Am I alone having difficulty logging in to (UK savings bank) https://www.nsandi.com, since they introduced two-factor authentication?
1. I go to the login screen https://secure.nsandi.com/thc/policyenforcer/pages/loginB2C.jsf?chainingAction=true&MENU=true&forceLogin=true&q=54676c38-933e-46dd-90a7-7c8a5127a983&p=aa69b759-9e91-4f76-b9be-329d0f9685be&ts=1670588750&c=nsandi&e=nsisecure&rt=Safetynet&h=e4eb2ce3d2ca79deee6728fa3ba9fe55
which prompts me for my account details.
2. There's an "Accept cookies?" pop-up; I click reject all cookies.
3. I enter my login details.
4. There's an "Accept cookies?" pop-up; I click reject all cookies.
5. It takes me back to the login screen which prompts me for my account details.
6. I enter my login details.
7. I get a JSON error message
{"error":"ERROR_DURING_DEVICE_REVOKE","errorDescription":"ERROR_DURING_DEVICE_REVOKE"}
on what looks like a Firefox diagnostic screen; the "headers" tab shows this:
X-Firefox-Spdy: h2
cache-control: no-cache, no-store, max-age=0, must-revalidate
content-encoding: gzip
content-security-policy: frame-ancestors 'self' https://sbp-retail-prd-kyd-b2n-vip.nsi.local;
content-type: application/json
date: Fri, 09 Dec 2022 12:16:52 GMT
expires: 0
pragma: no-cache
referrer-policy: no-referrer-when-downgrade
server: nginx
strict-transport-security: max-age=31536000;preload
x-cdn: Imperva
x-content-type-options: nosniff, nosniff, nosniff
x-frame-options: SAMEORIGIN, SAMEORIGIN
x-iinfo: 5-7620738-7622339 PNYN RT(1670588150185 61257) q(0 0 0 -1) r(1 1) U6
x-xss-protection: 1; mode=block, 1; mode=block, 1; mode=block
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en;q=0.7,eo;q=0.3
Connection: keep-alive
Content-Length: 1182
Content-Type: application/x-www-form-urlencoded
DNT: 1
Host: auth.nsandi.com
Origin: https://auth.nsandi.com
Referer: https://auth.nsandi.com/api/ta/checkDevice
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-GPC: 1
TE: trailers
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0
8. I click the refresh/reload button
9. There's an "Accept cookies?" pop-up; I click reject all cookies.
10. The "Add trusted device" screen lets me choose a phone number to receive a one-time password.
11. There's an "Accept cookies?" pop-up; I click reject all cookies.
12. I receive the one-time password via text and enter it.
13. There's an "Accept cookies?" pop-up and (beneath it) a "Securing your browser ... please wait..." screen, which eventually is replaced by the "Your accounts" screen.
14. I click reject all cookies and FINALLY I'm able to view my nsandi.com account details!
So there seem to be two issues:
i. The need to enter my login details twice, and then reload the page on receiving JSON "ERROR_DURING_DEVICE_REVOKE"
ii. The fact that every step along the way, I get the same "Accept cookies?" pop-up - surely having told it my cookie preferences it shouldn't be asking again and again and again...
Because the login dialogue takes me to three different URLs:
https://auth.nsandi.com
https://secure.nsandi.com
https://www.nsandi.com
... I wondered if Firefox's "Enhanced Tracking Protection" was interfering with communication between them (via the browser, during the login process). So I added all three to "Exceptions for enhanced tracking protection". But that didn't make any difference.
My work-around is to log in using the Microsoft Edge browser. But it's a pain having to remember to use my non-preferred/non-default browser for this one account.