
Comment by CalRobert

20 days ago

In time, you will only be able to access banking from your desktop using an approved OS and browser with attestation...

For what conceivable reason would they make the users go on desktop, considering mobile is in the process of being fully locked down?

If anything, they'd eventually deny access from desktop, forcing everyone to log in via the fully managed mobile devices without any user freedom.

Some banks are already getting there btw, as their preferred 2fa is a companion app... One small step away from making that the only option, effectively denying access to anyone without a locked down mobile device.

  • It's already that way in my country. The few banks that still have the web version only support it for their business clients, and it's only something like two or three banks. If you're a regular client, there's not a single bank left that you can still use without a smartphone (unless you're ready to visit a branch for every little thing — so pretty much daily).

    • >(unless you're ready to visit a branch for every little thing — so pretty much daily).

      What are you doing that you need to use your banking app daily?

      It seems like a once a month affair. Pay the bills, take some cash out of the account, and you're done. Online shopping just needs a credit card, no apps required.


    • My bank’s app doesn’t even work or even install on my phone because the bank considers my phone too old. So if they suddenly required the app to log in, I simply wouldn’t be able to bank with them. So they would lose my checking, investment, and HSA business when I move to another bank.

  • I think they worded that poorly, but didn't mean what you got from it: the point I'd take isn't that they will require you to have a desktop, but that even desktop will also have the same restrictions, so it isn't just a mobile problem.

    • I see, that makes sense in hindsight.

      And I have to agree, sadly. We've been inching towards that over the years, and it's entirely possible banks cease providing regular web access to their accounts (which this would necessitate).

      But I think there will always be at least some banks that will have web frontend, so you'll just have to be pickier.

  • This happened to me recently in Austria, I had to get a new phone to be able to do internet banking. You can only use the app with attestation from the PlayStore, AppStore or surprisingly Huawei store.

    When I complained repeatedly that this was forcing me into an American or Chinese ecosystem, they said that no one cares and I'm a minority :-(.

    For the desktop, you need the phone for the 2FA.

  • What gp is saying is that to access banking from desktop will require an approved OS and attestation just like on mobile. The current state of affairs is that an approved OS and attestation are only required on mobile but not on desktop.

  • Most banks require 2FA or similar to confirm logins and operations. There is no way around it, this is the world we are heading towards: 2 companies in the entire planet decide who and what can be done online.

Actually my bank already requires me to use the phone app for any operation on the website. When I want to log in from my laptop I need to use my phone with their app to approve the login, same for almost any operation.

Ah, and it can only be installed in one device at the same time :D Don't have your phone available? Bad luck for you

  • > can only be installed in one device at the same time

    I neither like nor understand this restriction. It makes device failure / loss / theft a much more difficult experience to recover from than it would otherwise be. The device should be throwaway. I specifically keep old phones in case something happens to the new one.

    WhatsApp is probably the stupidest example of only being able to be on a single device (but I'm forced to use WhatsApp for one specific purpose, so I already resent it). Signal does the same thing, so maybe it's related to the E2EE that WhatsApp licensed from Signal...

    • >WhatsApp is probably the stupidest example of only being able to be on a single device

      that's not really an artificial limitation but a design choice. They don't store your messages, only deliver them. Once the message is on your device, it's gone from their servers, like old POP3 mail.


    • I use the Signal fork Molly to get messages on multiple phones. One remains the primary and the others linked, but I get messages even if the primary is off.

    • > It makes device failure / loss / theft a much more difficult experience to recover from than it would otherwise be.

      As is with all two factor, but don't point that out, or the "but muh security" bros will shout you down.


  • I have a huge problem with companies using their own apps for 2FA.

    Google started doing this for Gmail. To use Gmail on my laptop, I need to approve it with Gmail on my phone. I never signed up for this. I’m now afraid if I delete the Gmail app from my phone that I’ll lose access to my email.

    I hate the direction “security” is taking us. It’s done in the name of security, but it feels more like blackmail to get and keep the company app on your phone.

    • Is that a thing Google logins can be set to require? I _can_ use the Gmail app on a device for 2FA, I can also press "try another method" and use any 2FA app.


    • I do like how many apps are starting to play nice with 3rd party authenticators. I use MS Authenticator for a bunch of things. Although knowing MS it has some massive license fee for them to support.

De facto, this is already the case - you can use your computer as a display but to actually authorize a login or transaction you need your phone with said attestation.

  • Not true for either my AIB or Wise account.

    • True for PayPal though. I just recently had to jump through seven different hoops to verify my ID (with creepy, creepy face scans) and they absolutely refused to even start the process on desktop. Eventually got the stupid thing to work on my iPad; Android+Firefox was a no go, and it's stock Pixel 5a with Google OS.

      Thankfully I don't actually rely on PayPal for anything serious, but there are artists whose commission I like to pay, and being able to actually pay them would be nice. :/


A dedicated app on a locked down OS is vastly more controllable than something like a browser that can do virtually whatever it wants.

  • Controllable by whom? I don't do any banking on my phone exactly because I don't trust my phone to keep anything I do on my phone private.

How it generally works is low-risk operations have no restrictions, but if you want to send a large amount of money to a new contact, the banks make you approve the transaction on the phone app.

Phone apps are generally significantly more trusted because of the fact you can’t install malware that steals the session token, and they can do a Face ID check before any risky operations.