Bureau Pleads Guilty
(Bureau News) - In a shocking development, Bureau today stepped forward to claim responsibility for the mass disappearance of nearly 3 million SMS OTPs (One-Time Passwords) as of the time of reporting.
An avid user of the MyGlamm app, one of India's largest beauty brands that recently received funding from Amazon, was among the first to notice the disappearance of the SMS OTP.
She said, "It was strange. I tried to log in the usual way to catch the monthly sale. I got as far as entering my phone number, and a second later I was directed straight into the app. There was no SMS OTP at all." Suspicious, she called the MyGlamm hotline. A customer service representative assured her that the experience was deliberate.
Further investigation revealed that the same phenomenon had emerged for users of the audio streaming app PocketFM and the agritech app Farmart. Other affected brands include a neobank, an insurance app, fintechs and various service providers that declined to be named.
An employee of the neobank who spoke on condition of anonymity had this to say, "Many of our users complained of issues with SMS OTP. High drop offs led to immense user frustration. We lost some potentially good users due to login issues. Then we heard tell of a startup that could 'take care' of the problem for us. They did and we don't regret it."
An industry insider commented, "Since early January 2021, we have noticed a sharp downward spike in the issuing of SMS OTPs, correlated with an almost 20% increase in active mobile app users."
SMS OTPs have long been the traditional method of verifying that a mobile user is who she says she is. Liberally used across social media apps (LinkedIn, Facebook), banking apps, streaming apps and retail apps, they have made many of us all too familiar with the 6-digit numerical codes that grant us entry to our favourite apps. Billions of OTPs ping back and forth through our networks every day.
The Bureau PR team issued the statement below:
"Bureau acknowledges that the loss of the SMS OTP during the login flow has come as a pleasant shock for many. We felt that we did what was in the best interest of the global mobile user community. Our actions have saved almost 600 million minutes of precious time for mobile users.
For years, we watched in silence as many users suffered from PTSD (Post Traumatic SMS Disorder). Stories of how innocent people were denied access to their accounts for no reason, other than failure to receive an SMS. Heartbreaking situations where mobile phones were flung across rooms and smashed to smithereens due to frustrated users waiting for OTPs.
This must stop. We have ended the tyranny of SMS OTP starting with user login, in the safest and most humane way possible. Please refer to OneTapLogin for details."
Ram, a long-time employee of Bureau (names have been changed for protection), gave us some insight into how Bureau carried out its methodical elimination. He explained that OTPs for login are common because they are treated as the standard for secure account protection: the user is verified with "2-factor authentication" (2FA), which combines (1) something the user knows and (2) something the user has. In the case of SMS OTPs the phone number is really just the identifier for the account, and the OTP proves factor (2): the code is delivered to whichever SIM currently holds that number, so entering it demonstrates possession of the SIM.
Smooth service depends on timely delivery of the OTP. An SMS can take anywhere between 10 and 30 seconds to arrive depending on the network, and the recipient then has to enter the OTP correctly to pass authentication. However, there are ways in which account security can still be breached. For example, in what is known as a phishing attack, users can be tricked into revealing their SMS OTPs by unscrupulous people who then use the code to access personal accounts; the server only sees a correct code, not who typed it. Interception attacks are also possible, where attackers obtain the OTP in transit (for example through a SIM swap or the telco signalling network) to gain unauthorised access.
OneTapLogin removes all the friction and risk attached to SMS OTPs. All the user needs to do is enter her phone number and agree to log in. Instead of proving possession of the number by round-tripping an OTP, we go one step further. Our technology checks that the phone number, the mobile device (its SIM) and the user's IP address match against the live telco (Mobile Network Operator) registry. Essentially, it means that anyone who wants to access your account needs to physically gain access to your phone, bypass all the other security controls required, and only then try to access the app in question.
The entire authentication process takes less than 2 seconds before users are logged in.
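To make the SMS OTP mechanics Ram describes concrete, here is a minimal OTP issuer and verifier in Python. This is an added illustration, not Bureau's or OneTapLogin's code, and not code from the original article. The 300-second validity window, the three-attempt limit, the server-side HMAC of the code and the in-memory "outbox" standing in for an SMS gateway are all assumptions for illustration; the phone numbers are constructed sample data. The last function plays out the phishing scenario from the article: because verification only ever sees a correct, unexpired code, a code relayed through a fake page is accepted just like one typed by the real user.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6          # the familiar 6-digit code
OTP_TTL_SECONDS = 300   # assumed validity window; real services vary
MAX_ATTEMPTS = 3        # assumed guess limit before the challenge is discarded


@dataclass
class Challenge:
    # Only an HMAC of the code is kept server-side; the plaintext goes out over SMS.
    tag: bytes
    expires_at: float
    attempts: int = 0


class SmsOtpService:
    """Issues and verifies SMS OTPs. verify() only ever sees (phone, code);
    it has no way to tell who typed the code or where it came from."""

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key
        self._clock = clock                               # injectable so expiry can be tested offline
        self._pending: dict[str, Challenge] = {}
        self.sms_outbox: list[tuple[str, str]] = []       # stand-in for the SMS gateway

    def _tag(self, phone: str, code: str) -> bytes:
        return hmac.new(self._key, f"{phone}:{code}".encode(), "sha256").digest()

    def issue(self, phone: str) -> None:
        # secrets, not random: the code must be unpredictable.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[phone] = Challenge(self._tag(phone, code), self._clock() + OTP_TTL_SECONDS)
        self.sms_outbox.append((phone, code))             # "delivered" to whichever SIM holds the number

    def verify(self, phone: str, code: str) -> bool:
        ch = self._pending.get(phone)
        if ch is None:
            return False
        if self._clock() > ch.expires_at:
            del self._pending[phone]                      # expired: force a fresh challenge
            return False
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self._pending[phone]                      # too many guesses: discard the challenge
            return False
        if hmac.compare_digest(ch.tag, self._tag(phone, code)):
            del self._pending[phone]                      # single use
            return True
        return False


def last_sms_for(service: SmsOtpService, phone: str) -> str:
    """What the handset holding `phone` sees: the most recent code sent to it."""
    return [code for to, code in service.sms_outbox if to == phone][-1]


def phishing_relay(service: SmsOtpService, victim_phone: str) -> bool:
    """Constructed phishing scenario: the attacker starts a login for the victim's
    number, the victim reads the genuine SMS and types the code into the attacker's
    fake page, and the attacker submits it. The service accepts it because a correct,
    unexpired code is all it checks."""
    service.issue(victim_phone)                                        # attacker triggers the SMS
    code_typed_into_fake_page = last_sms_for(service, victim_phone)   # victim hands it over
    return service.verify(victim_phone, code_typed_into_fake_page)    # attacker is logged in


if __name__ == "__main__":
    svc = SmsOtpService(secrets.token_bytes(32))
    svc.issue("+919999000001")                                         # constructed sample number
    print("legit login:", svc.verify("+919999000001", last_sms_for(svc, "+919999000001")))
    print("relayed code accepted:", phishing_relay(svc, "+919999000002"))
```

The expiry, single-use and attempt-limit checks are what a careful SMS OTP deployment adds on top of the bare code; none of them helps against the relay, which is the point of the article's phishing example.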
While none of the Bureau team showed any remorse for the loss of so many SMSes, they believe that in time more people will come around to embracing the security of OneTapLogin over OTP, and that better methods of authentication will replace SMS in user flows, including transaction approvals.