Conversation

Notices

1. Embed this notice
   minute (mntmn@mastodon.social)'s status on Tuesday, 27-Feb-2024 02:10:39 JST minute

   i think the EU should pass legislation that enforces standards based 2factor auth (like totp/hotp) for banks, health insurance etc. it is absolutely unacceptable that people are _forced_ to buy android/ios smartphones to use critical services

   • Embed this notice
     Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Tuesday, 27-Feb-2024 02:13:17 JST Haelwenn /элвэн/ :triskell:

     in reply to

     • Breizh
     @breizh @mntmn Meanwhile there's devices for this that banks are already issuing en masse and are standard: credit/debit cards.
   • Embed this notice
     Breizh (breizh@pleroma.breizh.pm)'s status on Tuesday, 27-Feb-2024 02:13:19 JST Breizh

     in reply to
     @mntmn Well, the EU is actually enforcing the banks to *not* use TOTP/HOTP because it’s not secure enough (it's not contextual).
     Haelwenn /элвэн/ :triskell: repeated this.
   • Embed this notice
     Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Tuesday, 27-Feb-2024 03:04:39 JST Haelwenn /элвэн/ :triskell:

     in reply to

     • Breizh
     • Eldeberen ⏚
     @Eldeberen @mntmn @breizh Ah, that kind of "contextual" (damn meaningless terms).
     
     By the way, company's name is pretty much bullshit as demonstrated many times over with: Company names not being unique (see issues with EV certificates), porn sites using ~shell companies, payment processors (Stripe, Paypal, …) being the ones shown when the business isn't doing it by itself, …
     
     And the amount also is because by design you can charge a card again so subscriptions work.
   • Embed this notice
     Eldeberen ⏚ (eldeberen@social.middleearth.fr)'s status on Tuesday, 27-Feb-2024 03:04:40 JST Eldeberen ⏚

     in reply to

     • Haelwenn /элвэн/ :triskell:
     • Breizh
     @lanodan There are a lot of contradictions with banks, but we can't blame them for following the actual regulations…
     
     Moreover credit cards neither are contextual: the regulation says that the MFA device must display the information about the transaction you are validating, such as the amount or company's name. Good luck with your credit card though ^^'
     
     @mntmn @breizh
   • Embed this notice
     chebra (chebra@mstdn.io)'s status on Tuesday, 27-Feb-2024 03:28:34 JST chebra

     in reply to

     • Breizh

     @breizh @mntmn

     true, but there is a nuance https://lists.fsfe.org/pipermail/discussion/2024-February/013383.html

   • Embed this notice
     Eldeberen ⏚ (eldeberen@social.middleearth.fr)'s status on Tuesday, 27-Feb-2024 05:20:48 JST Eldeberen ⏚

     in reply to

     • Haelwenn /элвэн/ :triskell:
     • Breizh

     @lanodan TBH I would be quite satisfied with some FIDO2 authentication…

     Moreover because the strong authentication for online payments is still up to the vendor website, so completely useless when you see that even for banks it's not enabled (coucou La Poste).

     Any scammer can order anything from almost anywhere x)

     @mntmn @breizh

     Haelwenn /элвэн/ :triskell: likes this.