What if your app could verify an Australian user’s identity without asking them to do anything at all?
No password to remember. No OTP to wait for. No code to type. The user opens the app, and verification happens in the background within seconds – across Telstra, Optus, and TPG (Vodafone).
Biometrics, passkeys, magic links, Silent Mobile Authentication – they all kill the password. But they don’t all fit the same app.
For Australian businesses losing customers to login friction and losing money to scams – A$2.74 billion in 2023 according to Scamwatch – passwordless authentication isn’t optional. With APRA CPS 234 and the Scams Prevention Framework tightening expectations, the harder question is which method fits.
Why Passwords and SMS OTP Are Failing in Australia
Passwords have been the default for decades, but they remain the weakest link in account security.
Users reuse them across services. They forget them regularly. Account takeover (ATO) fraud exploiting stolen credentials is projected to cause $17 billion in global losses by 2025. In Australia, ACCC’s Scamwatch reported a record A$2.74 billion in scam losses for 2023, with identity-driven fraud a leading category.
SMS OTP was supposed to fix this problem. It added a second factor by sending a code to the user’s phone. However, OTP introduces its own set of issues.
SIM swap fraud grew 400% between 2018 and 2022 globally, and Australian carriers have moved to tighten port-out controls in response. Attackers convince carriers to transfer a victim’s number to a new SIM, then intercept every OTP sent to that number. Beyond fraud, OTP creates friction. Nearly 47% of consumers report frustration with delayed or mistyped codes. Every extra step in the login process is a chance for the user to abandon the session.
Five Passwordless Methods at a Glance

Each method solves a different slice of the problem. A quick tour before the decision-making section.
- Biometrics: Fingerprint and facial recognition tied to the device’s secure enclave. Already familiar to Australian users through myGov and bank app sign-in.
- Passkeys (FIDO2): Cryptographic key pairs stored on the user’s device. Passkeys achieve a 93% login success rate compared to 63% for traditional passwords.
- Magic links: A unique URL sent to the user’s email. Clicking it completes the login. Simple, but depends on email delivery speed and inbox access.
- Authenticator apps: Time-based codes generated on a registered device. Strong against phishing once set up, but the manual step drives drop-off on mobile flows.
- Silent Mobile Authentication (SMA): Verifies the user’s SIM and device directly with Telstra, Optus, or TPG (Vodafone) in the background. No user input required. Works on any mobile device with an active Australian SIM.
Each method suits different contexts. The right pick depends on the app.
A Decision Framework for Australian Apps
Match the method to how your users actually use your product, not to a spec sheet. Five app archetypes cover most cases.
- Mobile-first consumer apps (Uber, DoorDash, Afterpay): Silent Mobile Authentication as primary. Friction is the binding constraint; drop-off compounds at every extra tap. Passkeys as secondary when the user is on Wi-Fi.
- High-value consumer transactions (CBA, Westpac, ANZ, NAB, crypto wallets): Layered. SMA for session verification, biometric challenge for transactions above a risk threshold – aligned with APRA CPS 234 and the Scams Prevention Framework.
- Enterprise B2B SaaS (admin consoles, developer tools): Passkeys as primary. Workforce devices support them consistently, phishing resistance matters more than zero friction, and hardware keys cover the highest-privilege accounts.
- Low-frequency consumer services (AGL, Origin, Medicare, ATO portals): Magic links are acceptable when logins are rare, and the inbox is already the notification channel. Upgrade if login frequency or fraud exposure climbs.
- Hybrid desktop-and-mobile apps (Woolworths, Coles, Atlassian): Passkeys for the account, device biometrics for returning sessions. Keep SMS OTP as a fallback rather than a primary, and plan to phase it out.
These recommendations reflect the current state of each method. As passkey support and SMA carrier coverage expand across Australia, the optimal mix will shift.
Common Passwordless Implementation Pitfalls
Most failed rollouts share the same handful of mistakes – and most are avoidable.
- Treating fallback as an afterthought. Every method fails sometimes. SMA needs cellular data; passkeys need a registered device; magic links need a working inbox. Design your fallback with the same care you give your primary – especially important for regional and remote Australia where mobile coverage varies.
- Assuming universal device support. Passkey sync works well on recent Apple and Android hardware, but breaks on older devices and some enterprise-managed endpoints. Check your device mix before committing.
- Measuring only login success, not the total funnel. A method can hit 95% on the login screen and still bleed users in recovery, device pairing, or the fallback queue. If you’re not measuring the full funnel, you’re measuring the wrong thing.
- Leaving recovery untouched. A passwordless front door with a password-style back door – security questions, reset links with no second check – inherits every vulnerability you just eliminated. Redesign recovery alongside the primary flow.
- Ignoring carrier coverage for SMA. Silent authentication depends on carrier-level integration. Coverage spans Telstra, Optus, and TPG (Vodafone) across Australia, but verify regional coverage if your users travel.
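The funnel pitfall above is easy to miss when dashboards only count the login screen. The following is an added example, not 8×8 code: it takes constructed per-attempt event records (the attempt id, primary method, stage, outcome layout is an assumption) and reports, per method, the login-screen success rate next to the completed-session rate, plus where the attempts that never completed were last seen.

```python
"""Measure the whole authentication funnel, not only the login screen.
Added example, not 8x8 code; the event records are constructed and the
field layout (attempt id, primary method, stage, outcome) is an assumption."""
from collections import defaultdict

# Constructed events: one line per stage an attempt reached.
EVENTS = """\
a1,sma,primary,ok
a1,sma,session,ok
a2,sma,primary,ok
a2,sma,session,ok
a3,sma,primary,fail
a3,sma,fallback,abandoned
a4,passkey,primary,ok
a4,passkey,session,ok
a5,passkey,primary,ok
a5,passkey,pairing,abandoned
a6,passkey,primary,fail
a6,passkey,recovery,abandoned
a7,passkey,primary,ok
a7,passkey,session,ok
"""

def parse_events(text):
    """Group (stage, outcome) pairs by attempt, keeping the primary method."""
    attempts = {}
    for line in text.strip().splitlines():
        attempt_id, method, stage, outcome = line.split(",")
        rec = attempts.setdefault(attempt_id, {"method": method, "stages": []})
        rec["stages"].append((stage, outcome))
    return attempts

def funnel_report(text):
    """Per method: login-screen success rate vs completed-session rate,
    and the last stage reached by attempts that never completed."""
    tally = defaultdict(lambda: {"attempts": 0, "screen_ok": 0,
                                 "completed": 0, "lost_at": defaultdict(int)})
    for rec in parse_events(text).values():
        t = tally[rec["method"]]
        t["attempts"] += 1
        t["screen_ok"] += int(("primary", "ok") in rec["stages"])  # screen-level view
        if ("session", "ok") in rec["stages"]:
            t["completed"] += 1
        else:
            t["lost_at"][rec["stages"][-1][0]] += 1  # stage where the user dropped
    return {m: {"attempts": t["attempts"],
                "screen_rate": round(t["screen_ok"] / t["attempts"], 2),
                "completed_rate": round(t["completed"] / t["attempts"], 2),
                "lost_at": dict(t["lost_at"])} for m, t in tally.items()}
```

In the constructed data the passkey method looks healthy at the login screen (0.75) but completes only half its attempts, with the losses sitting in device pairing and recovery rather than on the login screen.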
Adoption Patterns by Industry in Australia
Adoption curves differ by sector. Here’s where the momentum is – and what it means for your authentication roadmap.
Fintech and the Big Four banks in Australia are leading the shift. CBA, Westpac, ANZ, and NAB pair biometric challenges with device-level verification for high-value transactions, and SMA is gaining traction as a phishing-resistant primary – with SMS OTP retained only as a fallback.
Regulatory guidance from APRA’s CPS 234, combined with the Scams Prevention Framework and ACMA’s anti-scam rules, increasingly treats possession-based methods as a baseline. The Consumer Data Right (CDR) also raises expectations around strong customer authentication.
E-commerce is in mid-transition. Passkeys are gaining traction at checkout on mobile browsers, particularly where Apple Pay or Google Pay is already wired in. SMS OTP remains dominant for guest checkout flows, where fraud exposure is highest.
Enterprise SaaS has gone passkey-first for workforce authentication. Hardware security keys handle administrative accounts.
Customer-facing authentication in the same products often lags behind workforce authentication by a year or more.
Healthcare and government are the slowest adopters. Magic links and SMS OTP still dominate, though myGov’s myID rollout signals a national push toward passkey-aligned authentication. Passkey migrations are underway in regulated sectors.
Where 8×8 Fits in Your Passwordless Stack
You’ve picked your method. Now you need it to work – across Australian carriers, across the region, with a fallback that doesn’t make your users start over.
Zero-Friction Primary → Silent Mobile Authentication
When a user opens your app, 8×8 Silent Mobile Authentication routes a verification request to Telstra, Optus, or TPG (Vodafone) through a single API. The carrier confirms the SIM and device match the registered number and returns a result in seconds – no code, no tap, no friction. Your user is in before they notice anything happened. Coverage spans APAC and beyond through GSMA Open Gateway integrations.

Fallback When on Wi-Fi → Verif8
SMA needs a cellular connection. When the user is on Wi-Fi or the carrier check can’t complete, Verif8 steps in automatically. It generates and delivers OTPs across SMS, voice, and messaging apps like WhatsApp – one self-service integration that covers every fallback path, with built-in fraud monitoring to catch abnormal request patterns before they cost you.

Account Management and Recovery → Descope CIAM
Authentication events need somewhere to land. Descope CIAM – 8×8’s no-code customer identity platform – ties SMA verifications, fallback OTPs, and step-up challenges to a single user record. Sessions, account state, and recovery flows stay consistent regardless of which method handled the login.

Together, the three components give you a stack you can grow into: start with one primary method, add a fallback, and layer on risk-based step-up when transaction values justify it.
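The three-component flow described above, as an added example that is not 8×8's SDK or Descope's API: SMA is tried only when the device has a cellular path, an OTP fallback continues the same attempt when SMA is unavailable or does not confirm, a biometric step-up is demanded above an assumed transaction threshold, and every step is appended to one user record. The sma_check, otp_flow and biometric_check callables are assumptions standing in for the carrier, OTP and biometric providers.

```python
"""Passwordless login orchestration: SMA primary, OTP fallback, risk-based
step-up, with every step landing on one user record.
Added example, not 8x8 code. sma_check, otp_flow and biometric_check are
assumed provider callables; a real integration would supply them."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

STEP_UP_THRESHOLD_AUD = 1000.0  # assumed risk threshold for a biometric challenge

@dataclass
class LoginContext:
    user_id: str
    msisdn: str
    network: str  # "cellular" or "wifi"; SMA needs a cellular data path
    transaction_aud: float = 0.0

@dataclass
class UserRecord:
    """Single record every method writes to (the CIAM role in the text)."""
    user_id: str
    events: List[Tuple[str, str]] = field(default_factory=list)
    session: Optional[str] = None

def authenticate(ctx: LoginContext, record: UserRecord,
                 sma_check: Callable[[str], str],
                 otp_flow: Callable[[str], str],
                 biometric_check: Callable[[str], str]) -> Tuple[str, str]:
    """Return (outcome, method) and log every verification step."""
    method = None
    if ctx.network == "cellular":
        result = sma_check(ctx.msisdn)  # carrier confirms SIM and device match
        record.events.append(("sma", result))
        if result == "match":
            method = "sma"
    if method is None:  # on Wi-Fi, or the carrier check did not confirm
        result = otp_flow(ctx.msisdn)  # same attempt continues; no restart
        record.events.append(("otp_fallback", result))
        if result != "verified":
            return "denied", "otp_fallback"
        method = "otp_fallback"
    record.session = f"sess-{ctx.user_id}"  # constructed session id
    if ctx.transaction_aud > STEP_UP_THRESHOLD_AUD:
        result = biometric_check(ctx.user_id)
        record.events.append(("step_up", result))
        if result != "pass":
            return "step_up_required", method
    return "allowed", method
```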
Ready to Rethink How Your Australian Users Sign In?
Passwordless is a set of choices, not a single switch. The right method depends on your users, your devices, and the risks you carry – especially under APRA’s CPS 234 and the Scams Prevention Framework.
Start with a zero-friction primary. Pair it with a fallback that doesn’t break the experience. Layer risk-based step-up where transaction values justify it. That’s the stack that scales.
Talk to 8×8 Australia about which combination matches your app, or take a deeper look at our SMA solution.
FAQ: Passwordless Authentication in Australia
- How do I pick the right passwordless method for my Australian app?
  Start with your app archetype. Mobile-first consumer apps favor Silent Mobile Authentication; enterprise SaaS favors passkeys; high-value transactions layer the two. APRA CPS 234 and the Scams Prevention Framework also factor into the choice for regulated institutions.
- Is any passwordless method universally secure?
  No. Each method has failure modes: SMA needs cellular data, passkeys need a registered device, and magic links depend on the inbox. Layered authentication and a well-designed fallback close most of the gaps.
- Does Silent Mobile Authentication work across all Australian carriers?
  Yes. 8×8 SMA covers Telstra, Optus, and TPG (Vodafone) through GSMA Open Gateway integrations, with one API handling all three.
- Which passwordless method has the strongest phishing resistance?
  Passkeys and Silent Mobile Authentication both resist phishing effectively, because neither relies on a code the user types. This aligns with ACMA and APRA direction on moving away from SMS OTP as a primary factor.
- What does 8×8 offer across passwordless methods in Australia?
  8×8 provides Silent Mobile Authentication for zero-friction verification, Verification API and Verif8 for OTP and phone-identity signals, and Descope CIAM for account and session management. Most customers combine two or three rather than rely on one.
