Published on: September 11, 2025
Outdated password rules create frustration, not security. Banks need smarter, user-friendly systems.

“Strong security is key!”

“Or maybe a better system?”

This cartoon captures a reality that too many banks—and their employees—live every day. Security policies are meant to protect us. But when they’re built on outdated assumptions, they can do more harm than good.

If your people are taping passwords to monitors just to survive their workday, we’re not winning the security game. We’re just making it harder to play.

Let’s talk about how we got here—and what needs to change.

Security vs. Usability: The False Choice

Somewhere along the way, we began treating security and usability as mutually exclusive. We assumed more complexity meant more safety:

  • Mandatory password changes every 30 days.
  • 16-character minimums with mixed case, symbols, and no repeats.
  • No password reuse—ever.

The result? A frustrated workforce and a parade of sticky notes, Excel password vaults, and whispered logins.

Here’s the irony: bad usability creates bad security.

When the system gets in the way, people find workarounds. And those workarounds—like shared credentials or storing passwords in browsers—are what attackers exploit.

Real-World Pain: Where Banks Struggle Most

We once worked with a regional bank whose branch teams were required to log into six different systems daily—each with its own login, complexity rule, and timeout period. Some sessions expired every 10 minutes. One teller showed us a handwritten cheat sheet buried in a drawer. Not great.

Their IT security leader had good intentions. But the implementation turned simple tasks into a password obstacle course. Support tickets for “forgot password” requests made up 40% of their helpdesk volume.

That’s not scalable. And it’s not secure.

What Secure and Usable Actually Looks Like

Modern security doesn’t require memorizing the Rosetta Stone. The best banks are designing systems where:

1. Authentication is layered, not labored

  • MFA by default, not just by policy.
  • Biometrics or mobile push notifications where possible.
  • Risk-based authentication that adapts based on context (location, device, time of day).

2. Access is role-based and streamlined

  • Single sign-on (SSO) across internal apps.
  • Centralized identity and access management (IAM).
  • Just-in-time access for temporary needs, revoked automatically.

3. Users get smarter, not more frustrated

  • Transparent education campaigns.
  • Security training that’s realistic, not punitive.
  • Easy-to-use reporting for phishing attempts or unusual behavior.

We’ve worked with banks that implemented passwordless login for internal systems using secure tokens or smart cards. Not only did it reduce friction, but it also reduced helpdesk load and improved compliance audit scores. A win on all fronts.

Ask Yourself: Is Your Security Design Human-Centric?

Security can’t just be airtight. It needs to be human-proof—designed with people, not just policy, in mind.

Here’s a quick diagnostic:

  • Are employees creating shadow systems to bypass access hurdles?
  • Are audit findings showing credential misuse or shared logins?
  • Are users logging into more systems to do less work?

If so, you’ve got a design problem masquerading as a security problem.

Core Modernization Requires Rethinking Security

Many banks undergoing core transformation ask: “How do we build in better security?” But a better question is: “How do we build secure systems people will actually use?”

Security should be:

  • Invisible until it matters.
  • Resilient under pressure.
  • Configurable to different roles, regions, and risk appetites.

You don’t need 500 passwords. You need a system that knows when to ask for credentials—and when not to.

Building Trust Through Thoughtful Security

Ultimately, security is about trust. Your customers trust you to safeguard their data. Your employees trust you to support their workflow without creating barriers. And your regulators trust you to demonstrate control without creating chaos.

That means:

  • Automating identity and access provisioning for new hires.
  • Reviewing privileged accounts quarterly.
  • Designing core banking platforms with least privilege access and built-in audit trails.

It also means listening to your teams. If they’re overwhelmed by security tasks, it’s not a personnel issue—it’s a system design issue.

Let’s Fix Security That Feels Like Punishment

We don’t need more binders of policies. We need better user experiences that embed security into everyday banking operations.

Let’s make it easier to do the secure thing.

Because the most secure system in the world means nothing—if no one wants to use it.

Ready to Rethink Security for Your Core?

Our OptimizeCore® Assessment includes a deep dive into your security posture—from authentication flows to privilege creep. Let’s help you replace your 500-password policy with something smarter, stronger, and far more human.

Secure banking shouldn’t mean suffering. Let’s make security work for people—not against them.
