We’d like to remind Forumites to please avoid political debate on the Forum.
This is to keep it a safe and useful space for MoneySaving discussions. Threads that are – or become – political in nature may be removed in line with the Forum’s rules. Thank you for your understanding.
📨 Have you signed up to the Forum's new Email Digest yet? Get a selection of trending threads sent straight to your inbox daily, weekly or monthly!
Strong Customer Authentication - **Now delayed** changes to online verification
Comments
-
So HSBC & First Direct are the only ones to not allow OTP to login. Definitely won't be using them for anything day-to-day then. I like that the Lloyds Group banks (and TSB) allow OTP to a landline too.0
-
So HSBC & First Direct are the only ones to not allow OTP to login. Definitely won't be using them for anything day-to-day then. I like that the Lloyds Group banks (and TSB) allow OTP to a landline too.
The EBA have declared that OTPs do not meet their security requirements for PSD2. Unfortunately, they declared this very late in the day, *after* most banks had already built their 2FA systems using OTPs.
So, expect to see more banks moving away from OTPs.0 -
HSBC and First Direct both use OTP. Specifically they use time-based OTP or TOTP using a device, which is the preferred implementation. You have the choice of activating it through their mobile app or a physical device ("secure key").So HSBC & First Direct are the only ones to not allow OTP to login. Definitely won't be using them for anything day-to-day then. I like that the Lloyds Group banks (and TSB) allow OTP to a landline too.
SMS-based OTP has had its days numbered since 2016, when the NIST pointed out its flaws. Good to see the EBA catching up at last, and eventually the FCA is bound to follow suit. The only reason it has been so widely adopted is it is convenient, but convenience is the enemy of security.0 -
Until security becomes too much, inconvenient & over the top.HSBC and First Direct both use OTP. Specifically they use time-based OTP or TOTP using a device, which is the preferred implementation. You have the choice of activating it through their mobile app or a physical device ("secure key").
SMS-based OTP has had its days numbered since 2016, when the NIST pointed out its flaws. Good to see the EBA catching up at last, and eventually the FCA is bound to follow suit. The only reason it has been so widely adopted is it is convenient, but convenience is the enemy of security.
.0 -
Will Brexit affect rollout ?
.0 -
Not unless this UK government (or a future one) independently chooses to repeal the Payment Services Regulations 2017 and I imagine they'll have somewhat bigger fish to fry....Will Brexit affect rollout ?0 -
The point I'm making is that designers of such measures won't see it as a bad thing if some users reduce, stop or change their usage of vulnerable systems as a result of tightening security as this will just reduce the potential for fraud via those systems even further.Which is the point that was being made. And some products are fast reaching that point for some of us, perhaps.
I've never supported the use of SMS for authorising transactions - that's a clear case of convenience compromising security. Contemporary email is more secure than SMS, and no less convenient, while authenticator apps are ubiquitous and much more secure, but devices must be made available to those without smartphones - and it's the inconvenience of that which has led the banks to compromise on security.0
Confirm your email address to Create Threads and Reply
Categories
- All Categories
- 351.7K Banking & Borrowing
- 253.4K Reduce Debt & Boost Income
- 454K Spending & Discounts
- 244.7K Work, Benefits & Business
- 600.1K Mortgages, Homes & Bills
- 177.3K Life & Family
- 258.3K Travel & Transport
- 1.5M Hobbies & Leisure
- 16.2K Discuss & Feedback
- 37.6K Read-Only Boards