


OldGeek

989 posts

Ultimate Geek
+1 received by user: 409

ID Verified
Lifetime subscriber

#323756 11-Jan-2026 16:38

Having read about the ManageMyHealth data leak and the resultant implementation of 2FA with login, it seems clear that with logins/passwords regularly being hacked - users can no longer rely on password secrecy as a fundamental protection against unauthorised access to accounts.  Enter 2FA, which requires a hacker to be able to respond with a 2FA code to get into an account where the password is known.  This is unlikely unless they also have access to the 2FA device.

 

Accordingly I have concluded that using 2FA at login is not just a financial security issue but a privacy issue.  I am turning on 2FA wherever I have an online account and 2FA is available.

 

Colour me surprised that I cannot do this with the ANZ app or web logins.  Access is purely with customer number/password on the web or customer number/PIN or fingerprint with the app (and fingerprint is an optional alternative to a PIN, not a PIN replacement).  I questioned the ANZ about this and their response is that the use of Onlinecode is a form of 2FA.  I agreed with them but this protects users against unauthorised funds transfer and is therefore not equivalent to using 2FA at login.  The fact remains that anyone who gets hold of my customer number and password/PIN has access to my data.  This is not a good thing, and 2FA at login is intended to remedy this.

Am I missing something here?  Do the banks have unbreakable password encryption perhaps?





-- 

OldGeek.

 

Quic referral code: https://account.quic.nz/refer/581402 and use this code for free setup: R581402E48MJA


jamesrt
1663 posts

Uber Geek
+1 received by user: 941

ID Verified
Trusted
Lifetime subscriber

  #3451905 11-Jan-2026 16:52

Do you perhaps NOT have "Log on" checked on the OnlineCode preferences?

 

The menu option:

 

 

The options:

 

 

"Log on" is clearly an option.




freitasm
BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #3451906 11-Jan-2026 16:56

2FA takes many forms. TOTP (time codes that change every 30 seconds) is just one of them.





Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies 

 

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

 


Jase2985
13730 posts

Uber Geek
+1 received by user: 6202

ID Verified
Lifetime subscriber

  #3451908 11-Jan-2026 17:23

jamesrt:

 

Do you perhaps NOT have "Log on" checked on the OnlineCode preferences?

 

The menu option:

 

The options:

 

"Log on" is clearly an option.

 

 

And while it's great they have something, a text message is not great if you are travelling overseas, in spotty coverage or if your SIM is spoofed, so someone other than you can receive it.




michaelmurfy
meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

  #3451910 11-Jan-2026 17:29

Oh totally agree SMS is terrible.

 

But SMS is one of those methods that is mostly foolproof for customers who have no idea how to use 2FA. I think a good implementation is BNZ with their app-based push notifications, but the initial login is still supported by SMS / Email as the majority of their customers can easily drive this.

 

I don’t see SMS or Email for 2FA going anywhere but we’ll likely see it supplemented with app-based push notifications going forward. ANZ are already doing this with Verified by Visa (great!).

 

2FA for banks and other mass market products needs to be mostly transparent to the end user.





Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.


freitasm
BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #3451911 11-Jan-2026 17:31

And above all, if available, enable it, regardless of type.






 


Linux
12173 posts

Uber Geek
+1 received by user: 8469

Trusted
Lifetime subscriber

  #3451914 11-Jan-2026 18:18

The business I work for disabled SMS MFA by policy just before Christmas (not banking or health).


 
 
 

OldGeek

989 posts

Ultimate Geek
+1 received by user: 409

ID Verified
Lifetime subscriber

  #3452024 11-Jan-2026 20:32

You have all missed my point - there is no 2FA at login.  A hacker can view any amount of data on the account, simply by knowing the password and customer number.  Onlinecode simply prevents transactions being created - but does not prevent a breach of privacy or sanctity of identity.  Naturally I have Onlinecode enabled.







OldGeek

989 posts

Ultimate Geek
+1 received by user: 409

ID Verified
Lifetime subscriber

  #3452026 11-Jan-2026 20:42

A followup - Onlinecode can be set to be used at logon for the web and works, but you can still log on to the app with just a PIN and no 2FA.  You can also log in to the app using a fingerprint and this to me is OK because a hacker would find this difficult to circumvent.

I am primarily a web user, and my recollection of Onlinecode was that it could only be used to authorise transactions.  This has since been extended but this was not mentioned when I raised the issue with the ANZ.







freitasm
BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #3452027 11-Jan-2026 20:44

There is an option in the list called "Log on". Isn't this to use at login time?






 


michaelmurfy
meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

  #3452037 11-Jan-2026 22:22

OldGeek: A followup - Onlinecode can be set to be used at logon for the web and works, but you can still log on to the app with just a PIN and no 2FA.

 

2FA (Onlinecode) is used to authorize your app in the first instance (setting up the app) and only after that you set a PIN + biometrics. Your smartphone is seen as trusted by any app out there and 2FA past this will provide zero security benefit.

OldGeek: I am primarily a web user, and my recollection of Onlinecode was that it could only be used to authorise transactions.  This has since been extended but this was not mentioned when I raised the issue with the ANZ.

 

This option has been there for as long as I remember. It is not a new feature.

 

I'd also like to point out 3 things:

 

1) We've already established Onlinecode is used for logging into the app for the first time and can also be enabled on Online Banking.
2) Additionally, there is also some pretty sophisticated behavioral based fraud analysis running on both the website and in the app along with other things like Voice ID.
3) If you lose your mobile then contact ANZ and they can remotely log it out of the app. You can also do this from any other device logged into goMoney:

 

 

There are quite a few layers of protection behind ANZ's Internet Banking + goMoney along with security and fraud teams working behind the scenes. You can check all of this here: https://www.anz.co.nz/banking-with-anz/banking-safely/fraud-protection/







OldGeek

989 posts

Ultimate Geek
+1 received by user: 409

ID Verified
Lifetime subscriber

  #3452152 12-Jan-2026 08:42

Thanks to all - I was remiss in understanding the extent of protection available from the Onlinecode option.






