4iT IT Support Sydney | Your Reliable Sydney IT Support Partner


Passkeys for Australian SMEs: a practical 2026 rollout guide

May 4, 2026

Passkeys are FIDO2-based phishing-resistant credentials that replace passwords for sign-in. They’re now mainstream across Microsoft 365, Google Workspace, all major Australian banks, and most enterprise SaaS, and represent a meaningful security upgrade over password+SMS or password+TOTP authentication. For Australian SMEs in 2026, the practical question isn’t whether to adopt passkeys but how to roll them out without breaking the workforce. The straightforward path: enable passkeys alongside existing MFA on Microsoft Entra and Google Workspace, train staff to enrol their devices as passkey authenticators, and gradually phase out SMS-based MFA over 6-12 months.

Key facts

- Passkeys are based on the FIDO2 / WebAuthn standards and replace passwords with cryptographic keys stored on the user’s device.
- Passkeys are phishing-resistant: a passkey for one site cannot be used on a fake version of that site, unlike passwords or even TOTP codes.
- Microsoft, Google, Apple, and the four major Australian banks all support passkeys as of late 2025.
- Microsoft Entra (formerly Azure AD) supports passkeys for Microsoft 365 sign-in via the Microsoft Authenticator app or hardware keys.
- SMS-based MFA is deprecated in security guidance from ASD, NIST, and most security frameworks; passkeys are the recommended replacement.
- Passkey adoption requires device-level support: iOS 16+, Android 9+, Windows 10/11 with Windows Hello, or macOS Ventura+.

What is a passkey and how is it different from a password?

A passkey is a cryptographic credential pair: a public key registered with the service you’re signing into, and a private key that stays on your device. When you sign in, your device proves it has the private key without ever sending it. There’s no password to type, no code to enter, no shared secret that can be phished.

Passkeys solve the two biggest problems with passwords. They can’t be reused across sites (each passkey is unique to one service), and they can’t be phished by a fake version of the legitimate site (the cryptographic challenge only works against the genuine domain).

From a user perspective, a passkey sign-in looks like a Touch ID, Face ID, or Windows Hello PIN prompt. The user proves they’re physically present with their device, and the device handles the cryptographic conversation with the service. No typing of long random strings, no fishing through SMS messages.

Why are passkeys better than password plus MFA?

Most SMEs in 2026 use password + MFA via SMS, a TOTP authenticator app, or push notification. Each of these has known phishing-vulnerable failure modes.

SMS MFA can be phished via real-time relay attacks (the attacker collects the password and SMS code and uses them within seconds), bypassed via SIM swap fraud, or intercepted via SS7 telecom vulnerabilities. ASD’s guidance has discouraged SMS MFA for sensitive accounts since 2022.

TOTP codes from Google Authenticator or similar are phished the same way SMS codes are: a malicious site asks for the password and the code, then uses both immediately on the legitimate service.

Push notifications are slightly better but vulnerable to MFA fatigue attacks (the attacker spams the user with login prompts until the user accidentally approves one). Microsoft introduced number matching to mitigate this, but it’s still possible.

Passkeys close all of these attack paths. The cryptographic challenge is bound to the legitimate domain, so a phishing site can’t generate a valid prompt. There’s nothing for the user to “type wrong” or accidentally approve. The credential is never transmitted, even encrypted, so SS7 or SIM swap attacks don’t apply. For SMEs with valuable data, the upgrade is genuinely meaningful.

How do you roll out passkeys for a Microsoft 365 SME?

For Microsoft 365 environments (which cover the bulk of Australian SMEs), the rollout sequence is well-defined.

1. Enable passkeys in Microsoft Entra. In the Microsoft Entra admin centre, under Authentication methods, enable Passkey (FIDO2) for the relevant user groups. Microsoft Authenticator can act as a passkey authenticator on iOS and Android devices, and physical FIDO2 keys (YubiKey, Feitian) work for hardware-key scenarios.

2. Pilot with technical staff first. Roll out to IT, security, and one or two engaged users from each business team. They’ll discover the edge cases (legacy applications, third-party SaaS that doesn’t yet support passkeys, devices that fail to enrol) before the broader rollout.

3. Update Conditional Access policies. Configure Entra Conditional Access to require a passkey for high-risk sign-ins, sensitive applications, and admin accounts. Keep password+MFA as a fallback during the transition. Once passkey adoption is high, tighten policies to require a passkey for the full user population.

4. Communicate and train. Most users adapt quickly to passkeys (they’re easier than passwords once enrolled), but the enrolment moment needs explanation. A 5-10 minute walkthrough video, plus desk-side support during the rollout week, makes the difference between a smooth rollout and a frustrated workforce.

5. Phase out SMS MFA. Once 80%+ of users have enrolled at least one passkey, start the SMS MFA deprecation. Some users will need exceptions (devices that don’t support passkeys, legacy applications), but the goal is to get SMS-based authentication off the standard path within 12 months.

What are the practical challenges of passkey rollout?

Three real-world challenges catch SMEs off guard.

Cross-device sync. Passkeys can sync across a user’s devices via iCloud Keychain (Apple), Google Password Manager (Android), or Microsoft Authenticator (cross-platform). The challenge is that users mixing ecosystems (iPhone with Windows desktop, or Android with Mac) sometimes have surprising sync gaps. The pragmatic answer is to enrol two passkeys per user, one per primary device, rather than relying on sync.

Shared accounts. Passkeys are designed for individual users, not shared accounts. SMEs that have a shared “info@” or “accounts@” mailbox accessed by multiple staff need to migrate to delegated access (Microsoft 365 shared mailboxes) before rolling out passkeys, or maintain a fallback authentication method for those accounts. Most organisations should be doing this anyway, since shared passwords are a security and audit problem regardless.

Account recovery. If a user loses their passkey-enrolled device and has no backup authenticator, they’re locked out. The

Cyber insurance for Australian SMEs in 2026: what insurers expect

April 30, 2026

Australian cyber insurance underwriting has tightened significantly through 2024 and 2025, and most insurers will now decline cover or apply ransomware sub-limits to SMEs that don’t have multi-factor authentication, EDR on every endpoint, immutable backups, and basic Essential Eight maturity. Premiums have stabilised after the 2022-23 spike, but cover is more conditional. The “tick-and-flick” application form has been replaced by detailed technical questionnaires and, for higher cover, evidence of controls. SMEs that haven’t invested in security controls increasingly find that cyber insurance is either expensive or unavailable.

Key facts

- Australian cyber insurance premiums increased 50-100%+ between 2021 and 2023, driven by ransomware loss ratios; pricing has stabilised through 2024-2025.
- Most insurers now require MFA on email and admin accounts, EDR on every endpoint, and immutable or offline backups as minimum underwriting conditions.
- Ransomware sub-limits (cover capped well below the policy aggregate) are now common, particularly for SMEs without strong controls.
- War exclusions following Lloyd’s market changes have tightened, with state-sponsored attack scenarios sometimes excluded entirely.
- Reporting under the Cyber Security Act 2024 is now a policy condition for many insurers; non-reporting can void cover.
- Insurers increasingly request third-party security attestations (Essential Eight maturity assessment, ISO 27001, cyber security ratings) for cover above AU$1 million.

What is cyber insurance and what does it cover?

Cyber insurance covers financial losses and third-party liabilities arising from cyber incidents: ransomware, business email compromise, data breaches, business interruption following an attack, regulatory investigation costs, customer notification expenses, and legal liability arising from data exposure. Specific cover varies by policy, but most Australian SME cyber policies include first-party costs (incident response, forensics, business interruption) and third-party liability (claims by customers or regulators).

What cyber insurance typically does not cover: pre-existing breaches not yet discovered, intentional acts by directors and officers, war and terrorism (where excluded), failure to maintain stated security controls (where the application form misrepresented the actual position), and claims arising from countries on sanctions lists.

For Australian SMEs, typical 2026 policy aggregates run from AU$500,000 to AU$5 million for small and mid-market businesses, with annual premiums anywhere from AU$3,000 to AU$50,000+ depending on revenue, sector, controls, and claims history.

Why is cyber insurance harder to get in 2026?

Three forces have reshaped the market over the past four years.

Ransomware loss ratios. Cyber insurers paid out aggressively on ransomware claims in 2020-2022, with global loss ratios in the 70-90% range across multiple years. The market response was inevitable: tighter underwriting, sub-limits on ransomware specifically, premium increases, and refusal to cover applicants without baseline controls.

State-sponsored attribution complexity. Following the 2022 Lloyd’s market bulletin requiring revised war exclusions, most insurers tightened the language around state-sponsored attacks. The practical effect is that some major incidents that would have been covered in 2020 may now fall under the war exclusion, particularly if attribution to a state actor or state-sponsored group is established.

Evidence-based underwriting. Insurers learned that application forms self-attesting to security controls didn’t predict claims accurately. The current generation of underwriting uses external security ratings, Essential Eight maturity assessments, and detailed technical questionnaires that are harder to bluff. Several insurers will require external scans of the applicant’s public-facing infrastructure as part of the application.

What controls do cyber insurers require for SMEs in 2026?

The required controls vary by insurer, but a common 2026 baseline for Australian SME cyber cover is:

MFA on email, remote access, and admin accounts. This is universal. No serious insurer will issue cyber cover to an SME without MFA on Microsoft 365 or Google Workspace, on remote access (VPN, RDP, RMM), and on privileged accounts. Some insurers now also require MFA on customer-facing portals and finance system logins.

EDR or next-generation antivirus on every endpoint. Traditional signature-based AV no longer satisfies most underwriting requirements. The expectation is behavioural detection (Sophos Intercept X, Microsoft Defender for Endpoint, SentinelOne, CrowdStrike) rather than signature matching.

Immutable or offline backups. Insurers want evidence that ransomware can’t encrypt or delete the backups. The technical bar is typically immutable backups (Proxmox Backup Server with immutability, Veeam with hardened repositories, cloud backup with object lock) or air-gapped backups, with documented restore testing.

Email security and phishing awareness. Email gateway protection (Mimecast, Microsoft Defender for Office 365), phishing simulation training, and DMARC/DKIM/SPF properly configured. Around 85% of Australian SME cyber incidents start with email.

Patching discipline. Some insurers ask for evidence of patching cadence, particularly for internet-facing systems. Patching critical vulnerabilities within 14 days of vendor release is becoming common as a written requirement.

How does Essential Eight maturity affect cyber insurance?

The ASD Essential Eight has become a useful shorthand for cyber maturity in Australian insurance underwriting. Insurers don’t necessarily require formal Essential Eight assessments, but most ask questions that map directly onto the eight controls: application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups.

For SMEs, hitting Maturity Level 1 across the Essential Eight typically satisfies most underwriting requirements. Maturity Level 2 (still affordable for an SME) typically improves premium pricing or unlocks higher cover. Maturity Level 3 is largely an enterprise concern but is a strong signal to underwriters.

For SMEs servicing government clients or regulated industries, an Essential Eight maturity assessment is increasingly contractually required, separately from cyber insurance. Doing the assessment once and using it for both insurance and customer due diligence is efficient.

What should an SME do before applying for cyber insurance?

Six practical steps that improve both insurability and security posture.

1. Document your controls before the application form arrives. Insurers ask the same 50-100 questions about MFA coverage, EDR deployment, backup architecture, patching cadence, and incident response plans. Writing these answers down once, accurately, is a one-week project that pays back across multiple insurance applications.

2. Close the obvious gaps before applying. If MFA isn’t on every email account, fix that first. If admin accounts are still using shared passwords, fix that. If
