Comment by bombcar
4 months ago
Do you really NEED to be forced to attest if you can make your phone look like any damn PC using a browser?
4 months ago
Do you really NEED to be forced to attest if you can make your phone look like any damn PC using a browser?
These days browsers are becoming increasingly distrusted. My bank logs my browser out after 30 minutes inactivity and then to log back in I have to confirm the login on my phone.
That… seems reasonable? My bank does that with their website and their mobile app. I was able to setup 2fa using a totp app, so i don’t rely on sms for that part
It is given the environment. But it does highlight the poor security of desktop browsers where they are only trusted to do anything when a phone app approves it. While the phone app is considered secure enough to just stay logged in perpetually without any external confirmation.
To hack the banks app you have to find an exploit in iOS or Android which would allow you to read the other apps private storage, which is borderline impossible now. To hack the banks website you just have to buy some random browser extension and add malware to it, or break into someones NPM account and distribute it there, or any number of ways to run code on someone else's computer. Something very achievable by an individual.
5 replies →
It's not reasonable at all.
1 reply →
This isn't the browser not being trusted, it's access to the device the browser runs on. Forcing logout when idle, and authenticating again, is good in general to avoid leaving something accessible when walking away from it, even if it's a home computer that is otherwise "secured".
This seems desirable? Is your phone the only 2FA available?
webauthn cares about the strength of the authenticators used. Mobile has standard libraries for biometrics and secure enclaves. This is less common on desktops and laptops. Your bank may offer the ability to enroll a yubikey or similar.
I can’t tap my PC to buy a burrito at Chipotle.
So you pay more money and also give up your privacy for what you could pay cash for. I don't think you're the target market for this phone.
I pay less money for my burrito than I would with cash, but the reason I use my phone is convenience, not cost.
> I don't think you're the target market for this phone.
My comment is downstream of the entertaining of a possibility of:
> a significant user base that runs alternative operating systems
... which isn't going to happen if you ask your users to give up commonly used features. It will forever be a niche project, at best.
1 reply →
This sounds like a challenge to me.
It’s actually super easy and not a challenge. The lowest tech way to do it would be the tape a cc with tap functionality to the inside of a laptop.
2 replies →
I took "tap to pay" being clicking on Order in an app; and I have certainly made a "online order" from inside the Chipotle, on their wifi with my laptop (usually because walking to the counter would cost more because of stupid promotions).
It makes more sense that they're referring to Apple Pay or similar shenanigans (which itself is more annoying than a credit card, to be honest, Face ID goes wrong or the double click closes the wallet app instead of authenticating way too many times, especially if you're trying to do it one-handed).
I can tap my debit card to buy a burrito, no apps required on my end.
You seem to be part of the problem. As long as people like you are happy to run spyware on their phones for the sake of convenience or a meager discount, companies will be empowered to make such software and devices a requirement.
Do you think the same for using credit cards in general or is using the phone somehow worse?
3 replies →
My bank doesn't let me do anything in the browser without 2FA, and the only 2FA they offer is their smartphone app.
My other bank offers 2FA via chip reader as an alternative. I guess that's somewhat viable for an alternative phone OS, if you want to carry the reader around with you
That might just be European banks though
That could be nice on the Librem 5 which has an integrated smartcard reader.
My bank is migrating online banking to an app-only platform. I could see attestation following very shortly afterwards.
Some banks require app confirmation for PC-initiated transactions, using play integrity requiring apps. Cause security, you know.
I think it's time to look for a new bank.
In my country we have a large religious community that eschews smartphones. Due to this no company or government agency requires a smartphone for service.
5 replies →
It's because it's way easier to install malware on PC than mobile. None of us are immune either. In recent times there has been malware distributed by common NPM packages as well as game mods. Every NPM package you install has the ability to steal your browser session tokens and the only thing stopping the attacker from actually logging in and spending your money is the fact it has to be confirmed on your phone.
Choosing between a risk of that and preinstalled non-removable malware in every phone? Tough one, I know.
That doesn't require a bank approved app - we already have authentication mechanisms that are standardized.
People do proprietary bullshit because they want to do proprietary bullshit. Anything else is made up.
What kind of transactions require this? Normal bank transactions don't, right?
Fraud prevention on my primary transaction account requires 2FA for every transfer.
The only supported 2FA is the bank's own dedicated 2FA app.
1 reply →
Depends on the bank's policies. Currently it tends to be when you transfer to a new destination and/or above a certain amount. I could certainly imagine a bank requiring it for every PC-initiated transaction as and when they reach a point where most normie customers are using their app.
4 replies →
My brokerages require it every time I login from a computer. My bank will require it if it can't find a cookie from a previous login session. Occasionally, my bank will require it seemingly randomly since I usually log in at least once a week from my laptop yet every couple of months or so I have to reconfirm on the app or another secondary method.
1 reply →
Transfer of more than a set amount between even your own accounts in different banks.
5 replies →
Websites are starting to make use of passkeys and TPM stuff on the device for workflows where money is involved.