Naga Chokkanathan

Why Not? — Auto Learn (Again)

Posted on: September 27, 2011

A few weeks back, ICICI Bank introduced a new security mechanism called “OTP” or “One Time Password”. This is to prevent possible misuse of ICICI internet banking services.

In a nutshell, OTP System works like this:

Case 1

  • You use a regular computer (let us say your personal desktop, laptop or netbook) and ICICI marks it as your “Default Device”
  • When you connect to icicibank.com using this computer, you can log in straightaway with your username and password, no additional questions asked

Case 2

  • Let us say you are travelling and trying to use icicibank.com from an internet cafe (or your brother’s laptop)
  • This is treated as an ‘unusual activity’ and the bank wants to confirm there is no misuse
  • They send an SMS to you with a One Time Password
  • You need to enter this in the login screen (along with your usual User Name and Password), and only then will the system allow you to enter its banking website

When I saw this feature for the first time, it was very impressive. I searched for the word OTP and found that this is a standard security mechanism adopted by many data-sensitive websites, and I was happy to see an Indian bank implementing it.

Around the same time, I bought a new computer. I tried accessing icicibank.com from there and, obviously, the bank detected this as ‘unusual’ (because it has my old computer’s particulars as my ‘default device’), and I was asked to enter an OTP sent via SMS. I did it dutifully and felt very secure.

Guess what, after a few days this became an unnecessary irritation. As I use my new computer more and more, I wanted it to be treated as the ‘usual’ (and ‘default’) device. I wanted my bank to learn this from my usage pattern – after all, I have entered the OTP 10+ times now from this very computer, which means this new device should be a valid / acceptable one, right? Why continue the OTP process even now?

To solve this problem, the bank can provide a simple checkbox in the login / OTP screen: “Accept This Computer As An Authorized Device To Access My Bank Account”. This can’t be misused because it goes with the OTP, which is anyway the ultimate security mechanism – once I check that box, don’t send me an OTP or ask me to type one anymore on this computer.
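A toy server-side model of the flow described above (the two cases plus the proposed “remember this device” checkbox), written for this post and not ICICI’s code. It assumes the device is identified by an opaque cookie value, that the checkbox is honoured only after a correct OTP, and that a remembered device expires after a fixed period so trust is not permanent.

```python
import hmac
import secrets


class TrustedDeviceLogin:
    """Remembered ("default") devices log in with username/password only;
    any other device must also enter the OTP sent by SMS, and may then be
    remembered so the OTP is not asked again. Assumed, not from the post:
    an opaque device cookie, a trust expiry, and one guess per SMS code."""

    def __init__(self, clock, trust_ttl=90 * 24 * 3600, otp_ttl=300):
        self.clock = clock          # callable returning the current time
        self.trust_ttl = trust_ttl  # how long a remembered device stays trusted
        self.otp_ttl = otp_ttl      # how long an SMS code remains valid
        self.trusted = {}           # (user, device) -> trust expiry time
        self.pending = {}           # (user, device) -> (otp, otp expiry time)
        self.sms_outbox = []        # stand-in for the bank's SMS gateway

    def start_login(self, user, device):
        """Called after the password has already been verified. Returns 'ok'
        for a remembered device; otherwise issues an OTP and asks for it."""
        if self.trusted.get((user, device), 0) > self.clock():
            return "ok"
        otp = f"{secrets.randbelow(10**6):06d}"     # 6-digit code
        self.pending[(user, device)] = (otp, self.clock() + self.otp_ttl)
        self.sms_outbox.append((user, otp))
        return "otp_required"

    def finish_login(self, user, device, otp, remember_device):
        """Verify the OTP for this device. The device is remembered only on
        success, so the checkbox can never be used to skip the OTP itself."""
        entry = self.pending.pop((user, device), None)  # single use: one guess
        if entry is None:
            return False
        expected, expiry = entry
        if self.clock() > expiry or not hmac.compare_digest(expected, otp):
            return False
        if remember_device:
            self.trusted[(user, device)] = self.clock() + self.trust_ttl
        return True

    def forget_device(self, user, device):
        """Lets the user (or the bank, on suspected misuse) revoke a device."""
        self.trusted.pop((user, device), None)
```

A wrong or expired code discards that SMS code, so the next attempt must start again with a fresh one.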

Protecting users’ privacy and security is very important. But if we try to implement it without a focus on user interaction and simplicity, it will cause pain, frustration, resistance and finally a drop in usage.

(077)

***

N. Chokkan …

27 09 2011

1 Response to "Why Not? — Auto Learn (Again)"

//Accept This Computer As An Authorized Device To Access My Bank Account”.// This is followed in USA bank sites for setting the default device/system. I did get irritated after a certain point of time of using OTP.

Thanks
Ananth
