And god do I hate every second of it. My bank is the worst offender, because they allow me to log in, look at my balances and everything. It is until I decide to transfer funds from savings to checking, do they suddenly decide "WAIT! VERIFY YOUR IDENTITY!". All the while that I'm logged in!
Trying to call customer support to a car dealership to discuss changing dates on your lease? Welp, be prepared to know your child's name, your state, your blood sample and all other shit just to reach an agent so you can ask one simple question.
Google sucks balls for this too, obviously. Can't just simply sign in anymore, nope, gotta go find your phone and tell that, that it's you trying to log in and then you can go in.
Not to mention the amount of fucking codes we have to enter along the way. This shit piles up, people. We waste minutes to hours, collectively, on doing this shit.
hedgehog@ttrpg.network 4 months ago
It sounds like your bank is doing MFA (multi-factor authentication) correctly, and that’s a good thing, because it sure would be obnoxious to have to verify all that information just to view your balances, and it’s a higher risk activity to allow someone to transfer funds than to view your balances.
If the dealership didn’t verify your identity and someone else made changes to your lease, would you have a problem with that?
You don’t have to use an authenticator on your phone. You can use a password manager like Bitwarden (their $10/year premium plan, or their $40/year family plan) that supports saving TOTP and auto-filling them from a browser extension (click to copy or you can have it automatically copied to the clipboard after you auto-fill the password). It also supports passkeys and you can avoid getting locked into a single ecosystem that way.
brossman@infosec.pub 4 months ago
adding on to this, the bank isn’t doing just mfa, it’s likely also doing risk-based authentication. logging in and viewing funds isn’t that risky, but moving money around is much riskier, even in the same account. so you have to provide stronger evidence that it’s you requesting the action.