Conversation

    Fell (fell@ma.fellr.net)'s status on Thursday, 08-Aug-2024 16:08:26 JST

    #CyberSecurity and #InfoSec people, what speaks against using TOTP for everything?

    It annoys me that every financial institution wants me to install their proprietary app while we already have standards for #2FA. Why can't I approve a transaction with my existing authenticator?

      kaia (kaia@brotka.st)'s status on Thursday, 08-Aug-2024 16:08:25 JST
      @fell I asked my bank and they told me they cannot do TOTP because it was not a legal 2FA in banking?
      Fell (fell@ma.fellr.net)'s status on Thursday, 08-Aug-2024 16:13:50 JST
      in reply to
      • kaia

      @kaia Is that the reason? If they deem TOTP not secure enough (I do), then they should draft a better standard.

      Or at the very least let me use a hardware authenticator. My main bank does that, but another (much younger) does not.

      Didek (didek@101010.pl)'s status on Thursday, 08-Aug-2024 16:42:21 JST
      in reply to
      • kaia

      @fell @kaia

      In EU with PSD2, two factor auth from the bank needs to also show you what action you are approving.

      Fell (fell@ma.fellr.net)'s status on Thursday, 08-Aug-2024 17:54:28 JST
      in reply to
      • kaia
      • Didek
      • Caroline

      @Caroline @didek @kaia That's actually a valid point. I hope a good standard for this will emerge eventually.

      Caroline (caroline@hessen.social)'s status on Thursday, 08-Aug-2024 17:54:35 JST
      in reply to
      • kaia
      • Didek

      @didek @fell
      That's right, it's because of the requirements imposed by European regulation #psd2. There doesn't exist any standard for #2fa allowing for displaying transaction information in a secure way on the authenticator. No, not even #FIDO2 solves this! (It used to, with #WebAuthn 1, but that part of the spec was never implemented by browsers, so abandoned in Webauthn 2.) #bank #infosec @kaia

      Caroline (caroline@hessen.social)'s status on Thursday, 08-Aug-2024 17:54:35 JST
      in reply to
      • kaia
      • Didek

      @didek @fell
      Securely displaying transaction information on the authenticator protects against malware: When you are about to transfer money, a man-in-the-browser malware could change the recipient account and amount, but manipulate what you see in your online banking session, so you won't see it. If you approve this transaction with a standard authenticator, you have no chance to detect the attack. #2fa #infosec #FIDO2 #bank
      @kaia

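The property Caroline's last two posts describe, shown as an added example that is not part of the thread: a plain TOTP code proves possession of the authenticator but says nothing about which transfer is being approved, so a bank verifying only the code accepts a submission whose recipient and amount were altered in the browser. A MAC computed by the authenticator over the fields it displayed (a simplified stand-in for PSD2-style dynamic linking; the secrets, nonce and account strings are constructed) rejects the altered fields.

```python
import hashlib
import hmac
import struct

# Constructed shared secrets, standing in for keys enrolled on the user's authenticator.
TOTP_SECRET = b"constructed-totp-secret-0123"
TXN_SECRET = b"constructed-txn-signing-key"


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30-second time steps)."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def sign_transaction(secret: bytes, recipient: str, amount_cents: int, nonce: str) -> str:
    """What a transaction-bound authenticator returns: a MAC over the fields it showed the user."""
    msg = f"{recipient}|{amount_cents}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def bank_verify_totp(code: str, t: int, recipient: str, amount_cents: int) -> bool:
    # The recipient and amount are not part of the check: TOTP cannot bind them.
    return hmac.compare_digest(code, totp(TOTP_SECRET, t))


def bank_verify_bound(sig: str, recipient: str, amount_cents: int, nonce: str) -> bool:
    # The bank recomputes the MAC over the fields it actually received.
    return hmac.compare_digest(sig, sign_transaction(TXN_SECRET, recipient, amount_cents, nonce))


def demo(t: int = 1723100000) -> dict:
    # The user intends 50.00 to ALICE; the submission reaching the bank says 5000.00 to MALLORY.
    intended = ("DE00ALICE", 5000)
    tampered = ("DE00MALLORY", 500000)
    nonce = "txn-0001"  # constructed; in practice issued by the bank per transaction
    code = totp(TOTP_SECRET, t)  # what the user reads off a standard authenticator
    sig = sign_transaction(TXN_SECRET, *intended, nonce)  # what a bound authenticator produces
    return {
        "totp_accepts_tampered": bank_verify_totp(code, t, *tampered),
        "bound_accepts_intended": bank_verify_bound(sig, *intended, nonce),
        "bound_accepts_tampered": bank_verify_bound(sig, *tampered, nonce),
    }
```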

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.