Comment by niutech

21 days ago

Not necessarily. In Poland you can do banking with a web browser + SMS code or one-time code card, no special hardware needed.

An SMS code can only be received by a phone (special hardware, not a browser). An OTC smart card is likewise special hardware, not a browser.

  • Google Voice is not special hardware. You’re confusing attestation with 2FA and that’s why you’re getting downvoted.

    • Yeah but Google Voice isn't something you're meant to use to receive SMS codes. That's very US-specific, and if you go there you've undermined the security the bank was trying to provide.

      The reason they used SMS codes for a while is because phones have always tried to block malware from reading your screen or SMS storage whereas PCs don't, and because phones can do remote attestation protocols to the network as part of their login sequence. The SIM card contains keys used to sign challenges, and the network only allows authorized radio firmwares to log on. So by sending a code to a phone you have some cryptographic assurance that it was received by the right user and viewed only by them.

      2FA and RA are closely related for that reason. The second factor is dedicated hardware which enforces that only a human can interact with it, and which can prove its identity cryptographically to a remote server. The mobile switching center, in the case of SMS codes.

      Obviously, this was a very crude system because malware on the PC could intercept the login after the user authorized, but at least it stopped usage of the account when the user wasn't around. Modern app-based systems are much more secure.
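The SIM challenge-response that the comment above relies on, modelled as an added example (my code, not the commenter's and not any carrier's implementation): the carrier only releases an SMS code to a session whose SIM has answered a fresh challenge, and a replayed answer or a device without the subscriber key gets nothing. The HMAC, the 16-byte key and the session names are constructed stand-ins for the real A3/Milenage algorithms and Ki.

```python
import hashlib
import hmac
import secrets

# Constructed demo value: the per-subscriber secret shared by SIM and carrier (stand-in for Ki).
SUBSCRIBER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def sim_sign_challenge(key: bytes, rand: bytes) -> bytes:
    # SIM side: answer the network's challenge with a keyed MAC (stand-in for SRES/RES).
    return hmac.new(key, rand, hashlib.sha256).digest()[:8]


class Network:
    """Carrier side: only a session whose SIM answered a fresh challenge gets an SMS code."""
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.pending = set()        # challenges issued but not yet answered
        self.authenticated = set()  # sessions that passed the challenge

    def issue_challenge(self) -> bytes:
        rand = secrets.token_bytes(16)
        self.pending.add(rand)
        return rand

    def verify(self, session: str, rand: bytes, response: bytes) -> bool:
        # Challenges are single-use, so replaying an old answer fails.
        if rand not in self.pending:
            return False
        self.pending.discard(rand)
        expected = sim_sign_challenge(self.key, rand)
        if not hmac.compare_digest(expected, response):
            return False
        self.authenticated.add(session)
        return True

    def deliver_sms_code(self, session: str):
        # No attested SIM behind the session: no code is released.
        if session not in self.authenticated:
            return None
        return f"{secrets.randbelow(10**6):06d}"


def run_scenarios() -> dict:
    # Outcomes for a genuine SIM, a replayed answer, and a device without the key.
    net = Network(SUBSCRIBER_KEY)
    r1 = net.issue_challenge()
    genuine = net.verify("phone", r1, sim_sign_challenge(SUBSCRIBER_KEY, r1))
    replay = net.verify("other", r1, sim_sign_challenge(SUBSCRIBER_KEY, r1))
    r2 = net.issue_challenge()
    no_key = net.verify("other", r2, sim_sign_challenge(b"\x00" * 16, r2))
    return {"genuine": genuine, "replay": replay, "no_key": no_key,
            "code_phone": net.deliver_sms_code("phone") is not None,
            "code_other": net.deliver_sms_code("other") is None}
```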