by toastal 2314 days ago
I have two OnlyKeys that I back up against each other to handle the lack of ubiquity of FIDO2. So many places are still only using SMS, but as an alternative have built proprietary, in-app authentication systems that can't be audited. I had a phone break, and I wanted to purchase a new phone online to have it ship when I returned; and I couldn't access my remote work paycheck transfer (in-app), I couldn't log into my bank (SMS + in a different country, so not the same SIM), and I couldn't log into the more popular online shopping (SMS).

Auth needs to be able to be decoupled from phones. With the OnlyKey, I've also stored the important TOTP keys, like my email, as well as the password for my password manager. Being as 'dumb' as they are, I've had one go through the wash and it still works fine.

1 comment

If your bank is in EU, you can ask them to look into this EU regulation about strong authentication methods:

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A...

> Dynamic linking is possible through the generation of authentication codes which is subject to a set of strict security requirements. To remain technologically neutral a specific technology for the implementation of authentication codes should not be required. Therefore authentication codes should be based on solutions such as generating and validating one-time passwords, digital signatures or other cryptographically underpinned validity assertions using keys or cryptographic material stored in the authentication elements, as long as the security requirements are fulfilled.

My bank (Swedbank Latvia) used this regulation as a pretext for removing authentication via passwords + code cards. They didn't do too well on the "technologically neutral" part though – you now have to use proprietary software or hardware to authenticate :-/