the weakest link in the security chain, vulnerable to aggressive hacking techniques such as phishing and ‘credential stuffing’, where stolen username and password combinations are used in an automated process to log into multiple accounts. And while the media may report on a few prominent cases, in reality there are millions of password-related hacks which happen under the radar.
Moreover, the ongoing dependence on passwords is becoming a significant business expense because of the complexity of managing them. As businesses grow, so does the number of passwords they must secure, each tied to different access rights and maintenance activities. The associated costs are considerable — businesses worldwide spend an average of US$1 million annually on managing passwords — making it more than just an IT problem.
Transitioning to passwordless
The answer lies in passwordless authentication, a technology that eliminates passwords entirely by relying on public-key cryptography. With this system, the user’s device stores a private key, while the corresponding public key is stored by the service provider. When a user attempts to log in, their device uses the private key to sign a challenge from the server, verifying their identity without transmitting a password.
Passwordless authentication is significantly more secure than traditional methods. Unlike passwords, which can be easily stolen or phished, the private key is stored on the user’s device and cannot be intercepted or replicated. This reduces the attack surface for hackers, as there are no passwords stored in databases that can be compromised. Additionally, because the user never enters a password, there is no risk of using weak or reused passwords, which are common entry points for attacks.
In CIAM circles, there’s lively discussion about whether passkeys — FIDO-compliant credentials stored on a user’s device and unlocked with on-device biometrics — should fully replace passwords. While passkeys still rely on public-key cryptography, they differ from ‘MFA-plus-password’ models because they eliminate the knowledge factor altogether. This distinction matters: passkeys remove phishing risk entirely, because the credential is bound to the legitimate site’s origin and never leaves the device, and they streamline log-ins, but they also require careful device-management and recovery policies to avoid lock-out scenarios.
Operational success in a passwordless world
Successfully adopting passwordless authentication goes beyond technology and requires strategic adjustments to IT operations. Once passwordless systems are in place, businesses must ensure their identity and access management strategies remain robust and adaptable. Real-time visibility into authentication patterns and access requests will be critical to detecting potential breaches early and ensuring compliance.
One of the primary challenges will be ensuring seamless access across multiple devices. With more employees working remotely — 36% of employed Australians worked from home in 2024, up from just 5% in 2016 — businesses need to ensure that authentication solutions are flexible and secure on every device, whether it’s a smartphone, laptop, or other connected device. This also means that businesses must have a detailed understanding of how employees interact with their devices and systems, enabling them to proactively manage access and identify any unusual patterns.
Another consideration is scalability. As organisations grow, their cybersecurity strategies must grow with them. Businesses that adopt passwordless authentication will need to continuously refine their systems, ensuring they scale to accommodate more users and devices while maintaining a high level of security. This means regular system updates, ongoing education, and adapting to emerging threats.
Passwordless authentication is also more cost-effective than traditional methods. Without the need for extensive password management tools, helpdesk support, or security training, businesses can reduce overhead costs. Employees also experience fewer interruptions due to forgotten passwords, resulting in a more efficient workforce. This creates a more agile organisation, able to respond to business needs faster.
Australia’s opportunity to lead
The benefits of passwordless authentication are clear: it reduces the risk of breaches, improves operational efficiency, and creates a smoother user experience. By embracing passwordless authentication, Australian companies can differentiate themselves in the global marketplace, attract top talent, and build trust with customers who expect security in every interaction.
However, this transformation will require decisive action. Businesses must not only invest in the necessary technology, but also commit to cultural and operational change. Education will be key, as employees and customers alike need to understand the benefits and implementation of passwordless solutions.
By embracing this new frontier, Australia can build a more secure and resilient digital economy, one that’s ready for the challenges of tomorrow.