In Australia and New Zealand, authentication has reached a turning point.
Banking apps, telco platforms, superannuation portals, and digital health records, organisations are under increasing pressure to secure user accounts without introducing friction. The challenge? Balancing rising user expectations with increasingly sophisticated threats.
Cybercrime losses in Australia exceeded A$3.1 billion in 2024 alone, with scams often exploiting weaknesses in SMS one-time passwords or outdated credential systems. Meanwhile, users expect login flows to be fast, private, and seamless working across services with minimal interruptions.
Despite sectoral differences, a unified theme is emerging across financial services, telecom, retail, and insurance: authentication experiences are falling short of what modern users now expect.
In banking, users appreciate strong protections, but frequent logouts and repeated SMS OTP prompts for routine actions are a source of friction. Telecom customers expect biometric access for daily use, though they’re generally more accepting additional checks for SIM swaps. Retail and loyalty app users want authentication to stay invisible unless something goes wrong. And in healthcare and insurance, users want stronger protection, but only if it doesn’t mean retyping passwords every time, they check a policy or appointment.
What’s Driving the Shift
The market is decisively moving beyond passwords and OTPs. Biometrics has become the default across many ANZ mobile apps, trusted by both users and regulators. Passkeys are gaining traction, offering phishing-resistant login with no passwords at all. And national initiatives like Australia’s Trusted Digital Identity Framework (TDIF) are accelerating the push for unified, reusable identity.
As banks offer insurance, telcos bundle wallets, and super apps span multiple services, authentication needs to follow the user does not trap them in silos.
Designing for the Future of Identity
Modern identity frameworks increasingly anchor trust to the user’s device, not a central server. This enables secure biometric validation that’s faster and more private. Identity can be recovered without starting over, and cross-app federation is possible without redundant onboarding.
This shift doesn’t eliminate the need for traditional comparisons, but it reframes them. Here’s how emerging approaches differ from legacy login models:
| Feature | Traditional Login | V-Key ID |
| Biometric data | Cloud-stored or shared | In-app |
| Passwords or OTPs | Required | None |
| Tamper resistance | Basic | V-OS® Virtual Secure Element |
| SIM swap protection | Weak (SMS OTP) | Strong (in-app biometrics) |
| App-to-app login reuse | Not supported | Seamless |
| Integration | Complex, multi-step | Simple, single-call API |
From Compliance to Experience-Driven Design
Security teams today must think beyond encryption and controls, they’re shaping customer journeys. Users may never know whether their app supports SafetyNet or device attestation, but they’ll remember if login was fast, if their identity was preserved during a device switch, or if their loyalty points were stolen after a SIM swap.
For many organisations, the most scalable approach is adopting authentication models that:
- Verify identity locally on the device
- Secure login flows without passwords or SMS
- Harden apps against tampering and runtime attacks
- Enable re-authentication across services without re-registration
These aren’t just technical improvements, they’re strategic differentiators. In regulated industries especially, the ability to deploy phishing-resistant, privacy-preserving authentication without overhauling existing infrastructure is now a baseline requirement.
