undefined | Better HN

0 pointsiggldiggl1y ago0 comments

> but I don't get why they aren't using plain TOTP, so you can use any authenticator app you'd like

Compared to the non-app solutions I'm familiar with in Germany, TOTP lacks at least two things:

1. There are no guarantees as to what happens to the shared secret (whereas at least some of these alternative solutions use your debit card as a smartcard to securely store the secret). From an individual point of view I guess that's perhaps a welcome trade-off (no backup solution except for manually registering a second key everywhere is part of the reason I'm not keen on Yubikeys and the like for replacing all my logins), but banks might have differing opinions.

2. Perhaps more importantly, you can't really authenticate the individual transaction, because the TOTP is only based on the (fixed) shared secret and the current time. The TAN generator solutions I'm familiar with on the other hand also include the destination account and sum of money to be transferred in the TAN calculation (and those get displayed for confirmation on the TAN generator's display), so a malicious website impersonating your bank's online banking can't forge those things.

0 comments

lifestyleguru1y ago

> Perhaps more importantly, you can't really authenticate the individual transaction,

> also include the destination account and sum of money to be transferred in the TAN calculation

Which banks have it implemented? You are giving them too much credit. In most cases their 2FA is simply code consisting of digits or tapping multiple "confirm" without any context inside of their losy apps. In my personal anecdotal experience only SMS 2FA contain some additional information what exactly are you confirming.

iggldigglOP1y ago

> Which banks have it implemented?

In Germany all banks here (https://www.kontofinder.de/ratgeber/tan-verfahren-ueberblick...) that are listed as supporting chipTAN [1], plus probably most of those that are listed as supporting photoTAN [2] allow using a hardware photoTAN generator instead of an app, too (though sadly some banks like Ing-Diba require their own proprietary photoTAN generator instead of a standard photoTAN-device as supported by some other banks).

[1] That one is using your debit card as a smartcard for the shared secret.

[2] That one requires the shared secret to be transmitted to you in some form (probably a QR-code or something similar in a letter) and set up in the photoTAN generator app/hardware device on first use.

j / k navigate · click thread line to collapse