Tips & pitfalls to avoid when setting up passkeys for myGov

Australia’s government services portal, myGov, is one of the first digital government services in the world to implement passkeys. Passkeys are more secure than passwords for two reasons. Firstly, they are phishing-proof. Secondly, because there is no shared secret (a password) between the website and the user, a data breach at the website does not require passkey users to change anything about how they authenticate.

Logging in with a passkey is also far more convenient than a password. Only 1 click is involved when signing in with a passkey: at the myGov login page, click on “Sign in with passkey”, then show your face or fingerprint to your device and you will be magically logged in.

[Image: the myGov “Sign in with passkey” button]

There is no need to mess around with typing in passwords and multi-factor authentication (MFA) codes. Underneath the deceptively simple convenience, your device and the website are performing a machine-to-machine cryptographic challenge-response protocol to authenticate you. Your device will only perform this protocol if the domain of the website matches the domain the passkey was created for, which means a phishing website cannot deceive your device.

But to take advantage of what passkeys offer, you have to set one up. To do so,

  • Sign in to myGov with your password and MFA.
  • Under “My account”, click on “Account settings”.
  • Under “Passkeys”, click on “Manage”. You may need to authenticate in this step.
  • Click on “Create passkey” and follow the prompts.

Tips

Below are some tips that will make your life much easier in future.

Turn off the password after you create the passkey

After you create a passkey, myGov will give you the option to turn off the password for signing in.

The whole point of passkeys is to eliminate passwords to increase your cybersecurity. So, I would do that.

Up to 3 passkeys can be stored

myGov allows you to create and store up to 3 passkeys. This is useful if you want to keep 3 different passkeys on 3 different platforms for your convenience.

For example, you can create each passkey in your

  • Apple iCloud Keychain on your iPad
  • Google Password Manager on your Android phone
  • Windows PC

This way, you can conveniently log into your myGov account on all 3 devices. Otherwise, to log in on a device that does not hold the passkey (e.g. a Linux PC), you will need to scan the QR code it displays with a device that does hold the passkey (e.g. your Android phone). You can still sign in, but it is very troublesome.

When to remove a passkey from your myGov account

When you remove a passkey from your myGov account, it can no longer be used to sign into your account.

This is very important for your cybersecurity. For example, if a passkey is stored on your work Windows laptop and you need to return that laptop to your corporate IT department, remove that passkey from your myGov account first so that it can never be misused to sign in to your myGov account.

Descriptive Label

After you create a passkey, myGov allows you to give it a more descriptive label. To do that, click on the “Edit” button next to the passkey and change the label to something more meaningful.

What label should you give a passkey?

The label should describe where the passkey is stored. For example, if the passkey is stored in your Apple iCloud Keychain, give it the label “iCloud Keychain”. If you store the passkey in Bitwarden, give it the label “Bitwarden”. If the passkey is stored on your work Windows laptop, give it a label like “XYZ Company Windows laptop”.

Giving your passkeys descriptive labels will make your life much easier in future when it comes to managing the passkeys associated with your myGov account. In the example above, if you need to remove the passkey stored on your work Windows laptop, you will know which one to remove from your myGov account. You can only do that with confidence if your passkeys have descriptive labels.

You only need 1 passkey if it is synced

For example, if you have multiple Apple devices (e.g. iPhone, iPad and MacBook), you only need 1 passkey. You do not need a separate passkey for each device, because Apple syncs that 1 passkey across all your Apple devices through iCloud Keychain.

Similarly, if you use Bitwarden to store your passkey, you only need 1 passkey. Bitwarden syncs that 1 passkey across all your devices that use the same Bitwarden account.

Pitfalls to avoid

Here are the pitfalls to avoid when using passkeys:

Windows 11 does not sync passkeys!

Currently, unlike Apple and Google, Microsoft’s Windows 10/11 does not offer a cloud-syncing solution for passkeys. If you store a passkey on your Windows 10/11 machine, it stays on that machine. That passkey cannot be exported or backed up. While this is good for cybersecurity, it also means that if your Windows machine is lost or damaged, or the operating system is reinstalled, that passkey is lost forever. So if your myGov account has only 1 passkey and it is the one stored on your Windows laptop, you will not be able to log into your myGov account!

Don’t throw away your password!

Even if you disable your password for signing in, you still need your password to manage your passkeys. So do not throw it away (or forget it) yet!

If your device has no biometrics, passkey login will fail

Due to a quirk in the WebAuthn specification and myGov’s implementation, if you create a passkey on a device with biometrics and then use that passkey on a device without biometrics, the passkey sign-in will fail.

For example, say you create a passkey on your iPhone, secured with Face ID. You can sign in to your myGov account on your iPhone with that passkey. That passkey is then synced to your Mac Pro or Mac mini via iCloud Keychain. Since the Mac Pro and Mac mini do not have any biometrics, if you try to sign in to myGov on one of them with the same passkey, it will fail.

In this situation, you have a few solutions:

  • Set up your myGov account with myGovID and use the “Sign in with Digital Identity” option instead of a passkey.
  • Get a hardware security token like the YubiKey and create a separate passkey on it.
  • Get an Apple Magic Keyboard with Touch ID to give your machine biometrics capability.

This is a problem that only myGov can fix, by making changes on their end.

Remove the secret questions

As I wrote in my book, I have disdain for using answers to secret questions for cybersecurity purposes. They are weak links in your cybersecurity. They should be abolished.

I would suggest that you remove as many of them as possible. Unfortunately, myGov does not allow you to remove all of them. For the ones that remain, I recommend that you turn the answers into random passwords and store them in your password manager.

To do that, go to “My account” > “Account settings” and click the “Manage” button under “Secret questions”.

Conclusion

I am mostly pleased with myGov’s implementation of passkeys. It is the best implementation of passkeys I have ever seen.

My only critique is that the answers to secret questions should be abolished, or at least users should be allowed to remove all of them.

For the paranoid

If you are an advanced user, you may want to store your myGov passkeys on hardware security tokens like the YubiKey. Make sure you create multiple passkeys stored on multiple tokens and label them descriptively.

While it is less convenient, it certainly will increase your cybersecurity even further.

