Comment by TeMPOraL

4 months ago

Because your bank isn't even trying to be secure, relative to what's considered industry standard.

Be grateful while it lasts.

Why do you think their bank "isn't even trying to be secure"?

  • Because SMS is not considered a secure 2FA mechanism anymore, and hasn't been for a while. If that's the default for that bank, and not GP going out of their way to pick a legacy access path, then they're about a decade behind what's considered industry standard -- which today is querying a second factor not just per login, but also per important operations (money transfers, dispositions, changes in settings), with the second factor being by default a smartphone with hardware and software integrity verified via remote attestation.

    • Then literally every US business and government is not trying to be secure. I cannot name a single organization that does not offer the option of, or require, SMS 2FA.

      I think the government and large businesses like it that way, as it makes the mobile network providers into a sort of credit check (or "are you worth dealing with") mechanism.

      1 reply →

    • I haven't heard a compelling reason why remote attestation is more secure.

      The whole point of 2FA was to have two devices that you own. Now the bank is forcing your login and 2FA to be on the same device, which is the easiest device to steal.

      What about SMS is somehow worse than that?

      4 replies →
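The thread argues about SMS codes versus a per-operation second factor on a phone. The concrete difference is whether the code is bound to what is being approved. The following is an added example, not code from any commenter or bank: it models a per-transaction approval as an HMAC over the transaction details plus a server nonce, and contrasts it with an SMS-style one-time code that the server checks without reference to the transaction. The shared `DEVICE_SECRET`, the `tx` dictionaries and the nonce are constructed for the example; a real deployment would use a key held in the phone's secure hardware (which is what remote attestation vouches for) rather than a shared HMAC secret, and that part is deliberately not modelled here.

```python
import hashlib
import hmac
import json
import secrets

# Constructed for the example: a per-device secret provisioned at enrolment.
# Real phone-based schemes use an asymmetric key in secure hardware instead.
DEVICE_SECRET = hashlib.sha256(b"example-enrolment-secret").digest()


def canonical_tx(tx: dict) -> bytes:
    """Canonical encoding so device and bank hash exactly the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def bank_issue_nonce() -> bytes:
    """Per-approval nonce so an approval cannot be replayed later."""
    return secrets.token_bytes(16)


def device_approve(secret: bytes, tx: dict, nonce: bytes) -> str:
    """What the phone computes after showing the user the payee and amount."""
    return hmac.new(secret, nonce + canonical_tx(tx), hashlib.sha256).hexdigest()


def bank_verify_bound(secret: bytes, tx: dict, nonce: bytes, code: str) -> bool:
    """Bank recomputes over the transaction it is about to execute."""
    expected = device_approve(secret, tx, nonce)
    return hmac.compare_digest(expected, code)


def bank_verify_sms(expected_otp: str, submitted: str) -> bool:
    """SMS-style check: the code carries no information about the transaction."""
    return hmac.compare_digest(expected_otp, submitted)


def scenario() -> dict:
    """Legitimate transfer, then an attacker swaps the payee after the user approved.

    Returns which checks accept the tampered transaction.
    """
    nonce = bank_issue_nonce()
    intended = {"payee": "IBAN-USER-SAVINGS", "amount": "100.00", "currency": "EUR"}
    tampered = {"payee": "IBAN-ATTACKER", "amount": "100.00", "currency": "EUR"}

    # Bound factor: the device signs what the user saw on screen.
    code = device_approve(DEVICE_SECRET, intended, nonce)
    bound_ok_intended = bank_verify_bound(DEVICE_SECRET, intended, nonce, code)
    bound_ok_tampered = bank_verify_bound(DEVICE_SECRET, tampered, nonce, code)
    # Replay of the same approval under a fresh nonce must also fail.
    bound_ok_replay = bank_verify_bound(DEVICE_SECRET, intended, bank_issue_nonce(), code)

    # SMS factor: a six-digit code the user types into whatever form is in front of them.
    sms_otp = f"{secrets.randbelow(10**6):06d}"
    sms_ok_intended = bank_verify_sms(sms_otp, sms_otp)
    # A phished or SIM-swapped OTP is equally valid for the attacker's transaction,
    # because nothing ties it to the payee.
    sms_ok_tampered = bank_verify_sms(sms_otp, sms_otp)

    return {
        "bound_accepts_intended": bound_ok_intended,
        "bound_accepts_tampered": bound_ok_tampered,
        "bound_accepts_replay": bound_ok_replay,
        "sms_accepts_intended": sms_ok_intended,
        "sms_accepts_tampered": sms_ok_tampered,
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The point the block makes is the one in the "per important operations" comment above: an SMS code proves only that someone holding the phone number typed the digits, so it protects the login step and nothing after it, while an approval computed over the payee and amount fails the moment an intermediary changes either. Whether the phone doing that computation is trustworthy is the separate question remote attestation tries to answer.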