Token login verification


I currently use a token for one of my banks and to be honest it is the account I feel safest logging into.

The code on the tag changes every 30 sec or so and is required as a third step or second password if you like.

My other banks app uses my fingerprint to login. However, whenever anything happens to my phone, like resetting it or replacing it. I end up having to change my password because my fingerprint has gone and I’m so used to not putting in a password it’s forgotten.

I don’t mind fingerprint at all. The token however has never caused me the same problem.

Incase nobody knows what I’m talking about :rofl: google RSA SecurID. It can’t cost Suncorp too much to run, as it costs me a one off fee of $20 every 5 yrs.

Just a thought :relieved:


I don’t mind tokens too much, but would prefer Google Authenticator or similar so that I could use it on a few devices in case I don’t have my token handy I’m always likely to have a phone or laptop handy.

But appreciate that it feels more secure having MFA enabled!


I have a healthy mistrust of google, but that aside I can understand how billions of others don’t, and it won’t stop me playing Pokémon Go. :rofl:

I’m completely the opposite thou, I will never be without my keys to either drive or get back into the house. So a key token really suits me.

I have heard mention of a soft token? I believe it is an app type thing, however I still like to keep technology and my last line of security at arms length.

I think this is less of a debatable issue as opposed to highlighting the need to have options. The more low cost options that keeps everyone happy, the better. :slightly_smiling_face:


Yep. A soft token like Google Authenticator is good because it still provides a secondary protection for your access.

However, I do understand the ease of a physical device and the ability to read it. My key bundle is already huge between home work and cars. Don’t need another thing attached :joy:


They supplied the concept, it’s implemented by many other people and it’s not dependant on Google’s systems.


Your probably right, I do however have the same healthy mistrust of Facebook, Twitter and instagram :laughing: I do like twitter thou I must say.

The more accounts that offer Facebook and Google as login options. The less I trust them.

I have no problem with them existing or being an option for others to use, I just see two really big companies, almost controlling for the most part, a now integral and un regulated sector of society. That I choose to keep at arms length as much as possible.

To me they are Data miners and happy to sell on whatever they can. In Australia we rejected an Australia Card because of privacy issues, yet we accept a global company giving us a unique ID number to track our activity :joy:

And that’s the last I want to say about that :rofl:

Here anyway :wink:


As a matter of policy, I don’t use third parties for authenticating into non related sites.


Google itself stopped using google Authenticator internally. They are using yubico security keys. They are really awesome, cheap and much more secure! They also work with nfc


Interesting their not even using their own product.

Not sure why they bother having it then! Good to know.


Google actually just replaced yubico with their own key. Titan Security key. Google authenticator is not very secure and Xinja should not consider it! Would be cool to have a U2F security key option for Xinja.


Interesting, I’m also super avoiding biometrics. If we can stay away from that, it’s quite scary what’s in the public forum regarding China at the moment and social scoring, I do not like the NAB facial recognition ATMs either.

Human beings are fallable, therefore biometrics are only as good as human behaviour.

In my humble opinion.


Security has to be workable and flexible. A choice of options is good. I like email one time logins, software tokens, Yubikey, leveraging biometrics of decent hardware implementations like iPhone etc, PIN, recovery codes in a pinch, just NOT SMS.


Agree entirely with the need @Cavok for it to be workable.


Google does a lot of innovation and makes it public. They do that with the Android OS. It’s a matter of choice.

I have soft token, usb security key, other things as well.

Microsoft just announced today you will be able to login to their Email and other apps without a password using a key.


That is an industry standard and I totally disagree with what you are saying.

Provide evidence it’s not secure.


I should say I have lots of different tokens, physical (both cards schemes & electronic) and also software-based // generating SMS & things like Google Authenticator.

Personally, I would just point out that I think anything over the top of a password layer is better than not!


That’s an easy trap to fall into. I work in this space and some of that can be excluded. It’s a horses for courses discussion. SMS is at best an informational product which is best efforts technology only.


Informational isn’t so bad, it would still sort you that someone is attempting to log into your account?

I have found sometimes two factor to be extremely onerous.

I suppose a public private key system is out of the question for the average user…?


I think 2 factor is great for large or risky transactions. I wouldn’t apply it on everything as you’ll be sacrificing convenience for security.

HSBC has long had a RSA style token for 2 factor authorisation. Months later they started providing 2 password for low risk transactions (This tells me they’ve done their research and found that 2 factor via physical token isn’t convenient enough).



Hi @XinjaPat
Thanks for sharing your preferences around risk thresholds, security vs convenience!

Xinja as you can imagine - takes this area very seriously and it’s a primary focus. We’re considering a range of options for bank accounts launch (pending receiving our full banking license) - so your feedback is super helpful.

We also have this thread open too pin vs. password vs. biometrics vs others - if you’d like to see more community thoughts!