Why are banks still getting authentication so wrong?
Everyday failures and hostile flows
- Many describe absurdly complex or brittle login processes: 11‑step Canadian bank logins, guessing the right tax payee (“CRA” variants), in‑branch resets, or app flows that break on travel or SIM changes.
- Banks and agencies routinely phone customers, then demand PII (DOB, SSN, address) or OTPs, directly contradicting their own “never share codes” training and normalizing scam patterns.
- Phone calls are criticized as an unauthenticated, ephemeral, mishear‑prone channel still treated as a primary security medium.
SMS 2FA: default, fragile, and easily abused
- SMS is near‑universal and simple, so banks lean on it despite known weaknesses: SIM swaps, roaming gaps, VOIP/prepaid blocking, and inconsistent delivery (especially cross‑border).
- Some banks even verify users by texting OTPs to numbers supplied on the call, or by requiring card + PIN over the phone, effectively training customers to give away credentials.
- A few note roaming “tricks” (receive SMS while data is off), but others argue this shouldn’t be a prerequisite for accessing money.
Examples of better (and worse) systems
- Several European and Swiss banks use app‑ or device‑based challenge/response: QR codes plus a mobile app or hardware token that confirms exact transaction details.
- Nordic countries, Belgium, Italy and others use bank‑ or state‑backed digital IDs (BankID, MitID, SPID, etc.), often with strong UX; some see this as solved, others fear centralization and surveillance.
- In the US/Canada, support for TOTP or FIDO keys exists in pockets (credit unions, some brokerages, CRA), but SMS cannot usually be disabled.
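The transaction-confirming challenge/response described in the first bullet, as an added example that is not code from any bank, vendor or commenter in the thread: the bank binds a fresh nonce to the exact payee and amount, the token MACs those details after showing them to the user, and the bank recomputes over what it is actually about to execute, so a payee swapped by browser malware or a replayed code fails. HMAC-SHA256 with a shared device key is an assumed construction; the key, IBANs and amount are constructed values.

```python
import hashlib
import hmac
import json
import secrets

# Constructed shared secret provisioned into the token at enrollment (hypothetical value).
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def bank_build_challenge(payee, amount_cents, currency):
    """Bank side: bind a fresh nonce to the exact transaction details.
    This dictionary is what the QR code shown to the user would carry."""
    return {"nonce": secrets.token_hex(16), "payee": payee,
            "amount_cents": amount_cents, "currency": currency}


def _canonical(challenge):
    # Deterministic encoding so token and bank MAC identical bytes.
    return json.dumps(challenge, sort_keys=True, separators=(",", ":")).encode()


def token_sign(device_key, challenge):
    """Token side: after displaying payee and amount on its own screen,
    MAC the details. The 8-digit decimal output is what the user types back."""
    mac = hmac.new(device_key, _canonical(challenge), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def bank_verify(device_key, challenge, submitted_code, seen_nonces):
    """Bank side: recompute over the details the bank is about to execute
    (not over whatever the browser claimed) and reject nonce replays."""
    if challenge["nonce"] in seen_nonces:
        return False
    ok = hmac.compare_digest(token_sign(device_key, challenge), submitted_code)
    if ok:
        seen_nonces.add(challenge["nonce"])
    return ok


def demo():
    seen = set()
    ch = bank_build_challenge("NL00BANK1234567890", 12500, "EUR")  # constructed
    code = token_sign(DEVICE_KEY, ch)
    honest = bank_verify(DEVICE_KEY, ch, code, seen)
    # Malware rewrote the payee after the user confirmed on the token:
    tampered = dict(ch, payee="NL00MULE0000000001")  # constructed
    swapped = bank_verify(DEVICE_KEY, tampered, code, set())
    replay = bank_verify(DEVICE_KEY, ch, code, seen)  # same nonce, second use
    return honest, swapped, replay
```

Contrast this with an SMS OTP, which is bound to nothing: the same six digits authorize whatever transaction the server happens to hold.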
TOTP, passkeys, hardware tokens: promise and friction
- Many want banks to offer standards: TOTP, passkeys/WebAuthn, U2F keys, recovery codes. Complaints center on banks refusing to expose these or forcing SMS fallback.
- Counterpoints:
  - TOTP setup and backup confuse non‑technical and elderly users; losing a phone often means lockout.
  - Passkeys and biometric flows are seen as conceptually opaque and poorly explained.
  - Hardware tokens are praised for security but criticized as lost, forgotten, or impractical at scale; multiple services vs one key is debated.
Recovery, passwords, and security theater
- Password expiry policies and short max lengths are widely derided as outdated and counterproductive, driving weaker “Password1/2/3” schemes and sticky‑note passwords.
- Recovery flows are often worse than auth: obscure phone numbers demanding SSNs, expensive archival statement fees, or app‑only paths that silently fail internationally.
- Many see this as security theater driven by auditors, insurers, and legacy vendors, not by user safety.
Incentives and regulation
- Commenters argue banks optimize for regulatory compliance, KYC/AML, and liability shifting, not user experience.
- Fraud costs are often externalized (to merchants, consumers, or insurers), reducing pressure to modernize authentication unless regulators mandate it.