I use Bitwarden as my password manager and it stores my PIN of dhan as well. However, when it autofills, all the digits are filled in one box only.
Bitwarden works perfectly on other website and looks like some minor enhancement would be needed from your side. Request you to kindly improve this.
Same issue I have. I use Bitwarden as well and would really love to have a TOTP-based solution rather than SMS OTPs.
Hello @sv28 @encore
Thank you for highlighting this. We will try and optimise for this particular password manager to ensure a seamless login experience.
@encore TOTP-based solution is something that we do not intend to introduce as a login method due to various vulnerabilities and possibilities of automating the same, especially via third-party applications.
I use Bitwarden too.
This issue can be solved easily by having a single textbox instead of having one box for one digit.
I know it looks cool this way but textbox of same size can also be made to look cool. And it will be easier on Auto-fill tools like bitwarden, lastpass
Also I do not agree that TOTP is vulnerable. If it was vulnerable Google, Cloudflare, Oracle cloud and hundreds of other platforms will not use it. They have definitely done more security study than Dhan did.
Why not give TOTP option and let users decide if they want to activate it or not? (like Upstox does)
Agree on TOTP.
TOTP is far superior and has been used by the world’s top companies for many years now.
TOTP can be easily automated using libraries like pyOTP. If you search for ‘TOTP automation’, you can easily get youtube videos for almost all platforms who use TOTP for login which can be automated.
At Dhan, we are extremely cautious about the access and privacy of user. This is the reason of not allowing third party TOTP based login.
@Hardik any ETA for the fix?
TOTP shared secret is stored in mobile. (Normally people use Google authenticator)
To automate TOTP, hacker needs to know the shared secret.
To get shared secret hacker needs to have access to internal storage of mobile.
If hacker has access to internal storage then he has access to SMS as well.
So overall both cases (SMS or TOTP) security can be compromised equally.
Additionally what can hacker do anyway? He can sell shares but money will still go to registered bank account of share holder. Not hacker’s account.
But anyway. Its your call.
Also google this:
is totp better than SMS
You will get the answers.
@Hardik a gentle reminder on this. This fix shouldn’t take much of your team’s bandwidth
@Hardik an update on this issue would be appreciated