Comment by kennywinker
6 months ago
That… seems reasonable? My bank does that with their website and their mobile app. I was able to setup 2fa using a totp app, so i don’t rely on sms for that part
6 months ago
That… seems reasonable? My bank does that with their website and their mobile app. I was able to setup 2fa using a totp app, so i don’t rely on sms for that part
It is given the environment. But it does highlight the poor security of desktop browsers where they are only trusted to do anything when a phone app approves it. While the phone app is considered secure enough to just stay logged in perpetually without any external confirmation.
To hack the banks app you have to find an exploit in iOS or Android which would allow you to read the other apps private storage, which is borderline impossible now. To hack the banks website you just have to buy some random browser extension and add malware to it, or break into someones NPM account and distribute it there, or any number of ways to run code on someone else's computer. Something very achievable by an individual.
> But it does highlight the poor security of desktop browsers where they are only trusted to do anything when a phone app approves it.
Does it? The browser doesn't do anything, the person sitting at the computer where the browser is running is what performs the actions. The reauthentication and 2fa is meant to authenticate and authorize the user, not the browser.
The attack vector of someone else using your phone using an app that doesn't require (re)authentication is independent of the browser or the app itself being trusted. That your bank doesn't periodically require some kind of re-authentication for their app is a security hole, but because the device could fall into the wrong hands, not because the code/app/browser used to access it isn't trusted.
That is true. I guess one of the main differences is the bank app can run a faceid check when you open the app and before you make a transaction while websites don't have access to these apis. So they are forced to make you approve the action via your phone.
3 replies →
It's not reasonable at all.
Could you elaborate on what part you find un-reasonable, and why?