[btown]

Is it still vulnerable to a MITM attack though, e.g. https://krebsonsecurity.com/2020/04/when-in-doubt-hang-up-lo... ?

Attacker wants Victim's code. Attacker calls the Bank impersonating Victim, and also calls Victim impersonating the Bank. Bank tells Attacker the code check, Attacker tells Victim the code check, Victim sees the match and enters their PIN into the Smart-ID app, and Attacker's phone session with Bank is now fully authenticated and has no more need for Victim.

[flixic]

I never thought about this, but yes, I think it can be MITM'ed exactly as you described. Same attack can probably be performed on the web, where Smart ID is also a sign in method.

[xorcist]

I have worked with something similar and this type of phishing is not only possible but much too common.

WebAuthn is really what is good enough. Luckily it's well supported on all important platforms so there's really no excuse using anything worse.

[im3w1l]

I like how the ones in my country work, when you want to send money you have to sign the transfer with the 2fa app, and the 2fa app itself will display how much money you are transferring, preventing an mitm from displaying one amount but actually sending another. However the recipient is not displayed. So a mitm could modify a legitimate transfer to have another recipient, stealing the $100 destined for your utility bill. But at least that is not a catastrophic loss.

[flixic]

For transfers, Smart ID displays both recipient and amount. So that part can’t be easily MITM’d.