Recently Intesa Sanpaolo (born from a merger between Banca Intesa and Istituto San Paolo) moved its Internet banking authentication system from password-based to one-time-password-based access.
They sell that “innovation” – as always happens in the ICT business – as a major increase in IT security and therefore as a benefit for the customer, but if you think about it for a while this is not entirely true. Or – better – it might be true from the perspective of a marketing manager. But it is not from the customer’s standpoint.
An average person already carries a mobile phone, a PDA, a car electronic key, a garage remote and an alarm-system dongle (and, when traveling, a laptop and all the battery chargers). Now, with an OTP pad, when you move from home to work you have to carry that pad as well, and the same when coming back. And if you leave for a trip (work or leisure) you still need to take this uncomfortable piece of plastic with you, otherwise you can’t access your bank account. I’m not sure people are really so eager for another geek gadget that makes life more complicated.
Using OTP like that is a clear example of what happens when things are not looked at from a global, customer-oriented perspective.
IT security guys are happy, because they have less trouble with phishing and dumb users. Marketing guys are happy because they can claim in the media and in advertising that “the system is secure”. Legal dept. guys are happy too: they are no longer involved in useless and time-consuming criminal investigations or user complaints.
The price paid for the security enhancement is a possibly “disturbing” user experience, and this leads to the point. Current security models are far more focused on “protection” than on “business promotion”. Of course nobody can complain if security does its job. But maybe marketing should be more aware of how to give security a friendly look.