Comment by ignoramous
17 days ago
> It's funny that the EU uses all this mobile attestation BS more than the US does
Attestation in on itself isn't unwarranted which (to me) is an important security measure. Attestation as commonly implemented on Android via Play Integrity (the way banking apps are known to do) is restrictive, sure: https://grapheneos.org/articles/attestation-compatibility-gu... / https://archive.is/snGEu
> important security measure
It's a security measure against the owner of the device, in other words, an attack. Would you be okay with me using a remote control to forcibly slow down your car so I can merge? Using attestation this way is fundamentally incompatible with ownership. If the bank wants some assurance about a device, they need to sell or issue one to me, like credit cards or point of sale machines, which are explicitly not your property.
The fact that the assurance is provided by a third party you have little recourse against just adds insult to injury.
>against the owner of the device
Would you consider MFA to be a measure against you, the owner of the device, because it makes it harder for you to login?
>If the bank wants some assurance about a device, they need to sell or issue one to me
They are offering you free software and are operating under a security model tied to these specific devices. You're still free to walk into their branches, or use their physical cards, if you prefer not use their limited selection of devices.
>Would you be okay with me using a remote control to forcibly slow down your car
Car manufacturers do this as well though. Some of this is for the benefit of their customers (preventing theft from easily cloned keys). Some of this is not for customer benefit, like locking down infotainment systems.
Banks however are only interested in preventing fraud.
> Would you consider MFA to be a measure against you, the owner of the device, because it makes it harder for you to login?
In theory - of course, it shouldn't make it any harder for _me_ to login, it's just that in practice the friction is inevitable since it can't distinguish between me and someone else without it.
> You're still free to walk into their branches, or use their physical cards, if you prefer not use their limited selection of devices.
The point is that this freedom is going away. I'd absolutely want to use their physical cards (there are smartcards with e-ink displays which would be a great thing for confirming payments), but no, they're slowly taking this away, starting by limiting transfers done without their mobile app.
And _their_ mobile app needs to invade __my__ property by locking down the system. I understand this might be neccessary to ensure the UI can be trusted, but this shouldn't happen on my device as it restricts my ability to do completely unrelated things.
> MFA to be a measure against you
Not really, unless the MFA involves the same type of attestation involved in the process. TOTP is fine, and you can put it in your password manager to avoid phones, and can be done without consenting to any spying. And I don't really own the account anyway.
> use their physical cards
The premise of this discussion is these will get replaced by the hostile phone app, since the Europeans are too lazy to make a proper replacement.
> locking down infotainment systems
I don't agree with that either, but you can presumably buy a car without one, and you'd still be allowed to drive. What if the government says, you can't drive anymore UNLESS you use the locked down infotainment system and consent to all the ads/spying that comes with it?
> If the bank wants some assurance about a device, they need to sell or issue one to me, like credit cards or point of sale machines, which are explicitly not your property.
In this example, a banking app is not making the entire Android device non functional when it refuses to work when remote attestation like Play Integrity fails.
It is colluding with a third party to increase their power. What devices pass Play Integrity? Yeah, the same ones with all the telemetry and spying that you can't remove. I thought the government is supposed to protect consumer rights, not to tilt the playing field even further.
Like I said, I'd be fine if they offer a viable alternative, like a card or a physical authentication dongle (which doesn't require spyware to use).
I don't want to depend on google and android for EU mobile attestation or the like. I didn't think anyone wants government enforced duopolies.
An important security measure for who, though? The servers at the bank should "never trust the client" in case the attestation is bypassed or compromised, which is always a risk at scale.
If it's an important safety measure _for me_, shouldn't I get to decide whether I need it based on context?
I think it's fair for banks to apply different risk scores based on the signals they have available (including attestation state), but I also don't want the financial system, government & big tech platforms to have a hard veto on what devices I compute with.
It's an anti-brute-force mechanism. It's not for you, it's for all the other accounts that an unattested phone (or a bot posing as an unattested phone that just stole somebody's credentials via some 0-day data exfiltration exploit) may be trying to access.
Sure, banks could probably build a mechanism that lets some users opt out of this, just as they could add a Klingon localization to their apps. There just isn't enough demand.
If you work on mobile apps you will notice that full attestation is too slow to put in the login path. [This might be better than it used to be, now in 2026].
I don't think a good security engineer would rely on atty as "front line" anti brute force control since bypasses are not that rare. But yeah you might incorporate it into the flow. Just like captchas, rate limiting, fingerprints etc and all the other controls you need for web, anyway.
I know I'm quibbling. My concern is that future where banks can "trust the client" is a future of total big tech capture of computing platforms, and I know banks and government don't really care, but I do.
8 replies →