I wonder what that looks like for bank apps? Banks could (and I'm sure they have) offer their own TOTP client, perhaps a bit more integrated. I'm sure that would be easier and offer a better experience than downloading some random "Google Authenticator" app.
The question is whether something standard like TOTP is also offered as an option (regardless of how "dark-patterny" it is to get to the option --- I've seen services that will heavily push their own app, but if you look carefully you'll see TOTP too, often disguised as "Google Authenticator" or something else that doesn't explicitly say TOTP but actually is.)
Authentication has been a solved problem for decades but no bank is going to ask the general public to use their SSH keys.
Nor ask them to put their smartcard in the reader, although many banks will already have given one to their customers...
What frustrates me most is that every bank develops their own shitty-in-their-own-way app for this purpose. There really needs to be an industry standard and then apps like Google Authenticator to exist for this purpose.
I have multiple bank accounts with different banks and upgrading my phone is an absolute nightmare because of apps like this.
Sorry, I should've been more specific/accurate. I meant brokerages, like Fidelity, Etrade, Schwab -- where you're likely to have more funds/$ than a regular consumer bank. They do offer it. Even Amazon offers it.
And you are right, I have not seen any of the banks I use convert to authenticator (BofA, Chase, etc).
I can only guess that they think it's too difficult for the average consumer to understand or implement. But the fact that they don't even offer it as an option is unfortunate.
Also the banks already just plain restrict access on the web, unconditionally, by making a smartphone app a mandatory auth / confirmation factor. And the app itself, of course, makes full use of Google's attestation APIs like you describe.
Already my two main banks, although they have websites, require me to authenticate via their app. I guess it's kind of understandable with real stealable money involved.
Great going, google! Banks have been using those RSA dongle thingies for a long time. Now with mobile phones that isolate one app from another, who needs em! And you get OTP codes just in case. Nice.
Thankfully that hasn't rolled out everywhere yet, and most banking apps I've used rely on less sophisticated methods of tamper detection (like RootBeer).
Hopefully Orange Man's little trade war slows down adoption by devs somewhat, but once that fizzles out, we might have to start looking at a regulatory angle. I don't like that idea, but what other choice do we have? Google clearly doesn't listen to their customers (or rather, we aren't their customers) and good luck even getting in touch with a bank's dev team, let alone convince them to do something that, to their uneducated higher-ups at least, looks like a security downgrade.
The biggest bank in Slovenia also requires an app, but I wrote a webapp that implements the reverse-engineered protocol the bank uses in the mobile app (the protocol is basically a TOTP implementation bought from a private company).
The issue with TOTP here is it can only provide a 6-digit code, whereas an app can show for example "Do you want to authorise $6.21 at McDonalds?" before sending a transaction through. Grudgingly, I will accept that for most of the customer base this is probably the correct solution.
If there is a move in this area, I predict it will come from something like EU regulations on interoperability (we already have rules on Open Banking to some extent) - something to bear in mind next time the EU's approach to regulation is criticised as "anti-tech".
> i can't log in to any of my banks without my phone
Glad it's not only my problem. Force banks to support TOTP. They will not do it voluntarily; they have too many "experts" selling dedicated apps to management because "securitay".
Ah, no, these can connect to a PC over USB and to a smart phone over USB or NFC to generate a 6 digit TOTP code, just like Google Authenticator does.
They can also do more sophisticated things, but that's not what I was referring to here. Those sophisticated and more secure things are supported by Google, Facebook, Dropbox, Github, etc, but not by most banks. Banks are so slow with this stuff and still do SMS-based 2FA which is absurd to me.
Yup. That's every app's problem though. I can also create a webpage and design a fake "bank login" inside of it to make you enter your credentials there. There is nothing you can do about that other than educating the user.
I (and I imagine a number of other people) would definitely pay for a high quality app like Simple as a layer on top of an old bank. Too many of these neobanks are missing something I need (Zelle, or they charge weird fees, or the debit card has a foreign ATM fee, or they have problems with checks, etc.).
Banks absolutely do this once they have the ability to talk to the OS. I've built 3 banking apps for iPhone/iPad now and client-side verification was involved in all of them after first login.
The problem is browsers just don't have a good standard way of accomplishing this.