• pinball_wizard@lemmy.zip · 44 up, 15 down · 14 days ago

    Counterpoint: I use the McDonald’s app where it belongs - on a giant greasy ordering kiosk.

    But seriously, banks have websites. Everyone and everything has a website.

    I don’t need Android apps at the cost of my privacy or at the cost of control of my devices.

    I use GrapheneOS as my only phone, and I have done so for years.

    Whatever the topic, I don’t need an app for that.

    • hessenjunge@discuss.tchncs.de · 60 up, 2 down · 14 days ago

      I don’t know about the US but on this side of the pond banks have their own 2nd factor apps. So to log in to a bank’s website you need an app - quite probably with play integrity.

      • AmbiguousProps@lemmy.today · 17 up · 14 days ago (edited)

        That’s insane. I have never heard of such a thing, but I’m in the US, where most banks don’t even have a non-SMS second factor.

      • miss phant@lemmy.blahaj.zone · 7 up · 14 days ago

        I’ve been using a dedicated TAN generator for banking since I first opened my account, but I don’t doubt that’s going away at some point, since debit cards from the same bank already require an app for 3-D Secure.

      • eleitl@lemmy.zip · 6 up, 1 down · 14 days ago

        No, hardware TAN generators work fine. If the bank wants to force me to use proprietary snake oil, it’s time for a new bank. Or use a dedicated old smartphone just for the app.

      • Lka1988@lemmy.dbzer0.com · 2 up · 13 days ago

        That sounds extremely inconvenient. Individual apps for 2FA? No thanks. I’m good with KeePass and Aegis, both open source and encrypted, and they don’t require any extra hardware.

      • pinball_wizard@lemmy.zip · 1 up · 12 days ago

        Dang. Y’all need to pick better credit unions. MFA rolling token is an open standard. Any single app can support all of my (correctly implemented) tokens. I prefer Aegis, but they (correctly implemented MFA apps) all work.

        I don’t want to trust my money to someone who can’t implement standards compliant MFA.

        That would scare the daylights out of me.

        • hessenjunge@discuss.tchncs.de · 2 up · 11 days ago

          Well, they have had a kind of 2FA for at least 30 years, long before rolling tokens were all over the place. Their latest implementations are as simple to use as Steam 2FA. If a bank isn’t able to implement a proper 2FA login, there’s a ton of other security issues to worry about. Lastly, I think by using their own implementation/app they prevent their customers from using compromised apps.

          • pinball_wizard@lemmy.zip · 1 up · 11 days ago (edited)

            > If a bank isn’t able to implement a proper 2FA login there’s a ton of other security issues to worry about.

            Exactly. Any organization whose MFA doesn’t work on Aegis, I take action to protect myself from their incompetence.

            > Lastly, I think by using their own implementation/app they prevent their customers from using compromised apps.

            I’m sure they claim that. But I still recognize it as simple incompetence. They aren’t able or willing to hire someone with the Cybersecurity expertise to implement a relatively simple open specification.

            Y’all are welcome to risk your money there. It’s probably insured anyway, right?

            For me, that’s too much risk. Even if insurance makes me whole, getting robbed is a huge pain.

            • hessenjunge@discuss.tchncs.de · 1 up · 11 days ago (edited)

              > Exactly. Any organization whose MFA doesn’t work on Aegis, I take action to protect myself from their incompetence.

              That’ll surely end their business. /s

              > I’m sure they claim that. But I still recognize it as simple incompetence. They aren’t able or willing to hire someone with the Cybersecurity expertise to implement a relatively simple open specification.

              Just out of curiosity: What percentage of the population is capable of running Graphene/Aegis? What percentage, regardless of capability, is willing to do so?

              Creators of popular OSS regularly warn about downloading their stuff elsewhere or paying for it. How do you think that would apply to any 2FA application?

              Now think of how stupid the average person is, and realize half of them are stupider than that. (Love some George Carlin.) Given that even (very) stupid people have and need bank accounts: how would you implement an authentication that can’t easily be compromised to rip off stupid people?*

              * Let’s just assume that you, the lead developer, are not at all “incompetent”, quite the opposite. Also take into consideration that you need to keep cost down (hint: that means you want no one to call support because of third-party applications!).

              • pinball_wizard@lemmy.zip · 1 up · 10 days ago

                This is actually a solved problem:

                The credit union implements (purchases from a competent vendor) their own custom-branded, standards-compliant MFA solution.

                This is what competent organizations already do.

                Because the app is standards compliant, experts use Aegis instead of the branded app. Everyone else sticks with the branded app.

                Also because the app is standards compliant, provided by a specialized vendor, and occasionally being used in unusual ways by expert users, serious security mistakes are much less likely to happen, and less likely to only be noticed by attackers.

                I don’t expect my credit union to tell me to use Aegis - I expect them to use a credible MFA vendor that interoperates correctly when I do use Aegis.

    • Wispy2891@lemmy.world · 17 up, 2 down · 14 days ago

      Counter-counterpoint:

      Banks use their app to generate the OTP, and they reinvented the wheel, so if you want to log in you need to install it; you can’t use a generic authenticator. I am not aware of any single bank in the EU that allows the use of generic authenticators.

      For McDonald’s, using the app gives at least 50% off. A menu in the app costs 5 euro while on the store kiosk it costs 12 euro. I do not personally care because I find their food to be just barely edible, but I understand why there’s a need to install the app.

      • thedarkfly@feddit.nl · 3 up, 1 down · 14 days ago

        Some people have no smartphone at all. How can they be customers at your bank?

        • redjard@lemmy.dbzer0.com · 3 up · 14 days ago (edited)

          My bank had a device that was basically a simple Android phone running the 2FA app. The phone app got updated through new versions and eventually got the DRM treatment, but the old app keeps working because it is still running on those dedicated 2FA “devices”.
          Naturally the bank is now trying their best to make people deregister the old “devices” and switch to only the “app”.

          The old app has no internet permissions. It reads a QR code from the camera and shows the verification as a 6-digit code.
          The new app has internet permissions and is integrated with other apps, so you can conveniently accept the request of your banking app in the 2FA app (on the same phone) with a single tap via an overlay. 2FA.

          • thedarkfly@feddit.nl · 3 up, 1 down · 14 days ago

            Damn… The two extremes of the cyberpunk dystopia: no tech at all vs tech slavery.

        • Wispy2891@lemmy.world · 2 up · 14 days ago

          Pay a fee of 0.30€ to receive the OTP via SMS every time they want to log in without the proprietary OTP app, and 0.30€ for each payment to authorize.

          • thedarkfly@feddit.nl · 2 up · 14 days ago

            Fucking hell, y’all make me realize how lucky I am with my bank that runs without gapps.