Banks that use TOTP or hardware 2FA instead of SMS?

calvin1719

calvin1719

Mostly harmless.
Adept
Are there any banks in India that don't rely on SMS OTPs for online transactions, both purchases as well as net banking? Or is SMS OTP legally mandated?

SMS delivery is spotty at best, and I mostly don't have any network reception anyway at my place. It's really aggravating to have to wait ages for an SMS to be delivered to login or complete a payment. Any suggestions on which banks are not living in 1999 would be appreciated.
 
calvin1719 said:
Are there any banks in India that don't rely on SMS OTPs for online transactions, both purchases as well as net banking? Or is SMS OTP legally mandated?

SMS delivery is spotty at best, and I mostly don't have any network reception anyway at my place. It's really aggravating to have to wait ages for an SMS to be delivered to login or complete a payment. Any suggestions on which banks are not living in 1999 would be appreciated.
Click to expand...
You can opt for 2fa. I guess yesbank internet banking offers it. Basically you need to have an app on you mobile which generates code that can be used
 
SMS OTP is also 2FA, it's just worse 2FA for a multitude of reasons.

A bit wary of Yes Bank, given their troubles recently. What about the other major private players, or public ones for that matter?
 
SBI has its SBI secure app for 2fa codes, but the reviews are not that promising,
lots of users reporting issues.
apps.apple.com

‎SBI Secure OTP

‎SBI Secure OTP is an OTP generation App for verifying or authenticating online banking transactions done through SBI Internet Banking and Yono Lite SBI App. Customer can generate Online OTP through this app with Internet connection. One time registration with your INB credentials is required...
apps.apple.com
play.google.com

SBI Secure OTP – Apps on Google Play

OTP generation App for SBI Internet Banking and Yono Lite SBI app users.
play.google.com play.google.com

PNB has their PNB Verify app,
its more like steam authenticator rather than giving codes, need to accept or reject transaction,
similar issues reported in reviews
apps.apple.com

‎PNB Verify

‎Punjab National bank offers PNB Verify application for providing additional security to authenticate financial and certain non-financial transactions initiated through Internet Banking channel or through Debit Card (e-comm). Customer shall be able to verify (Accept or Reject) IBS or Card...
apps.apple.com
play.google.com

PNB Verify – Apps on Google Play

Application to verify your Transactions initiated from PNB Retail and Debit card
play.google.com play.google.com
 
Yes, my current bank, Kotak, also has their own app to verify online login. But I'm puzzled as to why all of these banks are reluctant to adopt TOTP/hardware key backed TFA. I shouldn't need to install another app just to get 2FA, and I'm also not convinced about the security of their infrastructure. the security of the implementation of these systems.
 
calvin1719 said:
Yes, my current bank, Kotak, also has their own app to verify online login. But I'm puzzled as to why all of these banks are reluctant to adopt TOTP/hardware key backed TFA. I shouldn't need to install another app just to get 2FA, and I'm also not convinced about the security of their infrastructure. the security of the implementation of these systems.
Click to expand...
i had an hsbc cc with hardware otp key device with inbuilt battery. i had to use that device to login to my hsbc bank or cc account. it was a big fail imo. sometimes the otp number it generated didnt work and you'd have to hit the button 2-3 times to get a working key. 2nd worst was you had to keep that device with you always. it was a huge headache honestly. this was ~20 years back when these sms otp was new. Worst part - if the battery in it failed, you had to send it back to bank or go to the bank and wait for a week to get a replacement. i broke it after i closed that bank account and it used the same battery as pc mobo cr2032 battery in it. So no wonder banks are reluctant to do such hardware thingies. They are not fail safe and if they have thousands of devices piling up due to some bug or failure, it is additional costs and wastage of time.
 
6pack said:
i had an hsbc cc with hardware otp key device with inbuilt battery. i had to use that device to login to my hsbc bank or cc account. it was a big fail imo. sometimes the otp number it generated didnt work and you'd have to hit the button 2-3 times to get a working key. 2nd worst was you had to keep that device with you always. it was a huge headache honestly. this was ~20 years back when these sms otp was new. Worst part - if the battery in it failed, you had to send it back to bank or go to the bank and wait for a week to get a replacement. i broke it after i closed that bank account and it used the same battery as pc mobo cr2032 battery in it. So no wonder banks are reluctant to do such hardware thingies. They are not fail safe and if they have thousands of devices piling up due to some bug or failure, it is additional costs and wastage of time.
Click to expand...
I had the same device. HSBC no longer provides that device. Banks should just provide and support the protocol. Ask users to buy devices like yubikey for additional security.
 
No banks use standard TOTP protocols.

The reason being that approvals for these implementatios are handled by non-technical people. These people think obscurity is security and open implementations are vulnerable because everyone knows the algorithm. So since TOTP is an open standard, they think it's less secure. Hence they create their own algorithm and app.

I have no hopes that banks will move to standard TOTPs. So you either live with SMS, or use the bank's application.
 
6pack said:
i had an hsbc cc with hardware otp key device with inbuilt battery. i had to use that device to login to my hsbc bank or cc account. it was a big fail imo. sometimes the otp number it generated didnt work and you'd have to hit the button 2-3 times to get a working key. 2nd worst was you had to keep that device with you always. it was a huge headache honestly. this was ~20 years back when these sms otp was new. Worst part - if the battery in it failed, you had to send it back to bank or go to the bank and wait for a week to get a replacement. i broke it after i closed that bank account and it used the same battery as pc mobo cr2032 battery in it. So no wonder banks are reluctant to do such hardware thingies. They are not fail safe and if they have thousands of devices piling up due to some bug or failure, it is additional costs and wastage of time.
Click to expand...

TinTinSnowy said:
I had the same device. HSBC no longer provides that device. Banks should just provide and support the protocol. Ask users to buy devices like yubikey for additional security.
Click to expand...
HSBC imho is an outdated bank. I too received the token device though it worked good until they shifted to a new pin app and now their own app has that pin gen thing.
But I sued to use such rsa token device thing back in 2k6 or so.
They have every weekend downtime for a brief period as if they are doing some patch management.

Worse about HSBC is, if for some reason your phone conks off, you won't be able to register/login to their netbanking app. You have to call their cc and provide the reason etc.
This isnt the issue with other banks except SBI whose yoni is always closed with tons of false issues.
And as for TOTP or hardware 2FA instead of SMS, I now feel there should be an alternative than sms as these days the sms wither arrives or doesn't or we need to keep retrying until we receive bulk otps out of which only the latest one works.
Few years ago sms otp thing was bliss..used to receive it within 0.5sec.
 
nRiTeCh said:
HSBC imho is an outdated bank. I too received the token device though it worked good until they shifted to a new pin app and now their own app has that pin gen thing.
But I sued to use such rsa token device thing back in 2k6 or so.
They have every weekend downtime for a brief period as if they are doing some patch management.

Worse about HSBC is, if for some reason your phone conks off, you won't be able to register/login to their netbanking app. You have to call their cc and provide the reason etc.
This isnt the issue with other banks except SBI whose yoni is always closed with tons of false issues.
Click to expand...

Bruh our corporate cards moved from Citi to HSBC and I’ve never detested a bank more. Failed card payments are so common, even when I pre inform them of my travels.
In between they were expiring my card pin every 2 weeks - like what the **** HSBC ? Absolutely rubbish bank.
 
alekhkhanna said:
Bruh our corporate cards moved from Citi to HSBC and I’ve never detested a bank more. Failed card payments are so common, even when I pre inform them of my travels.
In between they were expiring my card pin every 2 weeks - like what the **** HSBC ? Absolutely rubbish bank.
Click to expand...
Glad my co. parted away with HSBshii! But I still hold their CCs and savings a/c and they don't even have atms in Pune city except for the only one in their city's main branch. How pity! But they say one can withdraw ultd. times from any bank, lol!
 
TinTinSnowy said:
I had the same device. HSBC no longer provides that device. Banks should just provide and support the protocol. Ask users to buy devices like yubikey for additional security.
Click to expand...
All these banks get fits when people enable developer mode on their android phones. doubt they'll allow yubikey or anything unknown to them.

gourav said:
No banks use standard TOTP protocols.

The reason being that approvals for these implementatios are handled by non-technical people. These people think obscurity is security and open implementations are vulnerable because everyone knows the algorithm. So since TOTP is an open standard, they think it's less secure. Hence they create their own algorithm and app.

I have no hopes that banks will move to standard TOTPs. So you either live with SMS, or use the bank's application.
Click to expand...
exactly. these things are often outsourced to the same 2-3 vendors like infosys or tata or someone else. the backend is same but the ui is different for each bank. algorithm could change but not by much.
 
Back
Top