Viewing 10 posts - 1 through 10 (of 10 total)
Should I be able to log into my ISA without knowing my password?

    thegeneralist
    Free Member

    When I log into my ISA, I get asked for three random digits from my password. Weirdly enough, I managed to set my password wrongly when I set up the account, so I don’t actually know the last digit of my password.

    Whenever it asks me for that digit on logon/trade I just click cancel and it asks for another 3 random characters (which would generally not include the last digit, but if they do I just press cancel again to regenerate). I type in the password and continue.

    This idea that I essentially get to choose which digits of my password I supply (or, strictly speaking, the ones I don’t supply) seems inherently insecure. I thought the whole point of these partial passwords was that you are never typing in your full password, and hence anyone observing you (physically or electronically) has very little chance of gaining the info they need to supply the requested digits when they try to log in themselves. If you give them the option of declining requests repeatedly until they get asked for the password they DO know, then surely that is less secure…

    Clearly the scenario I have painted isn’t too much of an issue given the numbers involved. But the principle remains true, and becomes more likely if, for example, someone observed 6 characters out of a 12-digit password.

    Whaddaya think?

    jimdubleyou
    Full Member

    The idea is that if you ever have to authenticate yourself to a person, that person won’t instantly know all of your password.

    It also means that, should your computer be compromised (by means of a keylogger, for instance), the baddie won’t get your whole password.

    The fact you don’t have to provide all of it each time is inherently a good thing; it’s just been poorly implemented by your ISA provider. I think the SCA rules mean you should be asked for the same characters until you get them right, but I could easily be wrong on that.

    thegeneralist
    Free Member

    Hi Jim,
    Yes indeed, that’s what I think. Just spoke to them on the phone and they weren’t bothered.

    Just tried my current account bank logon and it solidly requested the same three digits regardless of me retrying. Even on a different browser.

    Then when I tried on my phone it got fed up and locked me out for ten minutes… Much better.

    thegeneralist
    Free Member

    I think the SCA rules mean you should be asked for the same characters until you get them right, but I could easily be wrong on that.

    Had a quick Google, but didn’t find it. Be cool if you did have info.

    Then when I tried on my phone it got fed up and locked me out for ten minutes…

    When the lock expired and I tried to log in again from my phone, it was most insistent that I supply the three digits it originally asked for 20 minutes ago on my initial Chrome session. Good old the current account bank.

    footflaps
    Full Member

    I think the SCA rules mean you should be asked for the same characters until you get them right, but I could easily be wrong on that.

    My ISA does that, hit F5 and you just get the same 3 requested.

    airvent
    Free Member

    It’s to slow you down if you’re guessing characters: if it constantly asked for the same 3 you could sit guessing until you were correct; if it brings up a different three for you to guess, it removes all the characters you have already guessed incorrectly, because you’re back to a full set to guess from.

    footflaps
    Full Member

    It’s to slow you down if you’re guessing characters; if it constantly asked for the same 3 you could sit guessing until you were correct

    Pretty sure it will lock you out / lock the account if you have too many failed attempts.

    jimdubleyou
    Full Member

    Had a quick Google, but didn’t find it. Be cool if you did have info.

    Regulatory Technical Standards for Strong Customer Authentication – https://www.fca.org.uk/publication/policy/ps19-26.pdf

    Article 6 just says you have to do something about making sure knowledge elements stay secure; it doesn’t specify what.

    You could argue they are in breach of Article 22 (ensuring confidentiality), but whatever they have built is likely to have been signed off as meeting the regulations. You do get a certain amount of autonomy from the FCA where there isn’t a defined method.

    There might be something in the later articles, but I’ve already got weary eyes 🙂

    joshvegas
    Free Member

    Just tried my current account bank logon and it solidly requested the same three digits regardless of me retrying. Even on a different browser.

    Same, it’s those three or lockout for me.

    The banks would probably prefer people stole your actual cash than their credit though, so they make it a bit easier.

    airvent
    Free Member

    Pretty sure it will lock you out / lock the account if you have too many failed attempts

    So if that’s the case why does it matter either way if it asks you for new characters or not?
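The thread argues over whether letting a user cancel and re-draw the requested character positions matters when the account locks after a few wrong answers. The following simulation is an added example written for this page; it is not code from the thread, the ISA provider or any bank. It models the two behaviours the posters describe: a "sticky" server that keeps asking for the same positions and counts wrong answers towards lockout, and a "reroll" server where cancel costs nothing and issues fresh positions. The attacker has seen only some characters (the OP's "6 characters out of a 12 digit password" case), and the password length, digit alphabet, three positions per challenge and three-strike lockout are assumptions for the simulation, not any provider's real parameters.

```python
"""Partial-password login ("give me characters 2, 5 and 9"), simulated.

Added example for this thread, not code from any bank or ISA provider.
  sticky : same positions until answered; wrong answers count towards lockout.
  reroll : cancel issues fresh random positions at no cost, so a partial-
           knowledge attacker cancels until every requested position is known.
Password length, alphabet, positions per challenge and failure limit are
assumed values for the simulation, not any provider's real parameters.
"""
import random
import string
from math import comb


def fraction_answerable(n: int, k: int, m: int) -> float:
    """Probability that a random m-position challenge over an n-character
    password lies entirely within the k positions the attacker knows."""
    if k < m:
        return 0.0
    return comb(k, m) / comb(n, m)


def expected_cancels(n: int, k: int, m: int) -> float:
    """On a reroll server each cancel is an independent draw, so the
    expected number of challenges seen before an answerable one is 1/p."""
    p = fraction_answerable(n, k, m)
    return float("inf") if p == 0 else 1.0 / p


class PartialPasswordServer:
    """Minimal model of the provider side of a partial-password check."""

    def __init__(self, password, m=3, max_failures=3, reroll_on_cancel=False,
                 rng=None):
        self.password = password
        self.m = m
        self.max_failures = max_failures
        self.reroll_on_cancel = reroll_on_cancel
        self.rng = rng or random.Random(0)
        self.failures = 0
        self.locked = False
        self.challenge = None

    def get_challenge(self):
        """Positions the user must supply. A sticky server keeps the same
        positions until answered; a reroll server draws fresh ones every
        time the client asks (this is what 'cancel' does in the ISA case)."""
        if self.challenge is None or self.reroll_on_cancel:
            idx = self.rng.sample(range(len(self.password)), self.m)
            self.challenge = tuple(sorted(idx))
        return self.challenge

    def answer(self, chars):
        """Wrong answers burn the failure budget and lock the account;
        cancels never do, which is the asymmetry the attacker exploits."""
        if self.locked or self.challenge is None:
            return False
        if all(self.password[i] == c for i, c in zip(self.challenge, chars)):
            self.failures, self.challenge = 0, None
            return True
        self.failures += 1
        self.locked = self.failures >= self.max_failures
        return False


def attacker_login(server, known, max_cancels=10_000):
    """known: index -> char, the part of the password the attacker saw.
    Reroll server: cancel until every requested position is known.
    Sticky server: cancelling changes nothing and guessing spends the
    failure budget, so give up unless the fixed challenge is answerable."""
    for cancels in range(max_cancels):
        positions = server.get_challenge()
        if all(i in known for i in positions):
            return server.answer([known[i] for i in positions]), cancels
        if not server.reroll_on_cancel:
            return False, cancels
    return False, max_cancels


def simulate(n=12, k=6, m=3, reroll=False, trials=2000, seed=1):
    """Monte Carlo over constructed data: random digit-only passwords of
    length n, k positions observed; returns the attacker's success rate."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        pw = "".join(rng.choice(string.digits) for _ in range(n))
        known = {i: pw[i] for i in rng.sample(range(n), k)}
        server = PartialPasswordServer(pw, m=m, reroll_on_cancel=reroll,
                                       rng=random.Random(rng.random()))
        ok, _ = attacker_login(server, known)
        wins += ok
    return wins / trials


if __name__ == "__main__":
    # Attacker saw 6 of 12 digits; server asks for 3.
    print("answerable fraction:", fraction_answerable(12, 6, 3))  # 20/220
    print("sticky server success rate:", simulate(reroll=False))
    print("reroll server success rate:", simulate(reroll=True))
    print("expected cancels on reroll:", expected_cancels(12, 6, 3))
```

With six of twelve digits known, only 20 of the 220 possible three-position challenges can be answered, so against the sticky server the attacker gets in about 9% of the time and otherwise faces a lockout if they guess. Against the reroll server they get in every time, after roughly eleven free cancels on average; the lockout counter never moves because cancelling is not a failed attempt. That is the gap the thread is circling: the lockout bounds wrong answers, but the reroll lets the attacker choose which question they answer.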
