
Comment by wouldbecouldbe

8 months ago

I understand but it’s not always with bad intentions.

In the Netherlands we have a system called DigiD to log in to most government websites, like your taxes and city, etc.

When I contracted for the city of Amsterdam I learned they've been pushing hard for the DigiD app to two-factor authenticate instead of text message, because under the contracts DigiD charges a lot per text-message validation and nothing for the app.

True, but it does force citizens into a contract with either Apple or Google. I don’t think that is a good idea both from the perspective of individual freedom and national sovereignty.

  • Nothing beats a hardware token.

    I would also use Yubikey for banking, but I am scared as f. of what happens if I lose it while traveling abroad.

    • I wish that was an option; in most cases the phone becomes the hardware token, and that can be lost too. Or broken, or out of power, or without internet connection.

      I even have a personal anecdote. My wife "lost" her phone in Iceland. I made her log in to find-my-phone with her Google account, and 2FA was needed. Thankfully she had her Yubikey on her keychain (plus, we enrolled each other's key), so she was able to log in. Push notification or TOTP/SMS were not an option.

The DigiD app could interact with websites; that's how it works for many other digital IDs in Europe.

For example with BankID (Sweden, and I think the Norway version does the same), when you need to authenticate you either scan a QR code with the BankID app or select "on the same device", and then the website will interact with the BankID API to auth.

Either way you don't need your own app to get proper auth working with this sort of government login.

(With BankID the app devs still pay a per-auth price, but that is not due to any technical reason, just because it's made by a profit-driven semi-monopoly.)

  • This is exactly the same as DigiD, except that there is no cost per auth, only per SMS. The parent comment is saying that Amsterdam wanted the users to install the DigiD app instead of relying on SMS authentication.

In this case there is also a perceivable benefit for the user. SMS 2FA is vulnerable to SIM swapping; this is not possible when TOTPs are delivered in-app. The app is also FOSS [1], so even if you're paranoid you can still inspect what data is sent.

There are also just some things you cannot realistically do in the browser (or over SMS) without having to ship specialised hardware to 18 million people, like reading the NFC chip of your passport. This is needed for DigiD Substantieel and Hoog, which are mandated by the eIDAS regulations.

[1] https://github.com/MinBZK/woo-besluit-broncode-digid-app/

This could have just been TOTP.

  • The TOTP standard made sense, but the mainstream implementation was user-hostile at the start, with stuff like Google Authenticator not letting you copy keys, then afterwards still making it unclear under what circumstances they're backed up. Nowadays it's user-unfriendly at best.

    I like how we went full-circle to Passkeys which are basically a "remember me FOREVER" button, implemented kinda like SSH keys. Should call it that too, and also ditch the like 4 prompts it gives you first.

    • > "remember me FOREVER" button, implemented kinda like SSH keys.

      Here's a better idea: just use OpenSSH, or at least OpenSSH's key formats, since none of the big companies can manage anything better.