Fell
#CyberSecurity and #InfoSec people, what speaks against using TOTP for everything?
It annoys me that every financial institution wants me to install their proprietary app while we already have standards for #2FA. Why can't I approve a transaction with my existing authenticator?
kaia
Fell
@kaia Is that the reason? If they deem TOTP not secure enough (I do), then they should draft a better standard.
Or at the very least let me use a hardware authenticator. My main bank does that, but another (much younger) does not.
Didek
In EU with PSD2, two factor auth from the bank needs to also show you what action you are approving.
Fell
@Caroline @didek @kaia That's actually a valid point. I hope a good standard for this will emerge eventually.
Caroline
@didek @fell
That's right, it's because of the requirements imposed by European regulation #psd2. There doesn't exist any standard for #2fa allowing for displaying transaction information in a secure way on the authenticator. No, not even #FIDO2 solves this! (It used to, with #WebAuthn 1, but that part of the spec was never implemented by browsers, so abandoned in Webauthn 2.) #bank #infosec @kaia
Caroline
@didek @fell
Securely displaying transaction information on the authenticator protects against malware: When you are about to transfer money, a man-in-the-browser malware could change the recipient account and amount, but manipulate what you see in your online banking session, so you won't see it. If you approve this transaction with a standard authenticator, you have no chance to detect the attack. #2fa #infosec #FIDO2 #bank
@kaia
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.