The ability to manage access permissions and prove someone truly is who they present to be has never been more important.
With Gartner finding the average desk worker logs on to 11 applications to complete their tasks, ensuring that only the right people are connecting with the right information sources has never been more critical.
As CSIRO CISO Jamie Rossato notes, “Anyone who's been in cyber as long as I have will know that it's important to understand who has access to what systems and what data and what resources. Is that appropriate? Is it expected? And is it within a context that's within appetite?”
The market for Identity and Access Management (IAM) solutions is already big business, with Fortune Business Insights estimating its value at US$19.8 billion ($31.0 billion) in 2024, but growing to US$61.7 billion ($96.6 billion) in 2032.
According to Forrester’s vice president and principal analyst for security and risk management, Andras Cser, much of that investment has been driven by concerns regarding fraud.
“The security aspects of identity have been shrinking, and user management aspects are increasing,” Cser said.
One of the key areas for investment has been into passwordless access solutions. The market for passwordless security technology is already estimated by Fortune Business Insights to be worth US$18.8 billion ($29.4 billion) in 2024 and growing to reach US$60.3 billion ($94.4 billion) by 2032.
According to Cser, there is a general movement away from anything password-based in favour of solutions based on the FIDO2 open standard for multifactor passwordless authentication, such as passkeys and one-time links.
“Passwords have run their course – they can be snooped, reverse engineered, written down, and the list goes on,” Cser said. “So what happens is that organisations silently deprioritise the password.”
While the overriding driver of growth in passwordless adoption is greater security, Cser said this didn't mean that adoption of passwordless technology comes without some resistance.
“It is almost always about customer experience,” Cser said. “Marketing people and salespeople don’t want to disturb the customer experience, so you have to do a lot of pilots and AB testing. Lots of organisations are happier to eat the costs of fraud loss than disturb the customer journey in large scale.”
The challenge of moving beyond passwords has been made more difficult thanks to one high-potential technology – biometrics – having fallen out of favour for many applications, thanks to rapid advances in AI creating the ability to mimic voiceprints and other biometric markers.
“(Biometrics) are almost always great for customer experience – especially facial,” Cser said. “The problem is in digital channels with deepfakes. But in a physical location, like an airport, then facial biometrics is a different story.”
The challenges of IAM aren’t just restricted to the human realm. Cser said one of the growing areas of activity was in Non-Human Identity (NHI) authentication, thanks to the rapid adoption of machine-to-machine communication, as well as programmatic and API-based calls. Interest in this technology would continue to grow as organisations adopted agentic AI systems, which could lead to complex and high-value interactions taking place with minimal human oversight.
“There is a huge need for privileged and machine identity management in the agentic AI conversation,” Cser said.
But while the interest in IAM was high, Cser said the rapid evolution of supporting technologies meant the challenges of migrating to new technology should not be underestimated.
“There are no upgrades in IAM.” - Andras Cser, vice president and principal analyst for security and risk management, Forrester.
“When you migrate from an old solution to a new one it is a complete implementation. Any IAM tool needs to talk to a lot of very diverse endpoints and integrations with directories and custom applications - you have to create connectors and integrations between the IAM solution as well as all the endpoints.”
UNSW is advancing an IAM strategy to support its growing ecosystem that includes external research partners, prospective students, and commercial organisations accessing university systems and educational resources.
Building on a successful implementation of single sign-on (SSO) and multi-factor authentication (MFA), the university is now focused on implementing a contemporary identity governance and administration (IGA) platform to streamline access management while maintaining strong security controls.
“Our priority is to provide seamless, secure access without adding complexity,” UNSW’s chief information security officer Derek Winter said.
“This next phase enhances automated provisioning, role-based access controls, and lifecycle management, ensuring users get the right level of access at the right time—securely and efficiently.”
By modernising its technology and automating processes, the university is enabling frictionless collaboration while safeguarding its digital assets.
“Strong identity governance is key to supporting our strategic growth and ensuring a trusted digital experience for all users.” - Derek Winter, CISO, UNSW.
Two of 12 key initiatives outlined in SA Power Networks’ recently released cyber security strategy for 2025-2030 [pdf] focus on identity: enhancing identity and access controls, and identity management. Already, the timeline for this work has been moved forward, compared to the dates in the strategy, reflecting the rapidly evolving threat landscape.
“We've got about 12-to-18 months of identity work that we’d planned to do, but had originally pushed into the second half of the strategy. We're now bringing it way forward,” head of cyber security and IT resilience Nathan Morelli said.
“We've got to shuffle initiatives around based upon incidents and what we’re seeing.”
In the previous five-year period, SA Power Networks - among other activities - embedded identity as a core capability of its cyber security function. “We integrated and embedded that capability into the team,” Morelli said.
The company’s identity infrastructure comprises SailPoint Technologies, Ping Identity and Microsoft Active Directory (AD), although Morelli said AD administration is highly automated. “We try to automate as much of the role allocation and role governance process as we can.”
Among the work, SA Power Networks is looking to “decentralise a lot of access management” to system and data owners, considering them to be best-placed to understand who needs what level of access. Cyber security would maintain a governance and education role in that model.
For Melbourne Airport’s head of cyber security Cheuk Wong, the focus is on both physical and system access controls.
“We have four terminals and a whole bunch of supporting infrastructure, and an access control system that manages physical access across the entire precinct,” he said.
“If that access control system were to go down, then we can't control access to critical areas of the airport.
“You don't want people breaking the system, changing access, or people giving access to different areas that may be sensitive to the airport.”
Wong said that controlled access to IT systems and applications is also a key area of focus.
“We've got automation so that when our HR system says an individual will be leaving the business at the end of the month, their account is terminated, cutting off access immediately. That removes the risk of any access being left over,” he said.
“We plan to grow that system and then build more automations from a security and an efficiency perspective.”
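As an added illustration of the HR-driven deprovisioning Wong describes above (and the lifecycle management UNSW's Winter refers to), and not code from either organisation: a small reconciliation of a constructed HR feed against a constructed directory export that flags accounts still enabled after their owner's last day, accounts with no HR owner at all, and leavers whose cut-off is still pending. Field names and sample records are assumptions made for the example.

```python
from datetime import date

# Constructed sample HR feed (assumed field names): employee id, status, last working day.
HR_FEED = [
    {"emp_id": "E100", "status": "active",     "last_day": None},
    {"emp_id": "E101", "status": "terminated", "last_day": "2025-05-31"},
    {"emp_id": "E102", "status": "terminated", "last_day": "2025-07-31"},
]

# Constructed sample directory export: account name, owning employee id, enabled flag.
DIRECTORY = [
    {"account": "asmith",  "emp_id": "E100", "enabled": True},
    {"account": "bjones",  "emp_id": "E101", "enabled": True},   # leaver, still enabled
    {"account": "cwu",     "emp_id": "E102", "enabled": True},   # leaves later this month
    {"account": "svc-old", "emp_id": "E999", "enabled": True},   # no HR record: orphan
    {"account": "dlee",    "emp_id": "E101", "enabled": False},  # already disabled, ignore
]

def find_leftover_access(hr_feed, directory, today_iso):
    """Reconcile directory accounts against the HR feed as of today_iso.

    Returns (to_disable, orphans, scheduled):
      to_disable - enabled accounts whose owner's last day has already passed
      orphans    - enabled accounts with no matching HR record at all
      scheduled  - (account, last_day) for leavers whose last day is still ahead
    """
    today = date.fromisoformat(today_iso)
    hr = {rec["emp_id"]: rec for rec in hr_feed}
    to_disable, orphans, scheduled = [], [], []
    for acct in directory:
        if not acct["enabled"]:
            continue                      # nothing left over to remove
        rec = hr.get(acct["emp_id"])
        if rec is None:
            orphans.append(acct["account"])   # nobody in HR owns this account
            continue
        if rec["status"] != "terminated":
            continue                      # current staff keep their access
        last_day = date.fromisoformat(rec["last_day"])
        if last_day < today:
            to_disable.append(acct["account"])         # access outlived the leaver
        else:
            scheduled.append((acct["account"], rec["last_day"]))
    return to_disable, orphans, scheduled

if __name__ == "__main__":
    disable, orphans, pending = find_leftover_access(HR_FEED, DIRECTORY, "2025-07-10")
    print("disable now:", disable)
    print("orphaned accounts needing an owner:", orphans)
    print("scheduled cut-offs:", pending)
```

Run against a real HR feed and directory export, the first two lists are the "leftover access" the automation is meant to prevent; the third is the queue the automation should act on at end of day on the last day.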
At the University of Queensland, IAM is viewed “as a business function and a business enabler, rather than purely as a security control,” according to director of cyber security and AUSCERT director David Stockdale.
“It is a foundational cornerstone of security, and we are currently working with the identity team to refresh our capability in this space and bring a stronger level of control into the authentication and authorisation,” he said.
“A good identity management capability is the foundation on which we will build a zero trust type architecture, in line with what the Australian Cyber Security Centre is recommending to many of the critical infrastructure providers in the country.”
He added: “I'm excited at the proposed improvements in our identity and access management service, as this will really enable us to develop that zero trust approach to security.”
NAB is expecting to phase out passwords for internet banking within the next five years, replacing them with passkeys and biometric recognition technology.
This process has already started at its digital-only bank Ubank. Since June 2024, Ubank’s new-to-bank customers have used passkeys to log into its banking app.
The technology is now being rolled out to existing Ubank customers as well, who now have the option to set up passkeys via their security settings.
Outgoing Ubank CEO Philippa Watson told a recent summit that while it will take some time for people to understand passkeys technology, Ubank "has seen a 90 percent uptake among its digitally active customers, who are now using passkeys as their preferred login method.”
“We’re seeing passkeys used more and more across large tech companies, some government agencies are using it, and I think there are a number of banks that have indicated that that’s the direction that they’re going as well,” she said.
The 2025 State of Security sponsors have worked tirelessly to improve the safety of end user organisations.
We are proud to present this year's State of Security champions, and showcase the work they do.