When Security Becomes Friction for Meralco Online

Meralco is a good example of a company overdoing online security in places where the actual risk is low.

Meralco is a utility company. It is not a bank, an e-wallet provider, or a financial institution holding customer funds. The information it needs to protect—customer name, service address, and billing amount—is important, but it does not carry the same risk profile as banking credentials or stored monetary value. The security approach should reflect that difference.

A Bill You Can See but Not Easily Get

When Meralco notifies customers that a monthly bill is available, the notification already displays the bill amount. That means the information is already deemed safe enough to transmit. Despite that, the actual PDF copy of the bill is not included.

To obtain it, customers must log in to the website, navigate through several pages, dismiss pop-ups, and repeat the process for each registered account each month. All this just to download a document that could have been emailed to me in the first place. Encrypt the PDF if you want—I do not care. Just send it.

Login Restrictions That Add Friction, Not Security

The login experience also raises questions about proportionality.

Pasting a password is allowed, but keyboard-based autofill—commonly used by password managers to populate both email address and password—is blocked. This forces manual entry of the email address while offering no meaningful improvement in security. It prevents convenience, not misuse.

Logging in from a different device also requires a one-time password sent to a registered mobile number. This is reasonable for high-risk actions, but for viewing or downloading a bill, it feels misaligned with the nature of the transaction. There are no funds to move—only a balance to view.

Repeating the Same Process, Every Month

For users managing multiple Meralco accounts under one profile, this experience is multiplied. Using the website for account administration is understandable. Being required to go through the same multi-step process every month, for every account, just to download bills is not.

This is a problem with workflow design, not user behavior.

A Simpler, More Balanced Approach

Emailing the monthly bill as a PDF would resolve most of these issues immediately. The website can remain the place for account management and changes. Routine access to a billing document should not require repeated navigation through a heavily restricted interface.

Good digital security should be based on balance—strong where risk is high, and simple where it is not.
