Carers ACT delivers quality carer interactions thanks to passwordless logins with the YubiKey
Australian carer support organisation secures sensitive health data with strong, passwordless authentication
Operating from four locations across Canberra and Illawarra, Carers ACT has 65 full-time employees, with additional support workers in short-term respite facilities and a disability services program. Providing safe and effective respite and services for family and friend carers requires timely access to sensitive health information about the individuals being cared for, including care plans, health conditions and consents. This health information is critical to delivering safe and effective care to clients – but it is also valuable to threat actors.
Carers ACT needed to protect vulnerable Australians’ health information and meet evolving compliance requirements
Healthcare and social assistance is currently among the top five reporting sectors for cybersecurity incidents in Australia, with compromised accounts or credentials listed as the top exploit. For Thomas Pike, Information and Communications Technology (ICT) Innovation Lead for Carers ACT, a non-profit organisation whose purpose is to support and connect unpaid family and friend carers, this risk is something to be taken seriously.
“Account compromise is something which is hugely worrying for us,” says Pike. “We hold some of the most sensitive personal information you can and we take our responsibility in holding that information very seriously.”
Pike is responsible for supporting the daily operations and security of the ICT systems as well as finding innovative new ways to help carers, to support the mandate of Carers ACT, a part of the Australia-wide network of Carer Gateway service providers. For over 30 years, Carers ACT has provided a range of integrated services and support for individuals caring for family or friends in need of temporary or permanent help in the tasks of daily living, while conducting both local and national advocacy work to raise awareness of the needs of carers.
In the past several years, Pike has noticed increasingly sophisticated cyber threats, including spear phishing campaigns that target employees with malicious emails that appear to come from the CEO of Carers ACT. Threats also come from potentially insecure devices used by clients and other guests on the guest Wi-Fi systems at its facilities.
To ensure high quality care and the safety of client data, the ICT department has undertaken a series of infrastructure improvements to increase system resiliency and security and to improve the login experience for support staff. Pike decided to replace cumbersome passwords and complex two-factor and legacy multi-factor authentication (MFA), such as SMS codes, with a FIDO security key to give support workers a secure, user-friendly passwordless experience.
Having used and worked with YubiKeys at a previous organisation, Pike found choosing the YubiKey for Carers ACT an “easy choice to make.” The YubiKey is a hardware security key that delivers phishing-resistant MFA and passwordless authentication, complying with Essential Eight Maturity Levels 2 and 3. Carers ACT began by rolling out the Security Key C NFC by Yubico, which supports FIDO2/WebAuthn (device-bound passkeys), to all support staff to address cyber threats and enable a seamless, user-friendly login to shared devices.
With the Australian government continuing to encourage cybersecurity efforts and the adoption of phishing-resistant MFA for all businesses—with particular emphasis on critical infrastructure and health organisations—the Carers ACT YubiKey deployment is a future-proof investment toward shifting compliance requirements.
“As an organisation, and especially as an ICT department, we are very aware that we require health information to provide a safe and effective service. We spend a lot of time making sure our systems are responsive to those particular threats.”
Increasing infrastructure resilience with the YubiKey
Over the course of the last several years, Pike and the ICT team have invested heavily in infrastructure improvements to address evolving risk and to improve service delivery to carers. Carers ACT has reimplemented all their networks to improve access and to protect against cyber attacks. Carers ACT also leverages several Microsoft products to improve security and drive better experiences, including Microsoft Defender, Microsoft Intune for endpoint management and Microsoft Conditional Access for access control.
Microsoft Conditional Access is a feature of Microsoft Entra ID that allows granular access control policies to enforce the use of phishing-resistant authentication (or the YubiKey specifically) when accessing Microsoft Entra ID-protected devices, applications and services. Pike uses Microsoft Conditional Access to create access controls based on user role. For support workers, access is restricted to office locations on shared Microsoft Surface tablets.
With an established Microsoft environment, Pike was able to take advantage of out-of-the-box support for the YubiKey to streamline implementation. “One of the strengths of the YubiKey is the high availability of documentation to support implementation,” says Pike. “The YubiKey is standards-based and there are many well-documented use cases for how to implement FIDO2 logins.”
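The two controls described above (require phishing-resistant MFA for support workers, and restrict them to office locations) can be expressed as Microsoft Entra Conditional Access policies. The following is an added illustration, not Carers ACT's own configuration; it uses the Microsoft Graph PowerShell SDK and assumes a pre-existing support-worker group and office named location, whose object IDs are placeholders.

```powershell
# Added example (not the organisation's actual policies). Requires the
# Microsoft.Graph PowerShell SDK and a Conditional Access administrator role.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$supportWorkersGroupId = "<GROUP-OBJECT-ID>"    # placeholder: assumed group
$officeLocationId      = "<NAMED-LOCATION-ID>"  # placeholder: assumed named location

# Built-in authentication strength "Phishing-resistant MFA" (FIDO2 security key,
# certificate-based auth, Windows Hello for Business). Confirm the ID in your
# tenant with Get-MgPolicyAuthenticationStrengthPolicy before relying on it.
$phishingResistantStrengthId = "00000000-0000-0000-0000-000000000004"

# Policy 1: support workers must satisfy the phishing-resistant strength
# (i.e. sign in with the YubiKey) for every cloud app. Created in report-only
# mode so sign-in logs show the impact before it is enforced.
$requireFido2 = @{
    displayName = "Support workers - require phishing-resistant MFA"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @($supportWorkersGroupId) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $phishingResistantStrengthId }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireFido2

# Policy 2: confine support-worker sign-ins to the office named location.
# Conditional Access has no "allow only here" grant, so the restriction is
# written as "block from every location except the office".
$officeOnly = @{
    displayName = "Support workers - block outside office locations"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeGroups = @($supportWorkersGroupId) }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($officeLocationId)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $officeOnly
```

Review the report-only results in the Entra sign-in logs, and exclude a break-glass account from both policies, before switching `state` to `enabled`.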
Thanks to the work already completed to modernise Carers ACT infrastructure, and the technical support information and guides provided by Yubico, the ICT team was able to implement YubiKeys quickly.
“I cannot say enough about the ease of implementation. We were able to implement the YubiKeys within just a couple of days.”
Going passwordless to reduce user friction and IT support costs
In the past, security and compliance requirements obliged Carers ACT to use complex passwords and deploy mobile MFA based on SMS or authenticator apps. These MFA implementations frustrated both users and the IT team.
“We were finding that our support workers are very talented in providing people support, but the added task of managing technology and consistently remembering usernames and passwords proved challenging,” notes Pike. “We ended up spending a lot of time on password resets or with users simply not able to log in due to platform issues.” In fact, the average company can expect 60% of IT service desk interactions to be related to password resets.¹
Even more important than reducing these hidden governance and support costs was the need to make the login process for staff much simpler, so they could seamlessly access devices and focus on providing quality care.
That efficient balance of security and compliance comes to life with the YubiKey, creating a passwordless login experience that leverages the high-assurance security of device-bound passkeys. Support staff simply insert the YubiKey into the shared Microsoft Surface tablet and enter a short, easy-to-remember PIN to securely authenticate to the device and gain immediate access to Entra ID-protected environments.
Following a pilot program with select ICT department staff, all support workers were issued a YubiKey with basic training and on-hand assistance to register the YubiKeys and demo the improved login experience. “We are able to demonstrate to users that the login experience is going to be easier than what they did before,” shares Pike. “The reaction we’ve had has been glowingly positive.”
“It was important for us to design our ICT systems to be both secure and easy to use. The YubiKey has made the login process for our staff much simpler, allowing them to continue to focus on providing quality care.”
Looking ahead to stronger MFA across the organisation
For many years, choosing an MFA approach required trade-offs between security, user experience and productivity. After first-hand experience with the drawbacks of passwords and legacy MFA, Carers ACT now uses the YubiKey to give its support workers a high-assurance, user-friendly passwordless experience. Looking to the future, Carers ACT plans to extend the YubiKey deployment across other parts of the organisation.
Sources
¹ Gartner, 3 Simple Ways IT Service Desks Should Handle Incidents and Requests (Aug 2019)