My bank has its own authenticator app, which doesn’t work on my phone. Piece of crap. They now enabled fingerprint login without additional 2FA somehow, and I can also authorise payments with biometrics. Only to change my limits, update address etc. I have to use the app (on an old Pixel 3a as a standby device just for this purpose).
Comment on MFA
possiblylinux127@lemmy.zip 7 months agoMy bank requires SMS mfa
viking@infosec.pub 7 months ago
possiblylinux127@lemmy.zip 7 months ago
I would change banks. Stuff like this is a reminder why letting government run such services is a bad idea. (I’m sure your bank isn’t state owned but still)
viking@infosec.pub 7 months ago
I can’t, live abroad and no bank I contacted would open accounts for non-residents.
I have other accounts where I live, but all my investments and major holdings are sent back home.
possiblylinux127@lemmy.zip 7 months ago
Oh, well that’s a tough situation.
KairuByte@lemmy.dbzer0.com 7 months ago
Why?
Totp is easier, cheaper, and more secure. It makes no sense to go with SMS.
possiblylinux127@lemmy.zip 7 months ago
For one that requires more training and support. However I think the biggest reason is that it is predictable
KairuByte@lemmy.dbzer0.com 7 months ago
Poorly secured keys usually still require device access, unless they are secured so poorly that the individual would be compromised in one of many other ways regardless.
Stealing a phone number requires, at most, paying off an employee at a telco company. At best it just requires a call and some social engineering. And don’t forget, people who leave their phone laying around without a passcode exist.
Now, neither of these are really options for a dragnet approach, they’d need to be targeted. But the fact that one can be done fully remote should be a red flag.