GNU social JP
  • FAQ
  • Login
GNU social JPは日本のGNU socialサーバーです。
Usage/ToS/admin/test/Pleroma FE

  • Public

    • Public
    • Network
    • Groups
    • Featured
    • Popular
    • People

Conversation

Notices

  1. Embed this notice
    Felix Urbasik (fell@ma.fellr.net)'s status on Thursday, 08-Aug-2024 16:08:26 JST Felix Urbasik Felix Urbasik

    #CyberSecurity and #InfoSec people, what speaks against using TOTP for everything?

    It annoys me that every financial institution wants me to install their proprietary app while we already have standards for #2FA. Why can't I approve a transaction with my existing authenticator?

    In conversation about 4 months ago from ma.fellr.net permalink
    • Embed this notice
      kaia (kaia@brotka.st)'s status on Thursday, 08-Aug-2024 16:08:25 JST kaia kaia
      in reply to
      @fell I asked my bank and they told me they cannot do TOTP because it was not a legal 2FA in banking?
      In conversation about 4 months ago permalink
    • Embed this notice
      Felix Urbasik (fell@ma.fellr.net)'s status on Thursday, 08-Aug-2024 16:13:50 JST Felix Urbasik Felix Urbasik
      in reply to
      • kaia

      @kaia Is that the reason? If they deem TOTP not secure enough (I do), then they should draft a better standard.

      Or at the very least let me use a hardware authenticator. My main bank does that, but another (much younger) does not.

      In conversation about 4 months ago permalink
      kaia likes this.
    • Embed this notice
      Dawid Rejowski (didek@101010.pl)'s status on Thursday, 08-Aug-2024 16:42:21 JST Dawid Rejowski Dawid Rejowski
      in reply to
      • kaia

      @fell @kaia

      In EU with PSD2, two factor auth from the bank needs to also show you what action you are approving.

      In conversation about 4 months ago permalink
      kaia likes this.
    • Embed this notice
      Felix Urbasik (fell@ma.fellr.net)'s status on Thursday, 08-Aug-2024 17:54:28 JST Felix Urbasik Felix Urbasik
      in reply to
      • kaia
      • Dawid Rejowski
      • Caroline

      @Caroline @didek @kaia That's actually a valid point. I hope a good standard for this will emerge eventually.

      In conversation about 4 months ago permalink
      kaia likes this.
    • Embed this notice
      Caroline (caroline@hessen.social)'s status on Thursday, 08-Aug-2024 17:54:35 JST Caroline Caroline
      in reply to
      • kaia
      • Dawid Rejowski

      @didek @fell
      That's right, it's because of the requirements imposed by European regulation #psd2. There doesn't exist any standard for #2fa allowing for displaying transaction information in a secure way on the authenticator. No, not even #FIDO2 solves this! (It used to, with #WebAuthn 1, but that part of the spec was never implemented by browsers, so abandoned in Webauthn 2.) #bank #infosec @kaia

      In conversation about 4 months ago permalink
      kaia likes this.
    • Embed this notice
      Caroline (caroline@hessen.social)'s status on Thursday, 08-Aug-2024 17:54:35 JST Caroline Caroline
      in reply to
      • kaia
      • Dawid Rejowski

      @didek @fell
      Securely displaying transaction information on the authenticator protects against malware: When you are about to transfer money, a man-in-the-browser malware could change the recipient account and amount, but manipulate what you see in your online banking session, so you won't see it. If you approve this transaction with a standard authenticator, you have no chance to detect the attack. #2fa #infosec #FIDO2 #bank
      @kaia

      In conversation about 4 months ago permalink

Feeds

  • Activity Streams
  • RSS 2.0
  • Atom
  • Help
  • About
  • FAQ
  • TOS
  • Privacy
  • Source
  • Version
  • Contact

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.