Fortis Fail

Recently Fortis started offering their "Easy Banking" application on iOS, which lets you do bank-transfers from your iPhone or iPad.

Before you can use "Easy Banking" you need to enable it on Fortis' website first where you have to choose a password. The problem I ran into was with their input validation on the password fields.

The default way of choosing a password is to type it twice, in separate input fields. One part of the validation is checking whether the two inputs are the same. Often it will also check the minimum length of the password. Or even the max-length, although I advise against that. You can't argue against longer passwords... Worse is when companies start checking your input and only allow certain character-sets. There's no point in this at all... People make their passwords more complex by adding in non-alphanumeric characters, they type them correctly, twice... and then the company says they have to simplify the password they're used to, or they won't take it. That is just ridiculous.

But with Fortis it's even worse. The problem is two-fold.

First, on the Fortis website where you choose your "Easy Banking" password, it does not allow non-alphanumeric characters in your password. That is silly in itself but the bigger problem is that they skip over input in their fields when a non-alphanumeric character is typed. Try to imagine... when you are hitting a '%' or '(' or '@' or any other non-alphanumeric character it just does not _type_ it in the field. This is so bad I can't even start describing it.

Thus, suppose your password has a '#' in it... let's say "p#ssword", without the quotes. If you type that in Fortis' input fields you will see this: ••••••• You tab to the next input field and repeat your password, again you see, without error: •••••••

You click OK and everything goes well. Fortis accepts the password because the passwords in both fields match. Cool, you think. I've got my password set up. Now let's get my iPhone and try out "Easy Banking"...

This is where we see the 2nd part to the problem.

In their iOS app's password field... unlike on their website, it does _not_ skip over non-alphanumeric characters. So when you type the above password in the app as you try to log in it will show: ••••••••

You hit "Login" and the application will fail to log you in because you provided wrong credentials. You then need to wait 2 minutes before trying again... With the same result, you can not log in. If you go back you'll see that on the website you only really typed 7 characters, Fortis took out the '#'... The iOS app takes 8 chars, as it should. No app should ever alter the password data you input in the field.

A user will not understand this… He did everything right, saw no error, but he cannot sign in.

I do not understand how BNP Paribas Fortis, a major bank, can be this outright ridiculous in the way they create their applications. Who do they think they're doing a favor by not allowing non-alphanumeric chars _and_ not telling their customers about it when they're just skipping over those characters. People effectively think they typed something twice but the password that is accepted by the website will be different from what you typed... You actually have to start counting the dots in the input fields to know if they match the amount of characters you have in your password.

Hopefully this will soon be fixed, but I'm afraid they don't even know about it themselves. This is a typical case of UX fail when companies try to validate too early and auto-correct input, definitely when dealing with people's passwords, on a banking website.