Friday, January 02, 2015

More on compliance and inconvenience

Uber in India is now compliant with RBI regulations but has become less convenient. I actually don’t mind the 2FA (two-factor authentication) for Indian credit cards, where you have to enter a PIN when the card is used at a ‘Point of Sale’ or a one-time password (OTP) that’s sent to your phone when it is used online. It’s actually a great security solution for one-off payments. But there are situations when the 2FA becomes inconvenient, especially when you are paying at a restaurant. Then there are online services that I trust to save my credit card details for quicker transactions, like Cleartrip and Uber. While transacting with these services I'm already inside one level of trust and password security, so having to enter another password for the transaction to go through is unnecessary. Uber is a service that’s designed to have credit cards saved online and charged whenever required, so that the user need not fumble for his wallet when he reaches the destination. Uber’s philosophy is to offer a service that works like “everyone’s private driver”, but RBI’s 2FA rule just kills it. As I always say, rules are made to be followed, but they should also be allowed to be broken whenever it makes sense.

Apparently a proposal has been submitted to RBI to exempt a certain amount of rupee transactions from the 2FA. Let’s hope for the best.

I hate it when the user experience is compromised in the name of security. I feel violated as I get patted down for security checks every time I go to a movie or a mall. Security is absolutely important, but it should also be invisible.

I hate it when websites make me enter a captcha every time I do something. That’s sloppy engineering. Google doesn't ask me to enter a captcha every time I log in; it does so only when I fail to enter the right password a second time. Even the more secure ‘Google with 2-step verification’ allows me to set trusted devices so that it doesn't bug me to enter the OTP all the time. Even better, Google’s reCAPTCHA now directly asks users whether or not they are robots without forcing them to read distorted text and type it into a box.

Expiring Passwords

I hate it when online services force me to change my password every now and then for security reasons; they are seriously missing the plot. If you force me to change the password, and that too with weird rules, I’ll have to come up with something creative all the time and start writing down the passwords so that I don’t forget them. That makes it less secure.

HDFC Bank forces me to do this. They also assign a forced user name that’s difficult to remember. It’s high time they understood that the most secure accounts are the ones with a combination of username and password that the user remembers in his head. Luckily Citibank and ICICI Bank don't force me to do these things, and they have security built in at the right points, like an OTP to add a new ‘money transfer recipient’.

Security Questions

HDFC Bank also forced me to answer some security questions the first time I used their card for an online payment. The best online buying experience should end with the quickest checkout process, so the last thing I want to do during checkout is answer the payment gateway’s security questions. Once I even tried to get past that step, but I never got the security answers right. I don’t know how, but I always get the answers to the security questions wrong. It’s true that I set them up in the first place, but I forget the answers when I need them.

Usually online services ask me to answer security questions when I forget my password. But Apple asks me to answer these questions even to change my password! My Apple ID is so secure that even I can’t do anything with it. How secure is a service that doesn't allow the account owner to change the password easily?

I don’t remember Google asking me these questions at any time. They take my mobile number and an alternate email address and send me instructions to create a new password. They also periodically check with me whether this information is still valid. That’s what I call well-designed security.

PIN on Phones

The first time I set a PIN for my phone was when I joined this company with a strict BYOD security policy. The moment I set up my work email on the phone I was forced to set a PIN. From that day on my phone became super secure but inconvenient to use, as I always had to punch in that 4-digit number before doing anything with the phone. I always wondered why even I had to enter a PIN to open my own phone, but only until recently.

The sweet Lollipop update on my phone now has a ‘Smart Lock’ feature that allows me to set trusted devices, places and even faces. Now my phone doesn't ask for a PIN when it’s connected to my Android Wear watch or my car music system. This is exactly what I wanted.

Apple Pay works more or less the same way as Google Wallet in terms of user workflow, but I really like the way Apple has implemented the security part of it. Behind the scenes, Apple uses something called tokenization, which replaces the actual credit card number with a special number used for making payments, but the best part of Apple Pay is the user authentication done using ‘Touch ID’, which is far more secure and convenient than entering a 4-digit PIN.

Security should be part of the core user experience of your product and not an afterthought.
