By late 2024, ubank found itself facing an unprecedented challenge: their security vendor was shutting down, and customers were losing millions of dollars to scams. During this critical period, I led design to transform ubank's authentication system, pioneering passkey technology in Australian banking against seemingly impossible deadlines.

To comply with my non-disclosure agreement, I have omitted confidential information in this case study. All information is my own and does not necessarily reflect the views of ubank.


The Challenge

Race against the clock

In October 2024, ubank's security infrastructure was built on borrowed time. Haventec, the third-party vendor providing our verification technology, had announced liquidation with a hard deadline of March 2025 to transition off their platform.

This wasn't merely a technical inconvenience; it was an existential threat. Without functioning login technology, ubank's digital services would become completely unusable, potentially devastating the bank's reputation and future.

The existing authentication system, built around four-digit PINs and SMS OTP verification codes, was not only becoming unavailable but was also increasingly vulnerable to sophisticated phishing scams. In November 2023 alone, ubank customers had lost a staggering $4 million to fraud.

Our challenge was clear but daunting: be the first bank in Australia to implement a completely new security system that would protect customers while ensuring a seamless transition before the hard deadline.

Pioneering new security technology

Our mission was to transition all customers onto Ping, a new authentication technology, before Haventec's shutdown. The stakes couldn't have been higher:

Building the backend to support Ping's technology took the Trojan squad (security) over 12 months before we could start migrating customers. The complexity was compounded by having to support multiple authentication mechanisms simultaneously as we transitioned customers from legacy systems.

Users would now have the choice of two new 2FA login methods: either 1) passkeys or 2) password with SMS OTP.

My role