
Comment by endgame

4 months ago

It becomes much harder to force attestation on people if there's a significant user base that runs alternative operating systems.

I agree, but unfortunately I think the chances of that are just about zero. The reality is that the vast, vast majority of people don't care about software freedom. They care about the flashy marketing features in the newest iPhone (and competitors). I wish it were otherwise, but alas. Heck, you can't even get people to care about their physical freedom most of the time, let alone their digital life. It's hard to see this effort taking off as a result.

Do you really NEED to be forced to attest if you can make your phone look like any damn PC using a browser?

  • These days browsers are becoming increasingly distrusted. My bank logs my browser out after 30 minutes of inactivity, and then to log back in I have to confirm the login on my phone.

    • That… seems reasonable? My bank does that with their website and their mobile app. I was able to set up 2FA using a TOTP app, so I don't rely on SMS for that part.


    • This isn't the browser not being trusted, it's access to the device the browser runs on. Forcing logout when idle, and authenticating again, is good in general to avoid leaving something accessible when walking away from it, even if it's a home computer that is otherwise "secured".

    • WebAuthn cares about the strength of the authenticators used. Mobile has standard libraries for biometrics and secure enclaves. This is less common on desktops and laptops. Your bank may offer the ability to enroll a YubiKey or similar.

  • I can’t tap my PC to buy a burrito at Chipotle.

  • My bank doesn't let me do anything in the browser without 2FA, and the only 2FA they offer is their smartphone app.

    My other bank offers 2FA via chip reader as an alternative. I guess that's somewhat viable for an alternative phone OS, if you want to carry the reader around with you.

    That might just be European banks, though.

  • My bank is migrating online banking to an app-only platform. I could see attestation following very shortly afterwards.

  • Some banks require app confirmation for PC-initiated transactions, using apps that require Play Integrity. 'Cause security, you know.

    • It's because it's way easier to install malware on a PC than on mobile. None of us are immune either. In recent times there has been malware distributed via common npm packages as well as game mods. Every npm package you install has the ability to steal your browser session tokens, and the only thing stopping the attacker from actually logging in and spending your money is the fact that it has to be confirmed on your phone.


  • Websites are starting to make use of passkeys and TPM stuff on the device for workflows where money is involved.
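The comments above about WebAuthn caring about authenticator strength, and about sites using passkeys and TPM-backed credentials for money-moving workflows, both come down to what the relying party checks in the signed `authenticatorData` structure. The following is an added example written for this page (not code from any commenter or from a WebAuthn library): a minimal parser for the fixed part of `authenticatorData` plus the relying-party checks a bank-style server would make before accepting an assertion: rpIdHash matches the expected origin, the user-present (UP) bit is set, the user-verified (UV) bit is set when the operation demands biometrics or a PIN, and the signature counter has moved forward (a non-increasing counter is the spec's clone signal). The sample authenticator data is constructed inline with a helper; real data comes from the client's `navigator.credentials.get()` response, and signature verification over the COSE public key is deliberately out of scope here.

```python
import hashlib
import struct
from dataclasses import dataclass

# Flag bits in the authenticatorData flags byte (WebAuthn Level 2, section 6.1).
FLAG_UP = 0x01  # user present (touch / presence test)
FLAG_UV = 0x04  # user verified (biometric, PIN, or device passcode)
FLAG_BE = 0x08  # backup eligible (synced passkey)
FLAG_BS = 0x10  # backup state (currently backed up)
FLAG_AT = 0x40  # attested credential data follows (registration only)
FLAG_ED = 0x80  # extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    def user_present(self) -> bool:
        return bool(self.flags & FLAG_UP)

    def user_verified(self) -> bool:
        return bool(self.flags & FLAG_UV)

    def backed_up(self) -> bool:
        return bool(self.flags & FLAG_BS)


def parse_authenticator_data(data: bytes) -> AuthData:
    """Parse the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    rp_id_hash = data[:32]
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    return AuthData(rp_id_hash, flags, sign_count)


def check_assertion(auth_data: bytes, rp_id: str, stored_sign_count: int,
                    require_uv: bool) -> tuple[bool, str]:
    """Relying-party checks on an assertion's authenticatorData.

    Returns (accepted, reason). Signature verification over the credential's
    public key is a separate step and is not shown here.
    """
    ad = parse_authenticator_data(auth_data)

    expected_hash = hashlib.sha256(rp_id.encode("utf-8")).digest()
    if ad.rp_id_hash != expected_hash:
        return False, "rpIdHash does not match the relying party ID"

    if not ad.user_present():
        return False, "UP flag not set: no presence test"

    # A high-value action (e.g. a transfer) should insist on user verification,
    # which is where biometrics / secure-enclave-backed PINs come in.
    if require_uv and not ad.user_verified():
        return False, "UV flag not set: authenticator did not verify the user"

    # Counter check per the spec: if either counter is non-zero, the new value
    # must be strictly greater than the stored one, else the credential may be cloned.
    if (ad.sign_count != 0 or stored_sign_count != 0) and ad.sign_count <= stored_sign_count:
        return False, "signature counter did not increase: possible cloned authenticator"

    return True, "ok"


def make_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample data for this example (not produced by a real authenticator)."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def demo() -> dict[str, tuple[bool, str]]:
    """Run the checks against a few constructed scenarios (hypothetical RP ID bank.example)."""
    rp = "bank.example"
    touch_only = make_authenticator_data(rp, FLAG_UP, 5)
    biometric = make_authenticator_data(rp, FLAG_UP | FLAG_UV, 6)
    replayed = make_authenticator_data(rp, FLAG_UP | FLAG_UV, 5)
    wrong_rp = make_authenticator_data("evil.example", FLAG_UP | FLAG_UV, 7)
    return {
        "login, touch-only key": check_assertion(touch_only, rp, 4, require_uv=False),
        "transfer, touch-only key": check_assertion(touch_only, rp, 4, require_uv=True),
        "transfer, biometric key": check_assertion(biometric, rp, 5, require_uv=True),
        "transfer, counter replay": check_assertion(replayed, rp, 5, require_uv=True),
        "transfer, wrong RP": check_assertion(wrong_rp, rp, 5, require_uv=True),
    }


if __name__ == "__main__":
    for scenario, (ok, reason) in demo().items():
        print(f"{scenario:28s} -> {'accept' if ok else 'reject'}: {reason}")
```

The split between `require_uv=False` for a plain login and `require_uv=True` for a transfer is the policy lever the thread is describing: a site can accept any presence-tested credential to read balances while demanding a user-verifying authenticator (biometric or PIN backed by a secure element, TPM, or phone enclave) before money moves, and the `FLAG_BS` bit tells it whether the passkey is a synced copy rather than a hardware-bound one.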