undefined | Better HN

0 pointserinnh1y ago0 comments

This is definitely not the case everywhere.

Where I live the app is 100% needed because it’s the „second factor“ in the login process.

0 comments

There has to be a fallback like SMS and/or automated call.

For my banks the only fallback is a hardware device that you put your card into. Before the app you had to carry this everywhere when traveling to do online banking.

Too1y ago

SMS is magnitudes less secure than the Secure Enclave in my phone.

Fallback should never be the weakest link in a security chain. Especially not in something as high stakes as your banking login.

I can’t remember how I got my first bank token in my phone. Probably by physically showing up in the bank office with my id.

The_Colonel1y ago

SMS 2FA is not great, but still seems to be more secure than a rooted phone.

If your SMS OTP leaks to the attacker, they still need to know the first factor (password, biometrics) to gain access.

Meanwhile, if your rooted phone is controlled by an attacker ... that's it, the attacker has everything.

1 more reply

didntcheck1y ago

Agreed. Unfortunately almost every bank here forces me to use this less secure option "for security" due to my rooted phone. Not one has just offered standard TOTP (perhaps because the pull-only nature of it means they can't present the message explicitly telling the user what they're about to authorize. Which is an understandable qualm I guess)

eganist1y ago

> SMS is magnitudes less secure than the Secure Enclave in my phone.

The secure enclave on a rooted phone that no longer has execution integrity?

eganist1y ago

Curious, can you name this institution that only allows the app to be used as the second factor without fallbacks?

iforgotpassword1y ago

In Germany: all of them.

Well, some offer a hardware device for like 25€ that can do the same thing, but then if you have an account with multiple banks, you need multiple of these devices.

j / k navigate · click thread line to collapse

0 comments

The_Colonel1y ago

There has to be a fallback like SMS and/or automated call.

akvadrako1y ago

For my banks the only fallback is a hardware device that you put your card into. Before the app you had to carry this everywhere when traveling to do online banking.

Too1y ago

SMS is magnitudes less secure than the Secure Enclave in my phone.

Fallback should never be the weakest link in a security chain. Especially not in something as high stakes as your banking login.

I can’t remember how I got my first bank token in my phone. Probably by physically showing up in the bank office with my id.

The_Colonel1y ago

SMS 2FA is not great, but still seems to be more secure than a rooted phone.

If your SMS OTP leaks to the attacker, they still need to know the first factor (password, biometrics) to gain access.

Meanwhile, if your rooted phone is controlled by an attacker ... that's it, the attacker has everything.

1 more reply

didntcheck1y ago

eganist1y ago

> SMS is magnitudes less secure than the Secure Enclave in my phone.

The secure enclave on a rooted phone that no longer has execution integrity?

eganist1y ago

Curious, can you name this institution that only allows the app to be used as the second factor without fallbacks?

iforgotpassword1y ago

In Germany: all of them.

Well, some offer a hardware device for like 25€ that can do the same thing, but then if you have an account with multiple banks, you need multiple of these devices.

j / k navigate · click thread line to collapse