Does my bank support?

A look at the security and standards compliance of NZ banks


Bank Website Real Passwords Two Factor Auth (TOTP) Two Factor Auth (U2F) Two Factor Auth (Other) User accessible APIs
ANZ www.anz.co.nz OnlineCode SMS-based
ASB www.asb.co.nz [1] Netcode SMS or RSA physical token
BNZ www.bnz.co.nz [2] NetGuard look up table
Co-operative Bank www.co-operativebank.co.nz [9]
Kiwibank www.kiwibank.co.nz [3] KeepSafe Question / Answer
RaboDirect www.rabodirect.co.nz [4] [5] Digipass hardware token
TSB www.tsbbank.co.nz [6]
Westpac www.westpac.co.nz [7]

Key

Good support

Not supported, though a similar or mitigating option is

Not supported at all

No available information, if you can find out I would love to know


FAQs

Q: What is a "Real Password"?

A: Passwords should be case sensitive, allow special characters, and not artificially limited in length [8]. If you have a better term for this, let me know!


Q: What is two factor authentication?

A: Two factor authentication (or 2fa) is an additional security feature used when you login to ensure that you are in control of your account. This is commonly accomplished using Time based One Time Password (TOTP) apps like Google authenticator or Physical Tokens such as Yubikeys. Click here for a more detailed introduction to multi factor authentication.


Q: Is some 2fa better than no 2fa?

A: Yes. Definitely yes. Though some methods may be more susceptible to attack than others. New sites should support industry standards such as TOTP [1] and Fido/U2F [2]. SMS is no longer recommended due to ease of exploitation.


Q: What is an RSA physical token

A: RSA SecureId tokens are a vendor specific implementation of a Time based One Time Password scheme.


Q: What do you mean by user accessible APIs?

A: (Read only) APIs that any user or company providing a service to a user can utilize to query account and spending details on behalf of a user for analytics or any other purpose, with authorization provided using a standard user-centric method such as OAuth. Think, APIs that would let products like Xero be built, to put personal data for financial analysis in the hands of users.


Notes

Not all banks had public information about password requirements.

The risk of terrible passwords can be mitigated using login analysis which all banks do. Given your password is complex enough, the probability of brute forcing it prior to your account being locked is negligible.


[1] ASB do support RSA SecureID tokens (you will have to pay for it)

[2] BNZ now allow 60 character passwords! and a reasonable character range

[3] Kiwibank passwords are case insensitive (!!?) and have a maximum password length of 15 characters, with an additional challenge word on login

[4] RaboDirect appear to use a numeric PIN instead of a password for online logins, which is mitigated by [5]

[5] RaboDirect require Digipass challenge based second factor by Vasco

[6] TSB require 8-16 character passwords one letter and one number

[7] Westpac passwords are case insensitive (!!!?). source

[8] The NZ Information Security Manual (NZISM) part 2 section 16.1.21.C.01. requires passwords to be at least 10 characters, allowing lower and upper case, digits, and special characters.

[9] Co-operative bank's passworld policy requires passwords to be between 8-15 characters, containing at least 1 number and 1 letter. source