Do you happen to know banks that meet these criteria?

  • Telephone banking (of some fashion) provided
  • TOTP for 2FA is a) available and b) its use is not contingent on the use of an app; 2FA seeds are freely exportable by the user via web login
  • root@aussie.zone
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    1 year ago

    I know that Macquarie bank uses TOTP for authorizing transactions. However, they only support TOTP via their own app and you can’t use your own (eg Aegis, Authy or Google Authenticator). I don’t know if they have telephone banking as I never need that service.

    You say that “its use is not contingent on the use of an app; 2FA seeds are freely exportable by the user via web login”. Care to elaborate on that? I’m not sure I’m understanding correctly what you’re trying to say.

    • ode@discuss.tchncs.deOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      You got it actually. I want the 2FA seed exportable so I can use my own app for 2FA login. Transaction authorisation I’m agnostic on (TOTP or SMS code).

      Forcing reliance on an in-house app is user-hostile.

      • root@aussie.zone
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Yeah. I don’t understand the point of wasting resources to create and maintain separate app rather using an open standard and let users choose their fav 2fa app.

        • ode@discuss.tchncs.deOP
          link
          fedilink
          English
          arrow-up
          2
          ·
          1 year ago

          Corporations value staying with the herd, so apps are a done-deal regardless of need or suitability to the service offering. And private commerce tends to view apps primarily as advertising real estate. Hence why I want a bank with the sense to respect customer hardware.

        • Zagorath@aussie.zone
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Even weirder to me is what my bank does, which is use a third-party app (Symantec VIP) that is based on standard TOTP but wraps it in their own proprietary layer to prevent importing it into other apps. The bank gains absolutely nothing from this, and neither does the customer. If they wanna use a proprietary app with extra functionality like how Microsoft’s 2FA app does push notifications, I get that. If they want to push their own app for branding purposes, I hate that, but I get it. But why force me into a different company’s app that adds no value to the experience?

          • RealVenom@aussie.zone
            link
            fedilink
            English
            arrow-up
            2
            ·
            1 year ago

            Getting the user to use their app is pretty important. You may only be using TOTP now, but it allows for more intelligent multi factor authentication later on.

            E.g. the app could check your risk profile, like where you’re accessing from and if any impossible travel took place. They may add multi step auth like push notifications or biometrics.

            By letting customers use Google authenticator you are limiting MFA to only TOTP. MFA isn’t just an on and off switch anymore.

            • Zagorath@aussie.zone
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              1 year ago

              That’s definitely an interesting case for using their own app for MFA, but it doesn’t explain why you would use a specific restrictive third-party MFA app like Symantec VIP. This is truly the worst of all worlds.

              edit: worst of all app-based MFA worlds, anyway. Obviously better than using SMS second-factor, and way better than not having MFA at all…

              • RealVenom@aussie.zone
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 year ago

                Some vendors would allow you to skin their SDK to essentially have your own version of their app published, but that is a lot of work and has its own security risks.

                There isn’t really a BYO app that gives you the functionality a vendor app can give.

                Good MFA is harder than people think.

                • Zagorath@aussie.zone
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  1 year ago

                  Sure, but I’m not talking abuot whitelabelling. I’m talking about my bank telling me “go to the Play Store and download Symantec VIP”. An app that just does TOTP, but in a way that doesn’t enable you to use your own preferred TOTP app instead (without some rather difficult hacks).

                  Like I said, if they were using an app that provided more functionality than TOTP, I wouldn’t mind too much. If they were using an app that allowed them to put in their own branding, I’d be annoyed but at least “get it”. What I’m getting here is the worst of both worlds.

                  Good MFA is harder than people think.

                  Believe me, I know. At my former workplace, I was one of the leading engineers on a project to make our product support MFA. The business folks wanted it built into our existing app (for marketing reasons) and wanted push notifications, not TOTP. Three times we were working on that project, had given estimates for time to finish and had even made some substantial progress in implementing it, when business priorities shifted and the work got scrapped in favour of something unrelated, eventually coming back to it with a scope that was just different enough that most of the work already done couldn’t be reused. I’ve spent a lot of time looking at MFA from a software engineer’s perspective.

            • ode@discuss.tchncs.deOP
              link
              fedilink
              English
              arrow-up
              1
              ·
              edit-2
              1 year ago

              Intelligent is a euphemism for invasive.

              Consumers People who earn a living must have real choice in authentication options. It’s unacceptable to freeze out particular standards because an internal marketing projection suggests the bank will make a few dollars doing so. If I only want to employ login+passphrase+TOTP, that’s my prerogative.

              • RealVenom@aussie.zone
                link
                fedilink
                English
                arrow-up
                1
                ·
                1 year ago

                Is it though? No offence but the vast majority of “people” do not know authentication well enough to be given their choice of login method.

                And when we entrust non-security vendors to implement their own authentication, you get situations like ServiceNSW encrypting and storing credentials with a 4 digit pin.

                If a bank wants to use a security vendor to strengthen their authentication, that’s better than the alternative, I’d prefer that to what I have experienced with one of the big 4 where they still use SMS.