ChannelLife Australia - Industry insider news for technology resellers
Geoff Schomburgk

Why Australian superannuation funds need to prioritise security for their customers with strong MFA

Thu, 19th Feb 2026

Superannuation is one of Australia's most trusted financial systems, with more than $3.7 trillion in assets under management. Yet as the sector's digital footprint expands, so too does its exposure to increasingly sophisticated cyber threats, such as phishing. Several high-profile breaches in 2025 have highlighted the vulnerability of Australians' retirement savings to credential theft and identity fraud.

Last year, a major cyberattack on Australian superannuation funds resulted in hundreds of thousands of dollars being stolen by hackers who used compromised passwords from six funds, including Australian Retirement Trust, AustralianSuper, Hostplus, Rest, and Insignia. Cybercriminals exploited weak or reused credentials to gain unauthorised access to customer accounts. This type of attack could have been prevented if modern phishing-resistant authentication had been mandated.

This highlights the urgent need for stronger digital defences across the financial services ecosystem. Superannuation funds hold not only vast sums of money but also sensitive personal data, making them a lucrative target. Despite these risks, many superannuation funds still rely on outdated two-factor authentication methods that provide only a thin layer of protection against today's sophisticated threats.

Modern cyber attacks are no match for passkeys

Despite their vulnerabilities to modern attacks like phishing, many businesses continue to rely on legacy multi-factor authentication methods, such as SMS-based one-time passcodes (OTPs). These weak authentication methods can be intercepted through SIM swapping, phishing or man-in-the-browser malware, all of which are now common techniques used by cybercriminals to bypass legacy MFA.

Knowing these flaws, global momentum behind passwordless authentication and passkeys is growing rapidly, but Australian superannuation funds have been slow to adopt them, and many still depend on the same legacy SMS-based OTPs.

Passkeys, on the other hand, offer modern, phishing-resistant authentication that eliminates the reliance on passwords and the vulnerabilities they introduce. The result is a faster, safer and more user-friendly login experience that matches the expectations of today's digital consumers. 
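As an added illustration of why passkeys are described above as phishing-resistant (example code written for this article, not the author's or any fund's), the checks below are the relying-party side of a WebAuthn login: the browser binds the response to the page's real origin and RP ID, so a response captured on a look-alike domain fails verification at the fund's server. The domain names and challenge value are constructed, and the signature check over the response is assumed to follow these checks.

```python
import hashlib
import json

# Constructed relying-party identity for this example (not a real fund's domain).
RP_ID = "example-super.au"
EXPECTED_ORIGIN = "https://example-super.au"


def make_authenticator_data(rp_id: str, user_present: bool = True) -> bytes:
    """First 37 bytes of WebAuthn authenticatorData: rpIdHash || flags || signCount.
    The browser/authenticator derives rpIdHash from the page's actual domain."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (0).to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: str) -> tuple[bool, str]:
    """Relying-party checks from the WebAuthn authentication ceremony.
    The signature check over authenticatorData || sha256(clientDataJSON) is
    assumed to happen after these checks and is omitted to keep the example short."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed response)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {client_data.get('origin')!r} is not the fund's site"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the fund's RP ID"
    if not authenticator_data[32] & 0x01:
        return False, "user-present flag not set"
    return True, "ok"


def demo() -> dict:
    """Genuine login on the real site vs. a response collected on a look-alike domain."""
    challenge = "constructed-challenge-value"  # real RPs issue fresh random bytes per login
    genuine = json.dumps({"type": "webauthn.get", "challenge": challenge,
                          "origin": EXPECTED_ORIGIN}).encode()
    # Constructed look-alike domain: the browser binds origin and rpIdHash to it, so
    # the fund's server rejects the response even though the user was fooled.
    lookalike = "example-super-login.au"
    phished = json.dumps({"type": "webauthn.get", "challenge": challenge,
                          "origin": "https://" + lookalike}).encode()
    return {
        "genuine": verify_assertion(genuine, make_authenticator_data(RP_ID), challenge),
        "phished": verify_assertion(phished, make_authenticator_data(lookalike), challenge),
    }
```

Calling `demo()` returns an accepted result for the genuine login and a rejection naming the wrong origin for the look-alike one; an SMS code relayed by the same look-alike page carries no such binding, which is the gap the article describes.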

By leading the charge in passkey adoption, Australia's superannuation sector is well-positioned to strengthen its cybersecurity defences and establish a new standard for secure, convenient customer experiences. This proactive step will protect these trusted financial institutions from evolving threats and demonstrate their commitment to innovation and customer trust.

The regulatory need for stronger authentication

Regulators are increasing their focus on cybersecurity and operational resilience across Australia's financial system. Since July 1st, superannuation funds must meet higher operational risk management standards, as new requirements from the Australian Prudential Regulation Authority (APRA) have come into effect. APRA's CPS 230 standard holds financial institutions responsible for strengthening their operational risk and information security frameworks. For superannuation funds, this means demonstrating not only compliance but also proactive measures to protect member data and assets.

Modern phishing-resistant MFA, including device-bound passkeys such as security keys, directly aligns with APRA's emphasis on effective control environments and risk mitigation strategies. These tools help reduce human error and eliminate the weakest link in the security chain: passwords.

In the wake of several recent cyber incidents, boards and executives within the superannuation sector are under growing pressure to justify their cybersecurity investments. Implementing phishing-resistant MFA is one of the most tangible ways to demonstrate compliance, meet regulatory expectations and protect customer trust.

Why customer experience and security can co-exist

One persistent myth about cybersecurity is that stronger protection means more friction for users; however, passkeys challenge this assumption. By removing the need to remember complex passwords or retrieve verification codes from secondary devices, passkeys simplify the login process while significantly improving security.

For fund members accessing their superannuation accounts, often infrequently but from multiple devices, simplicity is crucial. Passkeys deliver this by enabling secure, intuitive access across devices without compromising security. This balance between usability and security is particularly valuable for older Australians or less tech-savvy users who may struggle with password resets or SMS-based verification.

The superfund employee experience also improves. Internal staff managing sensitive member data can use hardware-based passkeys or security keys to securely access systems, eliminating the risks associated with password reuse or phishing attacks. This dual benefit strengthens overall security posture while improving operational efficiency.

Building customer trust through transparency: A call to action for the superannuation industry

Trust is at the heart of Australia's superannuation system. Yet repeated data breaches and identity theft incidents have eroded consumer confidence. Superannuation funds must therefore move beyond reactive cybersecurity measures and demonstrate leadership in the proactive and transparent protection of their members.

Communicating the benefits of passkeys, such as enhanced privacy, convenience and resistance to phishing, can help rebuild that trust. When members understand that their retirement savings are protected by world-leading authentication standards, their confidence in the institution deepens. By investing in passkeys, super funds send a clear message that member security is a top priority. 

For the Australian superannuation sector, the stakes are uniquely high, both financially and reputationally, and this means passwords and SMS-based MFA are no longer sufficient. Australian superannuation companies have an opportunity to lead the way in redefining digital security for millions of Australians. By adopting phishing-resistant passkeys, they can protect members' hard-earned retirement savings, meet regulatory expectations and deliver a more secure and seamless digital experience.