Comment by bramhaag

8 months ago

In this case there is also a perceivable benefit for the user. SMS 2FA is vulnerable to sim swapping, this is not possible when TOTPs are delivered in-app. The app is also FOSS [1], so even if you're paranoid you can still inspect what data is sent.

There are also just some things you cannot realistically do in the browser (or over SMS) without having to ship specialised hardware to 18 million people, like reading the NFC chip of your passport. This is needed for DigiD Substantieel and Hoog, which are mandated by the eIDAS regulations.

[1] https://github.com/MinBZK/woo-besluit-broncode-digid-app/

5 comments

bramhaag

Reply
esseph  8 months ago

TOTP is able to be intercepted on the device.

  • bramhaag  8 months ago

    Yes, and that's also true for SMS messages and your passwords. That is why having MFA is important.

    • esseph  8 months ago

      You can't intercept a passkey in the same way.

      It is also far less likely to be phished, and there is nothing transmitted.

      TOTP is the modern WPA2 of security - it's just not good enough when better alternatives exist.

      2 replies →