I don't want to be so picky but for someone like me - which I accept is possibly the minority - when a financial service demands SMS OTP and refuses point blank to implement TOTP or U2F as an alternative, then yes, I definitely see this as soft KYC. It is compatible with "follow the money", knowing various logs will be created, even if it's not by the financial service themselves.
A working example of how negative SMS OTP is for foreign travel: the act of logging into a bank or the processing of transactions may at some point trigger an SMS OTP verification. For the customer this means:
- Use your home country SIM, which probably works, but...
  - it reveals and links who and where you are to the telcos and to all the people they share your data with.
  - your home country SIM will expire if your stay is extended (definitely someone like me).
  - you only have one SIM slot / phone and it's a PITA to switch SIM / drop the SIM / misplace it.
  - roaming may still be active even though you have disabled it in settings! This is 100% true, and the only way to be sure is to physically remove the SIM.
- I travel abroad and I don't know what my foreign phone number will be ahead of time, which is probably everyone.
- Place a long distance call and sit in a queue for an hour before you can inform them of your new number and thereby reveal your current location, which should be none of their business. Assuming access to banking services but no foreign ATM / in-store payments (which is also me).
- Go online and upload new photos holding ID and so on. Not to mention the PITA it is to deal with time zones and weekends.
I realize I am the edge case here and many people are just super compliant, and the banks take advantage of this.
And I'm definitely not saying Dash Direct is in the same league as these banks! But I think if you have a technically savvy customer that is familiar with TOTP / U2F, then I think, why not offer it as an option? It doesn't strike me as particularly high maintenance code.
Regarding app usage vs. the web: a lot of services have a nasty habit of building a captive audience and then adding all sorts of required permissions later. Again, I am not saying this is Dash Direct!!! But this behavior grows general caution and distrust among certain users.