I've been an Amazon customer for a whopping 23 years and I've never been as annoyed as I am today. I wanted to order two smartphones - and that was only necessary because the damn manufacturers no longer deliver updates and thus declare perfectly adequate hardware (here a Pixel 3a) to be an environmental mess. And then Amazon tells me in the checkout area: delivery only against a one-time password. Dear boys and girls – nope.
About a year ago there were reports that Amazon would now also introduce OTPs for the parcel delivery of expensive orders (whatever that means exactly). That means: when you place your order, you receive a one-time password by e-mail, which is valid until the day of delivery and must be given to the delivery driver - on site, at the door. The point of it all: security. So it's no longer enough to just live at the delivery address, no, you also have to prove that you have access to the email account. So that's what it's supposed to achieve.
What it really achieves: I order from Media Markt. OTPs for package handovers are utter nonsense. There's a fairly well-established way of verifying identity - it's called an ID. And if someone else should accept the package? There's a solution for that too: power of attorney, where an OTP actually has its appeal. DHL couriers and branches have the receipt acknowledged, and the package is delivered with legal certainty. Amazon couriers never wanted a signature from me, often enough packages end up with unspecified residents, and of course they don't have a branch to hand them over at.
If everything runs perfectly, an OTP may at least work: I am personally at the door anyway, I know the password by heart (well, let's see...), the Amazon delivery man understands me clearly and can immediately verify the password, and then little singing birds come along, unpack my package, carry me into the apartment and then cook me something.
What if things don't go perfectly? Delivery against signature at the neighbor's? No. Password not known by heart: wait a minute, dear delivery driver, I just have to boot my computer for 10 minutes, log in and print out the password... Or if the smartphone battery is empty, then it might only take 5 minutes. I'm not a techie? What the heck is an OTP?
So what's the point of this nonsense? Well, of course there are arguments for it. The courier will probably enter the OTP presented and an app will then release the handover - that also serves as proof, since the successful OTP entry should be logged. In contrast to a signature, no contact is necessary! A neighbor's signature may also be legally sufficient, but if he denies having signed something, who are you going to call? A graphological expert? Or if the neighbor actually did not sign, but "someone" did? With an OTP, it doesn't matter - whoever has the correct OTP is the legitimate recipient. So there could definitely be advantages for Amazon. For Amazon!
Against which scenarios can an OTP protect at all? Against thieving neighbors? Theoretically, certainly, but who steals from their next-door neighbor at the door and signs for it? Against thieving roommates? That too, but if you live in such a flat share or family, you probably have completely different problems ... Against hacked Amazon accounts? Yes, but an ID does the same thing. Against thieving non-neighbors? Some couriers sometimes drop off packages two streets away, not with neighbors, but with complete strangers – perhaps inhibitions are lower there, although then of course they would still be signing for the theft… Against thieving couriers? Definitely: an illegible signature on the scanner, a tick next to "Hand over to a resident", done, quickly and relatively safely.
The potential problems with neighbors, roommates and hacked Amazon accounts can already be countered with established remedies: handover only at the delivery address and, if necessary, only to the recipient in person, to be proven by means of an ID card (as in the parcel shop, too...). The courier himself could of course forge that - here it is a person who verifies. What the courier could not forge: an OTP - here it is technology that verifies. Perhaps the last sentence on the only Amazon web page that could, with good will, be called a "source of information" is the key: "Don't tell the driver the one-time password over the phone." Surely no drivers have run off with packages?
Security always comes at the expense of convenience. And yes, I also recommend that users use things like two-factor authentication and password safes - more security, less convenience. But with the package OTPs I only see security benefits for Amazon and a decline in convenience for customers. Well, as a digital power of attorney, an OTP is certainly a convenience gain, but that's not the point, it's more of a nice side effect.
All the roles in me are screaming: as a journalist I see bad press and (further) image damage, as a trained retailer I miss the "customer is king" attitude, as a customer I don't want to deal with things like "OTP", and as a former BSI employee I also miss any transparency - anyone throwing around crypto stuff should also provide information on how the OTPs are created, how they are sent and verified. Only the role of information manager could perhaps gain something from the concept; that was the kind of degree that was quite open to actionist management ideas …
I can't help it: the more I think about it, the more this OTP handover stuff looks like Amazon is trying to protect me from its own delivery services. I would have established tips for this too: hire drivers instead of subcontractors, pay properly and have good personnel take care of everything.
If you think OTP package handovers are great and I've missed something, complain to me in the comments. If you don't like them either, complain to Amazon in the comments ;) And according to the motto "Money doesn't stink:"