Trusted Device and OTP Suggestions





Post by barry »

Hi Admin,

You guys are doing amazing work with the Cyclos4 mobile app, however, I have two suggestions that I want to make.
The first suggestion has to do with the Trusted Device feature. I believe the idea is to add another layer of security (two factor) to protect the user without compromising ease of access and use. However, observation and trials I have carried out reveal that the user is not protected by this feature.

I logged into my account on another device and I was advised to activate the device as a Trusted Device to confirm sensitive operations like payments… but I ignored that but guess what, I was able to do the following:
• Change password
• Disable SMS notifications to the mobile number on the first device
• Perform a transfer
• Updated profile including changing mobile number on the account.

Meanwhile, the mobile app channel has been configured to “Require authentication for confirming operations with a trusted device”.
I proceeded to activate the device as a Trusted Device and the code was sent to the mobile number in the first Trusted Device. If I had changed the mobile number or disabled it, the code would have been sent to the new mobile number and I could take over the account completely.
I believe that the Trusted Device feature is meant to further secure the user and enhance the user’s experience, but if a fraudster can access the user’s account on another device and, without activating the Trusted Device feature, can perform sensitive operations like those listed above, then this feature fails to achieve its purpose. At least on the new device which has not been activated as a Trusted Device, the user should not be able to perform sensitive operations until the device is activated as a Trusted Device.

My second observation has to do with the presentation of the OTP on the mobile app. I believe that the presentation of the OTP can be improved to give users a better experience. How?
• The OTP form/page should be separated from the payment form/page
• The process should be similar to that of the online channel as outlined below:
Page 1: User initiates the payment
Page 2: User reviews the payment details
Page 3: User makes the payment, then
Pop Up: User is asked to generate and enter an OTP to complete the payment.

As a long standing Cyclos user, these are my humble suggestions.

Many thanks,
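The gating logic the post argues for, modelled as an added example (not code from the original post and not Cyclos's own implementation; every name, policy label and sample value below is a hypothetical construction). It replays the sequence barry describes on a second, untrusted device under two policies: the channel setting quoted above, where a confirmation is required only on a trusted device, and the suggested fix, where sensitive operations are refused until the device is activated. It also shows why the fix matters for the activation code itself: if the mobile number can be changed from the untrusted device first, the activation OTP is delivered to the new number.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Operations the post lists as sensitive (labels are hypothetical).
SENSITIVE_OPS = {"change_password", "disable_sms_notifications",
                 "transfer", "change_mobile_number"}


@dataclass
class Account:
    user: str
    mobile: str                                    # number that receives OTPs
    trusted_devices: set[str] = field(default_factory=set)


def authorize(account: Account, device_id: str, op: str, policy: str) -> str:
    """Return 'allowed' or 'denied' for one operation on one device.

    'confirm_on_trusted_only' models the channel setting quoted in the post:
    a confirmation step applies to trusted devices, so a device that was
    never activated is not challenged at all.
    'block_until_trusted' is the suggested fix: sensitive operations on a
    device that is not trusted are refused until it is activated.
    """
    if op not in SENSITIVE_OPS:
        return "allowed"
    trusted = device_id in account.trusted_devices
    if policy == "confirm_on_trusted_only":
        return "allowed"            # no trust check for the untrusted device
    if policy == "block_until_trusted":
        return "allowed" if trusted else "denied"
    raise ValueError(f"unknown policy {policy!r}")


def apply_op(account: Account, device_id: str, op: str, policy: str,
             arg: str | None = None) -> str:
    """Authorize, then apply the side effect the post is worried about."""
    decision = authorize(account, device_id, op, policy)
    if decision == "allowed" and op == "change_mobile_number":
        account.mobile = arg        # the OTP channel is now the new number
    return decision


def activation_otp_target(account: Account) -> str:
    """Trusted-device activation sends the code to the number on record."""
    return account.mobile


def run_scenario(policy: str) -> dict:
    """Replay the post's sequence on a second, untrusted device.
    All account data here is constructed sample data."""
    acct = Account(user="sample-user", mobile="+00-original",
                   trusted_devices={"phone-1"})
    untrusted_device = "phone-2"
    results = {}
    for op, arg in [("change_password", None),
                    ("disable_sms_notifications", None),
                    ("transfer", None),
                    ("change_mobile_number", "+00-replaced")]:
        results[op] = apply_op(acct, untrusted_device, op, policy, arg)
    results["activation_otp_sent_to"] = activation_otp_target(acct)
    return results


if __name__ == "__main__":
    for policy in ("confirm_on_trusted_only", "block_until_trusted"):
        print(policy, run_scenario(policy))
```

Under the first policy every operation on the untrusted device succeeds and the activation code would go to the replaced number; under the second, each sensitive operation is denied and the code still goes to the number that was on record, which is the property the post asks for.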