My Superannuation Fund Still Uses Password-Only Security in 2025

April 6, 2025

I logged into AustralianSuper this morning after Friday's breach. What I discovered left me genuinely concerned.

No multi-factor authentication option. Anywhere. In 2025.

Their "security solution" was basic SMS verification, a method security experts abandoned years ago as fundamentally vulnerable.

This isn't just disappointing - it's potentially negligent.

The most alarming part isn't the technical shortfall. It's the deafening silence from AustralianSuper's leadership. Cyber incidents need careful investigation. A core step is customer communication. Protective measures should be shared immediately and clearly.

For an institution safeguarding billions in retirement savings, this feels stuck in 2010. Phishing-resistant authentication isn't a luxury feature. It's the standard for financial services in 2025.

The industry benchmark has moved well beyond passwords and SMS. Authenticator apps, YubiKeys, and biometric verification have become standard practice for protecting accounts, and they are especially critical where sensitive financial data is involved.

A few years back, when I briefly switched to BankSA, they only supported a 12-character password! Password length isn't something we should be limiting people on!

This security gap exists despite repeated warnings from cybersecurity professionals and regulatory guidance. The Australian Cyber Security Centre has emphasised phishing-resistant MFA for years. It's in the Essential 8!

This isn't just about protecting my retirement savings - it's about institutional responsibility. If basic security hygiene is being overlooked, what other vulnerabilities might exist in their systems?

Has anyone else received communications from their super fund about this incident? What security options does your provider offer beyond simple passwords?