I know banks have to deal with the full spectrum of customers, but is Kiwibank going backwards?
KB standard login on PC has been password and KeepSafe (you know, the "What is Aunt Fanny's middle name?" type of thing). On mobile you could set biometrics and a security pin (more on that later).
Today when logging in on a PC it suggests: "If you have a verified New Zealand mobile number, using your mobile to verify your login is more secure than KeepSafe."
For the last month or two KB has suggested more and better security is coming, so I guess this is it. The full details are here: https://www.kiwibank.co.nz/help/online-banking/authentication/
The three choices are:
- Biometric login. Fine, been enabled on the mobile for yonks, but needs a 4 digit pin to be enabled. Besides, not much use on my PC.
- SMS one-time codes. This is new, and we know what to think on this one.
- Security code: Been on mobile for a while and is a 4 digit code. The page sells it as:
  "Enhanced security: Security codes offer stronger protection than traditional passwords."
  "Simplify your login: Security codes are shorter than passwords and easier to remember."
Errrr? Contradiction in terms here.
I've always had a beef on this one on the mobile. Once you have logged into mobile KB, to enable biometrics you MUST have enabled a 4 digit pin. Thereafter, you can login to mobile KB using biometrics OR the 4 digit pin; to me this is pretty crap security. How is a 4 digit pin more secure than a 16 character password, for goodness sake?
Note that TOTP 2FA or passkeys are not options. I can understand why businesses like banks don't like making these compulsory, but they should at least be one of the options available for those of us that are more security conscious.
Govt advice: Your two-factor authentication methods – ranked - Own Your Online

