Get free passkey whitepaper for Australian organizations.

Get for Free

To protect against growing cybersecurity threats, the Australian government's national cybersecurity strategy has emphasized the adoption of passkeys as a key component. Passkeys offer the only viable solution for achieving phishing-resistant multi-factor authentication (MFA) for consumers.

In this article, we analyze Telstra’s implementation of passkeys, examining the technical implementation, product flows, and the strategic thinking behind this move. Our goal is to provide a comprehensive overview that educates software developers and product managers on how to implement passkeys following industry best practices, while providing some recommendations for further improvement of Telstra’s implementation.

In our detailed analysis of Telstra’s passkey implementation, several key findings highlight both strengths and areas for improvement. Here’s a concise summary of our observations:

Our Findings of Telstra Passkey Implementation:

• Upsell to Passkeys After Login with Password: After logging in on a passkey-ready device, Telstra prompts users to create a passkey.
• Passkeys are the preferred MFA Method: If a user logs in with a password and a passkey is available, passkeys are automatically used as the preferred MFA method.
• Identifier-First Passkeys: The user provides their identifier first, and Telstra’s backend determines whether to offer passkeys or fallback to password + SMS OTP.
• Correct WebAuthn Server Settings for Passkeys: WebAuthn server settings, including ceremony flags in the PublicKeyCredentialCreationOptions and PublicKeyCredentialRequestOptions, are correctly implemented, ensuring optimal passkey usage.
• Correct Error Handling in Safari Clamshell Mode: Telstra correctly handles errors related to User Verification in Safari’s clamshell mode, ensuring no reduction in security in this scenario.
• Implementation of Conditional UI (Passkey Autofill): Both the web (mobile and desktop) and native apps support Conditional UI, improving user experience.
• Good Email Notification Strategy: We were particularly impressed with the transactional emails sent for key actions, such as passkey creation or password deactivation.

In the following sections, we will go deeper into each of these points, exploring the implications and offering recommendations for improving passkey adoption and user experience in Telstra.

The table provides a good overview of Telstra’s passkey implementation of certain passkeys features. Features marked with a ⭐ are considered the top features of their category and are crucial for a great and secure passkey experience.

This section analyzes the product flows of Telstra’s passkeys across a variety of platforms, including web apps, as well as native Android and iOS apps. The availability of passkeys extends across all major operating systems - iOS, Android, macOS, and Windows.

The following parts analyze sign-up, passkey creation, passkey management, and login processes within Telstra’s passkey integration.

Subscribe to our Passkeys Substack for the latest news, insights and strategies.

Subscribe

A pure passkey-only sign-up on Telstra is currently not (yet) possible. Instead, users must confirm their account via SMS OTP and then provide a password. After completing these steps, they can add a passkey to their account.

As passkeys cannot be created in the account sign-up process, we need to create them via the promotional page in the login process or in the account settings.

For the following screenshots, we’re using a Windows 11 device and the Chrome browser.

1. Go to Profile

1. Scroll to Advanced security settings and select Set up or manage passkeys

1. Add your passkey by clicking on Create a passkey and use Windows Hello as local authenticator.

In the Passkeys page, we see the new passkey in the list on the bottom, with a pre-defined name (here “Win10 10/2024”), date for creation and last used date.

Let’s have a look at the passkey management capabilities. Therefore, we stay in this Passkeys settings page to analyze the different passkey management options.

As you can see, there are two “Win10 20/2024” passkeys, even though Telstra correctly checks that only one passkey per authenticator is created. The second one of them was created when using a hardware security key (e.g. YubiKey), but Telstra does not show the difference which could cause some serious confusion for users.

To rename a passkey, click on the Rename button, so that you can better distinguish them.

When trying to create multiple passkeys from the same passkey provider, we see that excludeCredentials is properly implemented and the creation of multiple passkeys on the same authenticator is prevented to avoid duplication of passkey creation.

Become part of our Passkeys Community for updates and support.

Join

A notable feature within the passkey management settings is the option to turn off Password authentication, what we do now by clicking on the corresponding toggle.

We confirm by clicking on Turn off in the appearing modal.

In parallel, the following email and SMS is sent out:

Afterwards, we’ll see this screen:

However, when trying to sign in subsequently, the Sign in with password button is still displayed:

When you click on the button, you end up in the known sign in screen and can provide a password. However, you will get the following error message when providing any password:

You have the option to turn on passwords again in the Passkeys settings:

In parallel, you will get his email and SMS notification:

Then, you can use both passwords and passkeys to sign in.

This implies that theoretically the passwords could still be breached and stolen from Telstra’s databases. However, the chance of getting the password phished decreases significantly.

Let’s take a deeper look at the login process.

Want to try passkeys yourself? Check our Passkeys Demo.

Try Passkeys

If you open the login page, you can log in either via Conditional UI or via regular passkey login. The former way is pretty straight-forward. You just select the passkey you want to use, use the local authenticator and you’re logged-in.

Non-Conditional-UI logins require to provide your username and a click on Continue. In the next screen, you have to decide if you want to Sign in with passkey or Sign in with password.

If no passkey is set up, the login screen shows directly only a password field:

After the click on Sign in with passkey, the local authenticator emerges, you authenticate and are redirected to the logged-in page.

Note, that in one of our tests, we switched the browser (from Chrome to Firefox in Windows 11) and could successfully log in to Firefox with the passkey from Windows Hello that existed (was created via Chrome). However, after successful passkey authentication, the promotional passkey screen to create a new passkey emerged. When creating one, it failed, as there was already a passkey existing on this platform. This could cause some real confusion for users and should be fixed.

In the following, you’ll see the login process for the native iOS / Android app in the screenshots. Also in the native iOS as well as the native Android app, you can use Conditional UI to log in seamlessly and with a single click and local authentication.

The login process appears in a WebView. After providing your identifier, you will see this screen:

Click on Sign in with passkey and use your local authenticator on the mobile device.

When you log in the first time on the mobile device (with password / SMS OTP), there is a promotional screen offering to create a passkey:

When you click on Create a passkey, then on iOS, Face ID / Touch ID will emerge and the equivalent on your Android device. After successful passkey creation, you’ll see the following screen:

Afterwards, you are redirected to the logged-in part. In all subsequent logins, you can click on the Sign in with passkey button to start the passkey login (or use Conditional UI).

If you want to log in on a macOS device using Safari in clamshell mode, you are prompted to provide credentials, so the clamshell mode does not bypass any security issue.

Conditional UI login is implemented in the web app (mobile + desktop) and in the native iOS / Android apps.

However, on iOS the Conditional UI login did not always work as expected as the password managers / passkey providers often suggested to use the password at first and only offered passkeys afterwards for autofill.

After QR hybrid login (cross-device authentication via QR code and Bluetooth), a creating a local passkey was suggested:

Simultaneously, an email with a notification is sent out:

That’s a pretty good feature to make sure that passkeys are available on all user devices.

Let’s have a brief look at the technical implementation details of Telstra’s passkey implementation.

Want to find out how many people can use passkeys?

View Adoption Data

At first, we analyzed Telstra’s PublicKeyCredentialCreationOptions. Our review revealed that Telstra requires the use of resident keys. It shows clearly that passkeys are favored and hardware security keys which only deal with non-resident keys are second degree. However, as described in this blog post, quite often the authenticator itself decides if it wants to use resident or non-resident keys.

Also, userVerification is required which shows that users should actively authenticate and attestation direct provides more insights into the used authenticators, mainly the AAGUID.

The Relying Party ID is set to “myid.telstra.com” and the Relying Party name is set to “Telstra”. The user.id is set a random and technical value, while the user.name and user.displayName are set to the email address (login identifier).

{
  "attestation": "none",
  "authenticatorSelection": {
    "residentKey": "required",
    "userVerification": "required"
  },
  "challenge": "fhokH-XwW2wBL1rmKoJopg",
  "excludeCredentials": [
    {
      "id": "OOm5pFsDUcmToXIYqrEHKOwtSskS0oOoDNvkT4XD8",
      "transports": [
        "internal"
      ],
      "type": "public-key"
    },
    {
      "id": "RMJBo4KA_ALdfNAxd5dnOrig",
      "transports": [
        "hybrid",
        "internal"
      ],
      "type": "public-key"
    },
    {
      "id": "YhCD_R3nNdf3hItLjWnce3Ug70O98",
      "transports": [
        "hybrid",
        "internal"
      ],
      "type": "public-key"
    }
  ],
  "pubKeyCredParams": [
    {
      "alg": -7,
      "type": "public-key"
    },
    {
      "alg": -257,
      "type": "public-key"
    }
  ],
  "rp": {
    "id": "myid.telstra.com",
    "name": "Telstra"
  },
  "user": {
    "displayName": "vincent.delitz@corbado.com",
    "id": "MTk0MGQxOWMtNWJkMS00NTlhI2NDEtOTU1ODYwNDYyYTZk",
    "name": "vincent.delitz@corbado.com"
  }
}

In the analysis of PublicKeyCredentialRequestOptions, the noteworthy element is the use of allowCredentials, which is filled with all the values for available passkeys of a device – independently if the device could access these passkeys or not.

{
  "allowCredentials": [
    {
      "id": "OOm5pFsDUcmToXIYqrEHKOwtSskS0oOoDNvkT4XD8",
      "transports": [
        "internal"
      ],
      "type": "public-key"
    },
    {
      "id": "RMJBo4KA_ALdfNAxd5dnOrig",
      "transports": [
        "hybrid",
        "internal"
      ],
      "type": "public-key"
    },
    {
      "id": "YhCD_R3nNdf3hItLjWnce3Ug70O98",
      "transports": [
        "hybrid",
        "internal"
      ],
      "type": "public-key"
    }
  ],
  "challenge": "oMyXbqjhiTKuhV8U7Aqmw",
  "rpId": "myid.telstra.com",
  "userVerification": "required"
}
 

• Get Recognition as Digital Leader: Telstra's integration of passkeys marks a big advancement in user-friendly cyber security for public services. By adopting passkeys, Telstra sets a precedent for the telecom sector in Australia. This bold move places Telstra at the forefront of cyber security practices, showcasing their dedication to protecting sensitive information while enhancing user experience.
• Ensure Future-Readiness By Adhering To Essential Eight Framework: by Australia's evolving cyber security legislation, such as the updated Essential 8 framework. This framework emphasizes the importance of phishing-resistant MFA, pushing organizations towards more secure authentication methods.
• Avoid Data Breaches My Disabling Passwords and Offering Phishing-Resistant MFA: As passwords can be entirely disabled (a very bold move!), password-based phishing attacks can be avoided and if passkeys become the standard login method for many users, these users are protected from phishing threats.
• Save Millions Per Year on SMS OTP Costs: If passkeys become the preferred MFA method, then we expect a high decline in SMS OTP costs, which we estimate to be in the millions per year for Telstra.
• Decrease MFA Recovery Costs: Recovering MFA protected user accounts is among the most user-unfriendly and cost-intensive processes. By pushing for (synced) passkeys, we expect the number of MFA recovery support cases to drop significantly, which could eventually be materialized in further savings for personnel and increase user satisfaction.

Why Are Passkeys Important For Australian Organizations?

Passkeys for Australian Government & Enterprises

The Australian Cyber Security Strategy and Essential Eight framework require organizations to implement phishing-resistant MFA (via passkeys). Our whitepaper provides an overview and shows how to implement passkeys efficiently and what the business impact is.

Download the whitepaper

Work email *

Name *

Company *

Job title *

Get whitepaper

If you have questions, feel free to  

contact us

Telstra has shown great courage by being among the first Australian companies to implement passkeys. Its passkey implementation is solid, and we only have one recommendation:

• Recommendation 1 - Reduce Manual Selection Between Passkey and Password for Users: If a passkey is available, the system should default to using it immediately, rather than requiring the user to manually choose between passkey and password.
• Recommendation 2 - Correctly Detect Hardware Security Keys: When creating a passkey with a hardware security key (e.g., YubiKey), the system should correctly detect and display it to the user. Currently, there’s no distinction between hardware security keys and platform authenticators in the passkey settings.
• Recommendation 3 - Improve Passkey Intelligence for Creating Passkeys on New Browsers: When switching to a new browser on a device that already has passkeys, the system sometimes prompts the user to create another local passkey, even though they have just logged in with a passkey. This can confuse users. Enhancing passkey intelligence to avoid unnecessary passkey creation prompts, particularly when promotional passkey pages are shown, is recommended.

In conclusion, Telstra's implementation of passkeys represents a forward-thinking approach to improve cyber security in the public sector. The current implementation shows strong technical foundations and also the UX and user communication is on a high level.

Moreover, the future-readiness is secured as passkey align with the national cyber security strategy and the Essential Eight framework.

We continue to monitor the implementation of passkeys at Telstra and keep you posted about any changes.