OTP hell – when security is bureaucratized

3 points by yashg ↗ HN
This is an experience with India's largest public bank, SBI. SBI takes security very seriously. Let's see how

One day I log into my online banking account. I enter my username and password and captcha - OTP on mobile verification Your password has expired, set new password - OTP verification Your password has been changed, thank you. Please login again. I login again - OTP verification

You just verified me once by sending me the OTP after my first login, why do you need another OTP for setting the new password which you are forcing on me in the "same session" and after I change the password, why are you forcing me to login again?

What happens next, will leave you exhausted.

The system shows me my obfuscated email id and asks me if I want to verify if that is still my email id. (Because normal people change their email id every month right?) I click yes. (If I don't they may stop my Net Banking access anytime in future. With SBI anything is possible) First enter profile password. (It's different from login password) Then you confirm the email id. Next, they send an OTP to your email, the OTP is inside a password protected PDF! (I kid you not) Password of the PDF file? YOUR MOBILE NUMBER! So you open the PDF, get the OTP, it's an 8 digit number which can't be pasted in the OTP field. (You don't say!) You enter email OTP

Next step, one more confirmation - Via debit card - Physically visiting the branch - OTP on mobile via SMS So I choose the least cumbersome option - OTP Enter the OTP received on phone and finally the Machine Overlords of SBI are satisfied and confirm my email id.

World may still be grappling with Two Factor Authentication, SBI has perfected the art of N-Factor Authentication.

At some point in time, some bureaucrat came across a Captcha and an OTP and immediately fell in love. "I want this" he said. And then it was implemented at every stage in every government website. Often multiple times, because "security".

0 comments

[ 2.5 ms ] story [ 11.7 ms ] thread

No comments yet.