This big bank plans to kill the password by 2030
By Sumeyya Ilanbey and David Swan
One of Australia’s largest banks expects to finally kill off passwords for internet banking within the next five years, replacing the security measure with passkeys and biometric recognition technology.
National Australia Bank chief security officer Sandro Bucchianeri said passwords were “terrible” and becoming increasingly risky in a digital world where cybersecurity breaches are more widespread and identity theft is on the rise.
He said NAB had already rolled out passkey technology, a cryptographic key designed to replace passwords, at its digital-only subsidiary Ubank, and expected the wider bank to follow suit within three to five years’ time.
“What we’re trying to do in security is a very fine balance between security and usability,” Bucchianeri said.
“If I go too much on the security, the end user will find an easier way – such as post-it notes – to try and get in because it’s just too difficult. And if I make it too user-friendly … then I will compromise the security.”
Passwords are seen as a poor security measure because people tend to use weak ones, write them down and reuse them on various websites. Passkeys, by contrast, are digital credentials that allow users to authenticate without a username or password, instead using cryptography to generate a code.
Users can then sign in using a fingerprint, PIN or facial recognition technology.
Bucchianeri said identity and credential theft had been increasing year-on-year via phishing emails that ask people to provide their name, email address and a password to log in to, or set up, an account.
“And most users use the same password for everything, and because of that they will then try and use that password to get into your banking accounts, your brokerage accounts, and all of those kinds of things,” he said.
Todd McKinnon is chief executive and co-founder of Okta, a publicly traded US identity software firm worth about $US14 billion ($22 billion).
For McKinnon, passwords are “no one’s ideal method”. Passkeys represent a far superior option for both businesses and consumers, he said, despite having their own pitfalls given the technology is still in its relative infancy.
“Passkeys are exciting,” McKinnon told this masthead. “I think the adoption is still relatively early, and everyone knew that the hard part would be cross-machine compatibility.
“The thing [with] passkeys is that you can replace the actual password but the real test of it is when you have to get a password for a credential that’s forgotten, and how do you restore that, and how do you respond? How does the helpdesk respond when you have to reset it,” he said.
Like all big businesses around the world, NAB has substantially increased its technology spend to thwart cybersecurity attacks, of which it receives more than 50 million a month, Bucchianeri said.
While cybercriminals have not penetrated NAB’s digital systems, Bucchianeri said they have been attacking smaller, less secure businesses that provide services to large organisations such as the bank, to get their hands on critical data and people’s personal information.