Comment by Aerroon
6 days ago
2FA is a requirement in Europe. I can't log into my bank account without my phone being able to run the app.
6 days ago
2FA is a requirement in Europe. I can't log into my bank account without my phone being able to run the app.
But 2FA is moot if it’s the same device as your bank app, is it not?
Yes. Please tell my bank that.
They know. The EU directive is quite clear that hw tokens are to be preferred over phones. Banks are cheap though and violate it.
Switch bank.
It is in the specific case that you don't have biometric or PIN login set up on the device and you use a password manager that doesn't require authentication. In that case, the only factor is "something you have". Otherwise, it is still a multi-factor authentication because the device itself still represents "something you have", and your device unlock represents "something you know" or "something you are".
Nearly all the security value of 1fa is that it keeps your users from picking the own passwords.
The "app" is probably a web page written in JS. Rarely its a native app in either Kotlin or Swift but then you have to maintain 2 different apps in 2 different languages with 2 different OSes for the devs. So unless the app really specifically requires something special, its just a web page. Even (and especially) your banking app.
2FA and Google SafetyNet are two completely different things. Your banking app can implement 2FA without SafetyNet.
It's Play Protect and Play Integrity now, not SafetyNet, in case anyone wants to look it up
I would stop using bank requiring phone app to do banking, simple as that, both my main EU accounts use sms verification codes and extra password, which is fine with me. If they will require an app, they will lose customer.
So what are you going to do when all of them requires it?
2fa does not mean smartphone. There are other variants too