i think the EU should pass legislation that enforces standards based 2factor auth (like totp/hotp) for banks, health insurance etc. it is absolutely unacceptable that people are forced to buy android/ios smartphones to use critical services
@mntmn I am quite happy that my bank supports a really secure 2FA: ChipTAN. It needs an extra device, yes, but the TANs are generated from a secret stored on my GiroCard and data about the transaction.
@mntmn better yet, EU should pass legislation that requires all ID authentication software to be owned by the public, open source, and entirely system agnostic.
it's insane that digital ID is privatized, mandatory, and yet only supported on android and ios - preventing european competition from entering the market.
hell, windows should be banned from use within governments. why the hell is a foreign corporation paid billions of public money annually when we could use taxes to develop our own?
@mntmn They have something like this in Sweden; it’s called BankID, and while most people use a mobile app, there is also (IIRC) a desktop implementation using a smartcard and a USB-powered reader.
@mntmn my bank in my home country has been using these for decades… in addition they offer an app… but the app still requieres the code from the token generator in addition to the regular password. In addition for some unusual transactions it will ask for an extra sms based OTP. We don’t have laws requiring banks to do that.
@mntmn@theartlav I asked my bank to send me one of those hardware token generators where you put your girocard in. It works perfectly and I prefer that over another app (also for security reasons). It cost like 20 euros (once), and I'm happy with it.
@lanodan There are a lot of contradictions with banks, but we can't blame them for following the actual regulations…
Moreover credit cards neither are contextual: the regulation says that the MFA device must display the information about the transaction you are validating, such as the amount or company's name. Good luck with your credit card though ^^'
By the way, company's name is pretty much bullshit as demonstrated many times over with: Company names not being unique (see issues with EV certificates), porn sites using ~shell companies, payment processors (Stripe, Paypal, …) being the ones shown when the business isn't doing it by itself, …
And the amount also is because by design you can charge a card again so subscriptions work.
@lanodan TBH I would be quite satisfied with some FIDO2 authentication…
Moreover because the strong authentication for online payments is still up to the vendor website, so completely useless when you see that even for banks it's not enabled (coucou La Poste).
Any scammer can order anything from almost anywhere x)
Add comment