this post was submitted on 19 Jul 2023
6 points (100.0% liked)

AusFinance

993 readers
2 users here now

founded 1 year ago
MODERATORS
 

Do you happen to know banks that meet these criteria?

  • Telephone banking (of some fashion) provided
  • TOTP for 2FA is a) available and b) its use is not contingent on the use of an app; 2FA seeds are freely exportable by the user via web login
you are viewing a single comment's thread
view the rest of the comments
[–] Zagorath@aussie.zone 1 points 1 year ago (6 children)

Even weirder to me is what my bank does, which is use a third-party app (Symantec VIP) that is based on standard TOTP but wraps it in their own proprietary layer to prevent importing it into other apps. The bank gains absolutely nothing from this, and neither does the customer. If they wanna use a proprietary app with extra functionality like how Microsoft’s 2FA app does push notifications, I get that. If they want to push their own app for branding purposes, I hate that, but I get it. But why force me into a different company’s app that adds no value to the experience?

[–] RealVenom@aussie.zone 2 points 1 year ago (5 children)

Getting the user to use their app is pretty important. You may only be using TOTP now, but it allows for more intelligent multi factor authentication later on.

E.g. the app could check your risk profile, like where you're accessing from and if any impossible travel took place. They may add multi step auth like push notifications or biometrics.

By letting customers use Google authenticator you are limiting MFA to only TOTP. MFA isn't just an on and off switch anymore.

[–] ode@discuss.tchncs.de 2 points 1 year ago (1 children)

Intelligent is a euphemism for invasive.

~~Consumers~~ People who earn a living must have real choice in authentication options. It's unacceptable to freeze out open standards because an internal marketing projection suggests the bank will make a few dollars doing so. If I only want to employ login+passphrase+TOTP, that's my prerogative.

[–] RealVenom@aussie.zone 1 points 1 year ago

Is it though? No offence but the vast majority of "people" do not know authentication well enough to be given their choice of login method.

And when we entrust non-security vendors to implement their own authentication, you get situations like ServiceNSW encrypting and storing credentials with a 4 digit pin.

If a bank wants to use a security vendor to strengthen their authentication, that's better than the alternative, I'd prefer that to what I have experienced with one of the big 4 where they still use SMS.

load more comments (3 replies)
load more comments (3 replies)