VicRoads to phase out passwords in favour of passkeys

VicRoads is set to phase out passwords for its registration and licensing services as part of an effort to strengthen cyber security and streamline access for its 5 million users.

VicRoads' Igor Gjorgjioski at the AWS Public Sector Symposium

The consortium-run organisation has begun rolling out passkey authentication across its digital platforms, including the myVicRoads web portal, myVicRoads app, and myLearners app, with plans to replace the current multi-factor authentication (MFA) method.

The rollout is part of a phased approach, with VicRoads planning to mandate the adoption of passkeys by the end of 2025 and start removing passwords entirely from 2026.

Speaking at AWS Public Sector Symposium in Canberra, VicRoads’ head of digital channels and platform enablement Igor Gjorgjioski said rising telco costs, driven by users opting for SMS-based MFA, were a key driver behind the shift, alongside strengthening overall security posture.

“There have been many account breaches in Australia in past years, and passkeys are actually helping to improve security posture and protect customer accounts by being an efficient [attack] resistance and a form of MFA by design,” he said.

“Passkeys are way faster and provide a high-volume success rate, and most importantly, for our business, passkeys saved a lot of costs, as they are much cheaper in terms of operational costs compared to SMS one-time passwords in large-scale applications and organisations like ours.”

Improving the user login experience was also a key consideration, particularly given that VicRoads manages registrations for over 6 million vehicles.

“Passkeys help us to be more customer-centric, especially at a crucial point in the customer journey - when they log in,” Gjorgjioski said.

Three key considerations

Passkeys are essentially passwordless authentication methods that use biometrics on a person’s device, such as Touch ID, to authenticate a user.

VicRoads’ passkey solution is built on its existing Amazon Cognito identity and access management (IAM) platform.

The system is hosted within AWS’s cloud infrastructure, with the architecture supporting both passkeys and MFA that is synchronised using AWS Amplify SDKs across platforms.

Meanwhile, services such as AWS CloudHub, GuardDuty, CloudTrail, and SecurityHub provide integration, threat detection, activity logging and security management.

Before embarking on the project, VicRoads evaluated three critical factors.

The first, according to Gjorgjioski, was minimising disruption to users by avoiding a large-scale data migration or forced password resets.

The second was compliance with data sovereignty laws and, therefore, ensuring all data remains within Australia.

The final consideration was whether to adopt a commercial off-the-shelf solution or build a bespoke system in-house.

“We know that [building a custom solution] is resource-intensive, and we know that the standards are evolving, and we have to have someone to update all of that all the time,” Gjorgjioski said.

Conversely, though, Gjorgjioski was wary of introducing another vendor into VicRoads’ infrastructure with a new commercial product.

“However, we landed on an ideal solution and that was to partner with AWS and deliver [passkeys] on top of our Amazon Cognito IAM,” he said.

“We had a lightweight integration; prebuilt frontend components based on JavaScript that we can implement in our web and app, and a rapid adoption opportunity.”

A phased rollout

With the solution and infrastructure selected, VicRoads began scoping the transition to passkeys through an internal pilot “with hundreds of participants” - including the organisation’s CEO - over a month.

Overall, Gjorgjioski said: “Everybody loved passkeys, especially the simplicity, which was key to the success of a project.”

Using feedback from the pilot, VicRoads made improvements to the solution’s communication cues and user interface before beginning the rollout on its web-based channels at the beginning of this year.

According to Gjorgjioski, the organisation deliberately avoided a “big bang rollout".

“We didn't want to go fully out, and we wanted to make sure that customers are not overwhelmed or they're not surprised by what they're seeing the next time they're logging on to our website,” he said.

As such, Gjorgjioski’s team phased the rollout by operating system, starting with iOS, followed by Android and finally Windows, reaching an activation rate of 60 percent as of August.

In July, VicRoads then expanded the launch to its myVicRoads and myLearners applications, which, within less than a month, hit an adoption rate of 80 percent.

This, Gjorgjioski explained, was due to passkeys being “natively built” into mobile apps.

As of now, VicRoads has more than 1.6 million customers using activated passkeys.

Over the past seven months, the organisation has reduced password reset requests by 20 percent, while improving login speed by a factor of five compared to traditional MFA, he said.

Completely passwordless

With strong early adoption of passkeys, VicRoads is now looking ahead to the next phase: gradually phasing out passwords altogether.

The first step on this roadmap will come when passkey adoption hits critical mass, after which VicRoads will “mandate passkeys over any other authentication method”, Gjorgjioski said.

“Obviously, we want to go completely passwordless for maximum customer security and minimum data hold for us because less sensitive data to steal,” he said.

One way VicRoads plans to encourage adoption is by making passkeys the default verification method during account sign-up, thereby replacing traditional passwords from the outset.

The organisation is also developing new account recovery workflows built around facial recognition technology.

“If for some reason, you've been locked out of your account and haven’t set up the passkey, or you've changed your device, what we'll do is we'll encourage you to either use or download the app. That will ask you to provide an account credential, that can be a digital driver's licence number, phone number or an email.”

“Then, we'll do a face recognition and liveness check upon the account, so we can verify the image in the backend.”

He added that the entire recovery process would be handled within the app, removing the need for customers to contact support services.

With these adjustments in place, Gjorgjioski said VicRoads plans to start phasing out passwords from next year.

Measures to aid this process will include automated rules that prompt users to remove their passwords once passkeys are consistently in use.

Eleanor Dickinson attended the AWS Public Sector Symposium in Canberra as a guest of AWS.