SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Australia

Guides

#
cloud security
#
cybersecurity
#
endpoint protection
#
firewalls
#
ransomware

Search

Box hands child 2(2)
#
EduTech
#
Firewalls
#
Network Security

Cyberattack drives YubiKey demand in Australian schools

Tue, 3rd Feb 2026
Author image
By Joseph Gabriel Lagonsin, News Editor

Yubico has reported a sharp increase in demand for its YubiKey authentication devices from Australian public schools following a recent cyber incident.

The company said the incident prompted a renewed focus across the education sector as schools return for the new school year. It highlighted risks linked to account-based attacks. It also pointed to attacks aimed at large identity systems that contain long-lived credentials and inactive user accounts.

Schools and education departments typically administer large volumes of user identities for students, teachers, contractors and external partners. These identities often connect to email, learning platforms and administrative systems. Large numbers of accounts can also remain open after students leave, or after staff move roles.

"Education systems are prime targets because they manage vast numbers of user accounts containing sensitive data, many of which remain active long after students leave," said Geoff Schomburgk, Vice President for Asia Pacific and Japan, Yubico. "The start of the school year is a timely reminder that passwords alone are no longer sufficient, especially when inactive accounts can be exploited as entry points."

Account risks

Credential theft and phishing remain common entry points for cyber attacks across many sectors. Education environments often add complexity because they manage large cohorts of users who join and leave each year. They also rely on shared devices in classrooms and libraries. Many users access systems from personal devices and home networks.

Yubico said schools face heightened exposure where password-only logins remain in place. It said long-lived credentials can persist across multiple years. It also said inactive accounts can escape routine checks. Attackers can use these accounts for initial access and lateral movement once they gain credentials.

Hardware authentication

YubiKeys are physical devices that users plug in or tap during sign-in. Yubico said its keys use hardware-based authentication. The company said that method cannot be phished, replayed or intercepted. It said this remains the case even if login credentials are compromised.

Hardware authentication typically adds a second factor beyond a password. It can also support passwordless sign-in on systems that use modern authentication standards. Yubico said its approach has seen adoption across government, critical infrastructure and education environments.

The company said the Australian Cyber Security Centre strongly recommends phishing-resistant authentication within its Essential Eight guidance. The Essential Eight outlines baseline mitigation strategies for organisations, including controls around identity and access. Many Australian organisations use the guidance as a benchmark for cyber maturity programs.

"Phishing-resistant authentication closes off an entire class of attacks," said Schomburgk. "It protects both active users and dormant accounts, which are often the weakest link in large education environments."

Sector focus

Public education systems in Australia operate at scale. They often combine centralised identity systems with individual school administration. They also integrate third-party learning applications and cloud collaboration tools. Each integration increases the number of sign-in pathways that must be managed and monitored.

Schools also face pressure to keep systems accessible for students and staff. That can limit the ability to impose complex password rules or frequent password changes. It can also create support burdens where users forget credentials or change devices. Hardware-backed sign-in can reduce reliance on passwords, although it introduces procurement, distribution and lifecycle management considerations.

Yubico said it works with governments, enterprises and education providers globally on securing digital identities and reducing credential-based cyber threats. The company markets YubiKeys as a method for phishing-resistant sign-in. It also positions the devices for use across both high-volume and high-risk environments where account takeover attempts can have broad impact.

Yubico operates from Stockholm and Santa Clara. It sells into more than 160 countries and participates in industry authentication standards, including FIDO2 and WebAuthn. The company said its passkey technology forms part of its broader approach to modern authentication across sign-in and account recovery.

"The start of the school year is a timely reminder that passwords alone are no longer sufficient, especially when inactive accounts can be exploited as entry points." said Schomburgk.

Yubico said it expects continued interest from Australian schools as they review authentication controls and account management practices after the incident.

Related stories
Fime opens Melbourne lab to bolster SoftPOS security
Object First triples growth on ransomware-proof backups
Telehouse Europe appoints Chris Lamb as Enterprise Director
Study finds 28,000 fake domains mimic top websites
Bitsight unveils dark web tool to secure supply chains

Top stories

Kyndryl unveils policy-as-code guardrails for AI agents
Genetec adds case investigation tools to Security Centre SaaS
Gigamon named 2026 public sector observability leader
SmarterMail flaw exploited in China-linked ransomware push
Hackers ditch noisy ransomware for stealthy data theft