We have long believed that complexity improves security. But the greater password friction made no one any safer. What’s worse is that this will breach a new duty that has nothing to do with security at all.
Last week, I tried to cancel an e-mandate and found myself in a world of pain. As I recall, it was super easy to set up the standing instruction—all I had to do was provide my credit card information and a one-time password, and we were done. But when it came time to cancel it, it soon became apparent that this would be a project in itself.
Complexity
To start with, my bank has created a separate website for customers who want to manage their e-mandates—one that is completely different from its online banking portal. The fact that I have to go through more hoops to stop a recurring payment than to set one up is a problem to begin with, but what made it worse was that it required a password so hard to remember that I had to start by setting up a new one in place of the one I had forgotten. Despite this, I found myself locked out after too many incorrect attempts with the new password.
This is not the first time that my bank’s insistence on complex passwords has given me grief. I have previously complained that not only do I have to change my online banking password every 6 months, but each new one also has to be different from any of the past three passwords I have used. To my chagrin, I recently discovered that this logic also extends to the 4-digit mPINs we have to use for mobile banking. It is no wonder that customers find themselves swimming in passwords they cannot recall.
To deal with these increasingly onerous requirements, I began to use a password manager. This, as anyone who has studied digital security will tell you, is an online safety best practice that lets you set a different, complex password for each website you use and store them all in an app protected by a single complex password. That, then, becomes the only password you have to remember; each time you log into a website, you just have to unlock the password manager and let it autofill the correct password.
And then, out of the blue, my bank disabled the use of password managers on its banking portal.
Friction
We often confuse greater friction with better security, assuming that the more painful it is for a user to log into a server, the harder it will be for hackers to follow suit. In doing so, we disregard the unintended consequences of that decision. Customers forced to use complex passwords will end up using formulaic, easy-to-remember ones. This is exactly the wrong outcome: not only are such passwords easy to guess, but once a hacker has worked out the formula, every subsequent password can be deciphered as well. What we need instead are better security workflows, ones that rely on multiple factors of authentication, that are easy for users to complete and that reduce the overall risk of a breach.
In 2025, the US National Institute of Standards and Technology formally abandoned the orthodoxy of forced complexity and periodic resets. Those rules, it said, actively produce weaker passwords, because people respond with predictable substitutions (as well as by writing them on sticky notes stuck to their monitors). Along similar lines, the Reserve Bank of India’s (RBI) Authentication Mechanisms for Digital Payment Transactions Directions (which came into force in April 2026) are technology-neutral, requiring only that banks ensure the robustness and integrity of the design of their authentication, without specifying complexity requirements. Since the regulator has given banks leeway to do less, it is hard to understand why they insist on doing more.
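As an added illustration (not part of the column), the following Python compares the two policy styles discussed above: the bank-style rule of composition classes plus a "not one of the last three" history, and a simplified NIST SP 800-63B-style rule of minimum length plus a compromised-password blocklist. The sample password history, the blocklist and the `is_formulaic_variant` helper are constructed for this example and are not from any bank or standard.

```python
import re

# Constructed history for a customer who has "complied" with six-monthly
# rotation by bumping the year each time (the formulaic outcome the column warns about).
HISTORY = ["Summer2023!", "Winter2023!", "Summer2024!"]

# Constructed stand-in for a breached/common-password corpus (lower-cased entries).
BREACHED = {"password", "123456", "qwerty", "summer2024!"}


def legacy_policy_accepts(new: str, history: list[str]) -> bool:
    """Bank-style rule: upper, lower, digit and symbol required, and the
    new password must not equal any of the last three used."""
    has_classes = (re.search(r"[A-Z]", new) and re.search(r"[a-z]", new)
                   and re.search(r"\d", new) and re.search(r"[^A-Za-z0-9]", new))
    return bool(has_classes) and len(new) >= 8 and new not in history[-3:]


def normalise(pw: str) -> str:
    """Drop the parts people predictably vary: digits, punctuation, spaces and case."""
    return re.sub(r"[\d\W_]+", "", pw).lower()


def is_formulaic_variant(new: str, history: list[str]) -> bool:
    """Constructed extra check: does the new password share its alphabetic core with
    an old one? Catches Summer2024! -> Summer2025!, which the history rule lets through.
    (It does not catch word swaps such as Summer -> Winter.)"""
    core = normalise(new)
    return any(core == normalise(old) for old in history)


def nist_style_accepts(new: str, breached: set[str]) -> bool:
    """Simplified SP 800-63B reading: length is the only composition rule
    (8 to 64 characters here), plus a check against known-compromised values.
    No forced rotation and no history rule at all."""
    return 8 <= len(new) <= 64 and new.lower() not in breached


def evaluate(new: str, history: list[str], breached: set[str]) -> dict:
    """Run the three checks side by side for one candidate password."""
    return {
        "legacy_accepts": legacy_policy_accepts(new, history),
        "formulaic_variant": is_formulaic_variant(new, history),
        "nist_style_accepts": nist_style_accepts(new, breached),
    }


if __name__ == "__main__":
    for candidate in ["Summer2025!", "correct horse battery staple", "Pa55!"]:
        print(candidate, evaluate(candidate, HISTORY, BREACHED))
```

Run as written, the bank-style rule accepts the predictable "Summer2025!" while rejecting the long passphrase for lacking an uppercase letter and a digit; the length-plus-blocklist rule does the reverse.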
Banks view authentication as a security concern. As a result, they measure compliance against that yardstick alone. But there is a second obligation that they often overlook—an additional duty they owe that turns the friction they chose to introduce into a significant liability.
An Additional Obligation
When I created the e-mandate, I consented to the use of my personal information, but retained the right to revoke that consent at any time of my choosing. This is a right that the Digital Personal Data Protection Act of 2023, now that it has been enacted, has enshrined in Indian law. Section 6(4) requires not only that withdrawal of consent be enabled, but that the ease of withdrawing it be “comparable to the ease with which such consent was given.”
Measured against that standard, my bank failed miserably. A separate website with yet another set of credentials—including a password that is too hard to remember—is an asymmetry of consent that is not just a quirk of clumsy design, it is a violation of the law.
The defence that businesses reflexively offer is that removing friction necessarily reduces safety. This is increasingly untrue, as technologies now exist that offer both greater safety and more convenience. Passkeys, for instance, are an increasingly popular technology that replaces passwords with cryptographic keys stored on your mobile phone, offering even greater security while remaining easy to use. Since there is no shared secret to steal, they cannot be phished, and because each one is unique to the service it was registered with, it cannot be re-used elsewhere. What’s more, this is not a technology of the future—in response to RBI’s directions, both Visa and Mastercard have committed to rolling out passkeys for card payments in India.
My bank welcomed me, and then, in the name of security, made leaving a Sisyphean labour. The leading standards body and the Indian regulator both disagree. Friction is not protecting me, it is sustaining a habit—and that habit has to go.