Comment by array_key_first

6 months ago

That's because they're stupid or doing something suspicious, probably both.

There's legitimately zero reason to allow 2FA only on your own propreitary app. You can't even make a financial argument - allowing other TOTP methods is cheaper because now you don't need an app!

11 comments

array_key_first

Reply
buzer  6 months ago

Unfortunately the EU regulation makes the truly user controlled 2FA methods essentially non-compliant.

https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

> Article 7 Requirements of the elements categorised as possession

> 1. Payment service providers shall adopt measures to mitigate the risk that the elements of strong customer authentication categorised as possession are used by unauthorised parties.

> 2. The use by the payer of those elements shall be subject to measures designed to prevent replication of the elements.

  • jojobas  6 months ago

    This says something along the lines of "it should be hard to extract the TOTP secret".

    However if you can get so far as to get the secret from the TOTP app, you can as well back up the entire phone and restore elsewhere, can't you?

    • nh2  6 months ago

      No, because phones that lock keys in hardware effectively prevent that, and that works only with hardware that prevents its owners from having full control an doing what they want with their hardware.

      "Unextractable keys" works with hardware that you don't "truly own".

      2 replies →

weikju  6 months ago

> That's because they're stupid or doing something suspicious, probably both

Small comfort for whoever needs to use that bank. This is the disconnect geeks and Free Software needs to bridge to make any headway.

  • array_key_first  6 months ago

    I mean, I concur, but ultimately I can't fix shitty banks being shitty. No geeks can. Banks have been shitty for a long, long time.

    Do you know how we usually stop them from being shitty? Forcefully, with legislation.

  • exe34  6 months ago

    it costs basically nothing to change banks. you sign up to a new one and they transfer your account and direct debits. you just tell your employer where to send your next salary payment.