#CyberSecurity and #InfoSec people, what speaks against using #TOTP (aka. Google Authenticator & co.) for everything?
It annoys me that every financial institution wants me to install their proprietary app while we already have standards for #2FA. Why can't I approve a transaction with my existing authenticator?
@kaia Is that the reason? If they deem TOTP not secure enough (I do), then they should draft a better standard.
Or at the very least let me use a hardware authenticator. My main bank does that, but another (much younger) does not.
@didek @fell
That's right, it's because of the requirements imposed by European regulation #psd2. There doesn't exist any standard for #2fa allowing for displaying transaction information in a secure way on the authenticator. No, not even #FIDO2 solves this! (It used to, with #WebAuthn 1, but that part of the spec was never implemented by browsers, so it was abandoned in #WebAuthn 2.) #bank #infosec @kaia
@didek @fell
Securely displaying transaction information on the authenticator protects against malware: When you are about to transfer money, a man-in-the-browser malware could change the recipient account and amount, and manipulate what you see in your online banking session, so you won't see it. If you approve this transaction with a standard authenticator, you have no chance of detecting the attack. #2fa #infosec #FIDO2 #bank
@kaia
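The point made in the post above, shown in code. This is an added example, not code from anyone in the thread: it implements RFC 4226/6238 HOTP/TOTP (checked against the RFC 6238 test vector) and simulates a man-in-the-browser that swaps recipient and amount after the user has approved what they saw. A TOTP code never takes the transaction data as input, so the bank has no way to notice the swap. For contrast, the block also includes an illustrative transaction-bound code (an HMAC over the recipient and amount the user actually saw on the authenticator); this scheme, the secret, the IBANs and the nonce are all constructed for the demo and are not any bank's real protocol.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared between authenticator and bank (not a real key).
SECRET = b"demo-shared-secret-for-illustration"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    Note what is NOT an input here: recipient, amount, or anything else
    about the transaction being approved."""
    return hotp(secret, unix_time // step, digits)


def transaction_code(secret: bytes, recipient: str, amount_cents: int,
                     nonce: str, digits: int = 8) -> str:
    """Illustrative transaction-bound approval code (hypothetical scheme, not a
    standard): an HMAC over the data the authenticator displayed to the user.
    Any change to recipient or amount changes the code."""
    msg = f"{nonce}|{recipient}|{amount_cents}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return str(int.from_bytes(digest[:4], "big") % (10 ** digits)).zfill(digits)


def bank_accepts_totp(secret: bytes, code: str, unix_time: int) -> bool:
    # The bank can only check that the code is "a valid code right now"; the
    # recipient/amount it received from the browser never enter the check.
    return hmac.compare_digest(code, totp(secret, unix_time))


def bank_accepts_bound(secret: bytes, code: str, recipient: str,
                       amount_cents: int, nonce: str) -> bool:
    # The bank recomputes the code over the transaction it actually received.
    expected = transaction_code(secret, recipient, amount_cents, nonce)
    return hmac.compare_digest(code, expected)


def simulate(scheme: str) -> dict:
    """Man-in-the-browser simulation. The user sees and approves `seen_*`;
    the malware rewrites the request so the bank receives `real_*`.
    Returns whether the bank accepts the honest and the tampered transfer."""
    seen_recipient, seen_amount = "DE00 1111 2222 3333 4444 55", 50_00      # constructed
    real_recipient, real_amount = "DE00 9999 8888 7777 6666 55", 4_999_00   # constructed
    t, nonce = 1_700_000_000, "txn-0001"  # fixed time and nonce for determinism

    if scheme == "totp":
        code = totp(SECRET, t)  # what the user reads off a standard authenticator app
        return {
            "honest": bank_accepts_totp(SECRET, code, t),
            "tampered": bank_accepts_totp(SECRET, code, t),  # same code, same result
        }

    # "bound": the authenticator shows recipient+amount and derives the code from
    # exactly that (think of the user keying the transfer into an offline device).
    code = transaction_code(SECRET, seen_recipient, seen_amount, nonce)
    return {
        "honest": bank_accepts_bound(SECRET, code, seen_recipient, seen_amount, nonce),
        "tampered": bank_accepts_bound(SECRET, code, real_recipient, real_amount, nonce),
    }


if __name__ == "__main__":
    for scheme in ("totp", "bound"):
        print(scheme, simulate(scheme))
```

With TOTP the tampered transfer is accepted exactly as readily as the honest one, because the code the user typed is equally valid for any transaction in that 30-second window. With the bound code the bank's recomputation over the swapped recipient and amount no longer matches and the transfer is rejected; the user would also see the mismatch on the device before approving, which is what "securely displaying transaction information on the authenticator" buys you.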