Banks that use TOTP or hardware 2FA instead of SMS?

calvin1719

Are there any banks in India that don't rely on SMS OTPs for online transactions, both purchases as well as net banking? Or is SMS OTP legally mandated?

SMS delivery is spotty at best, and I mostly don't have any network reception anyway at my place. It's really aggravating to have to wait ages for an SMS to be delivered to login or complete a payment. Any suggestions on which banks are not living in 1999 would be appreciated.
 
> Are there any banks in India that don't rely on SMS OTPs for online transactions, both purchases as well as net banking? Or is SMS OTP legally mandated?
>
> SMS delivery is spotty at best, and I mostly don't have any network reception anyway at my place. It's really aggravating to have to wait ages for an SMS to be delivered to login or complete a payment. Any suggestions on which banks are not living in 1999 would be appreciated.

You can opt for 2fa. I guess yesbank internet banking offers it. Basically you need to have an app on your mobile which generates code that can be used
 
SMS OTP is also 2FA, it's just worse 2FA for a multitude of reasons.

A bit wary of Yes Bank, given their troubles recently. What about the other major private players, or public ones for that matter?
 
SBI has its SBI secure app for 2fa codes, but the reviews are not that promising,
lots of users reporting issues.

PNB has their PNB Verify app,
it's more like Steam authenticator rather than giving codes, need to accept or reject transaction,
similar issues reported in reviews
 
Yes, my current bank, Kotak, also has their own app to verify online login. But I'm puzzled as to why all of these banks are reluctant to adopt TOTP/hardware key backed TFA. I shouldn't need to install another app just to get 2FA, and I'm also not convinced about the security of their infrastructure. the security of the implementation of these systems.
 
> Yes, my current bank, Kotak, also has their own app to verify online login. But I'm puzzled as to why all of these banks are reluctant to adopt TOTP/hardware key backed TFA. I shouldn't need to install another app just to get 2FA, and I'm also not convinced about the security of their infrastructure. the security of the implementation of these systems.

i had an hsbc cc with hardware otp key device with inbuilt battery. i had to use that device to login to my hsbc bank or cc account. it was a big fail imo. sometimes the otp number it generated didn't work and you'd have to hit the button 2-3 times to get a working key. 2nd worst was you had to keep that device with you always. it was a huge headache honestly. this was ~20 years back when these sms otp was new. Worst part - if the battery in it failed, you had to send it back to bank or go to the bank and wait for a week to get a replacement. i broke it after i closed that bank account and it used the same battery as pc mobo cr2032 battery in it. So no wonder banks are reluctant to do such hardware thingies. They are not fail safe and if they have thousands of devices piling up due to some bug or failure, it is additional costs and wastage of time.
 
> i had an hsbc cc with hardware otp key device with inbuilt battery. i had to use that device to login to my hsbc bank or cc account. it was a big fail imo. sometimes the otp number it generated didn't work and you'd have to hit the button 2-3 times to get a working key. 2nd worst was you had to keep that device with you always. it was a huge headache honestly. this was ~20 years back when these sms otp was new. Worst part - if the battery in it failed, you had to send it back to bank or go to the bank and wait for a week to get a replacement. i broke it after i closed that bank account and it used the same battery as pc mobo cr2032 battery in it. So no wonder banks are reluctant to do such hardware thingies. They are not fail safe and if they have thousands of devices piling up due to some bug or failure, it is additional costs and wastage of time.

I had the same device. HSBC no longer provides that device. Banks should just provide and support the protocol. Ask users to buy devices like yubikey for additional security.
 
No banks use standard TOTP protocols.

The reason being that approvals for these implementations are handled by non-technical people. These people think obscurity is security and open implementations are vulnerable because everyone knows the algorithm. So since TOTP is an open standard, they think it's less secure. Hence they create their own algorithm and app.

I have no hopes that banks will move to standard TOTPs. So you either live with SMS, or use the bank's application.
 
> i had an hsbc cc with hardware otp key device with inbuilt battery. i had to use that device to login to my hsbc bank or cc account. it was a big fail imo. sometimes the otp number it generated didn't work and you'd have to hit the button 2-3 times to get a working key. 2nd worst was you had to keep that device with you always. it was a huge headache honestly. this was ~20 years back when these sms otp was new. Worst part - if the battery in it failed, you had to send it back to bank or go to the bank and wait for a week to get a replacement. i broke it after i closed that bank account and it used the same battery as pc mobo cr2032 battery in it. So no wonder banks are reluctant to do such hardware thingies. They are not fail safe and if they have thousands of devices piling up due to some bug or failure, it is additional costs and wastage of time.
>
> I had the same device. HSBC no longer provides that device. Banks should just provide and support the protocol. Ask users to buy devices like yubikey for additional security.

HSBC imho is an outdated bank. I too received the token device though it worked good until they shifted to a new pin app and now their own app has that pin gen thing.
But I used to use such rsa token device thing back in 2k6 or so.
They have every weekend downtime for a brief period as if they are doing some patch management.

Worse about HSBC is, if for some reason your phone conks off, you won't be able to register/login to their netbanking app. You have to call their cc and provide the reason etc.
This isn't the issue with other banks except SBI whose yoni is always closed with tons of false issues.
And as for TOTP or hardware 2FA instead of SMS, I now feel there should be an alternative than sms as these days the sms either arrives or doesn't or we need to keep retrying until we receive bulk otps out of which only the latest one works.
Few years ago sms otp thing was bliss..used to receive it within 0.5sec.
 
> HSBC imho is an outdated bank. I too received the token device though it worked good until they shifted to a new pin app and now their own app has that pin gen thing.
> But I used to use such rsa token device thing back in 2k6 or so.
> They have every weekend downtime for a brief period as if they are doing some patch management.
>
> Worse about HSBC is, if for some reason your phone conks off, you won't be able to register/login to their netbanking app. You have to call their cc and provide the reason etc.
> This isn't the issue with other banks except SBI whose yoni is always closed with tons of false issues.

Bruh our corporate cards moved from Citi to HSBC and I’ve never detested a bank more. Failed card payments are so common, even when I pre inform them of my travels.
In between they were expiring my card pin every 2 weeks - like what the **** HSBC ? Absolutely rubbish bank.
 
> Bruh our corporate cards moved from Citi to HSBC and I’ve never detested a bank more. Failed card payments are so common, even when I pre inform them of my travels.
> In between they were expiring my card pin every 2 weeks - like what the **** HSBC ? Absolutely rubbish bank.

Glad my co. parted away with HSBshii! But I still hold their CCs and savings a/c and they don't even have atms in Pune city except for the only one in their city's main branch. How pity! But they say one can withdraw ultd. times from any bank, lol!
 
> I had the same device. HSBC no longer provides that device. Banks should just provide and support the protocol. Ask users to buy devices like yubikey for additional security.

All these banks get fits when people enable developer mode on their android phones. doubt they'll allow yubikey or anything unknown to them.

> No banks use standard TOTP protocols.
>
> The reason being that approvals for these implementations are handled by non-technical people. These people think obscurity is security and open implementations are vulnerable because everyone knows the algorithm. So since TOTP is an open standard, they think it's less secure. Hence they create their own algorithm and app.
>
> I have no hopes that banks will move to standard TOTPs. So you either live with SMS, or use the bank's application.

exactly. these things are often outsourced to the same 2-3 vendors like infosys or tata or someone else. the backend is same but the ui is different for each bank. algorithm could change but not by much.
 