[mormegil]

#2 and partially #1 are solved by regulation and reputation: banks are highly regulated business, and BankID support requires specific security audit.

Ad #3: FIDO is basically unusable for banking. It's designed for user authentication, not transaction signatures which banks need (and must do because of the PSD2 regulation).

[tialaramex]

If banks were actually onboard with this stuff, I'm pretty sure you can either make this happen in FIDO2 anyway, or you could add a FIDO extension that does it and get big vendors like Yubico to support that extension. Notice that off-line authenticating a Windows 10 PC relies on hmac-secret in FIDO, which is not a core FIDO feature, but it got ratified because there's a use for it, and a Yubikey can do hmac-secret.

But I do not see any such engagement from banks.

Transaction signatures are good if well implemented, but I'm not seeing a lot of good implementations. To be effective the user needs to understand what's going on so that they're appropriately suspicious when approached by crooks.

e.g. if I just know I had to enter 58430012 to send my niece $12, I don't end up learning why and when crooks persuade me to enter 58436500 I won't spot that this is actually authorising a $6500 transfer and I should be alarmed.

[mormegil]

I think the FIDO Alliance is already discussing solutions to these use cases. (And also this is a bit circular reasoning, isn’t it? “Why don’t you use the XYZ standard? Because it does not support our use case. So why don’t you cooperate on adding support to the standard? Why? So that you can use the XYZ standard!”) Also, I think there already are extensions supporting some basic forms of this, however, they are not supported very well.

But I’m afraid the basic prerequisite of secure transaction signing (“what you see is what you sign”) cannot be fulfilled on a generic “FIDO2 authenticator” – you need the authenticator to have a display. Sure, Windows Hello / Android FIDO / … might support this, but your common hardware Yubikey cannot.

I don’t know to which authentication method used by which bank in which country you refer in your “58430012” example, but this is definitely nothing which could be used as a method of transaction signatures in banks here, and it does not fulfill the requirements of the PSD2 regulation.

[tialaramex]

Which requirement of PSD2 do you think is so stringent?

I have three bank accounts here:

One of them (my good bank) has a chiclet keypad physical authenticator which needs these manual codes entering to get a value back that proves I used the authenticator.

The large European bank that handles my salary and so on, relies on SMS entirely, I ask to perform a transaction, they send an SMS with a code, I type it into a box on the web site. The SMS is trying to tell me what that transaction is, and has improved (it used to say things like GBP20000 which, yes everybody on Hacker News knows what that means but I bet my grandmother wouldn't, today it says £20 000 which is easier to understand) but notice that the code you get isn't related to the transaction details, it's just an arbitrary code. So I needn't understand the transaction to copy-paste the code.

The third bank is owned by the British government and so is inherently safe with unlimited funds unlike a commercial bank (they can and do print money to fund withdrawals, they're the government) but they too use SMS and their SMS messages are... not good. Of course unlike a commercial bank if they get fined for not obeying security rules that's the government fining the government, who cares?

FIDO would be obviously better than the latter two, and I don't see any reason that (with some effort) it couldn't improve on the first one as well.

[mormegil]

Oh, I misunderstood. You enter the mentioned code into an authentication calculator which emits the signature code which is then used. Yeah, that probably fulfills the PSD2 requirements, though I agree it's not exactly good UX and very secure for common users. That (well, and mostly the cost) is the reason everyone goes to mobile authentication apps nowadays.

SMS authentication is... well by one reading of PSD2, it's not acceptable. But in real world, it is basically necessary, and not _that_ insecure (if you ignore SIM swapping attacks etc.). The WYSIWYS aspect comes not from the code but from the message text, which is crucial (and per PSD2, should include at least the amount and... receiver? I forgot). But sure, if people don't read or understand the message, it's not ideal...

While FIDO provides better phishing resistance (than SMS, not necessarily than authentication apps), it doesn't protect against transaction modification (e.g. man in the browser) and for people who care about and understand security, it is strictly worse.

[tialaramex]

> (than SMS, not necessarily than authentication apps)

Very dubious. The trick to phishing is that humans are easily confused about what's going on, and WebAuthn recruits the browser to fix that completely. Your browser isn't confused, the browser knows it is talking to fakebank.example because that's the DNS name which is its business, even if this looks exactly like the Real Bank web site, perfect to the pixel and even fakes the browser chrome to have a URL bar that says realbank.example as you expected.

I don't see bank authentication apps helping here. It's very easy to accidentally reassure the poor humans everything is fine when they're being robbed, because the authentication part seemed to work.

I'm somebody who really cares about and would like to think they understand security very much, and I don't think it's strictly worse at all.

One of the things banks have an ongoing problem with is insider facilitated crime. Which means secrets are a big problem, because the bank (and thus, crooked staff working for the bank) know those secrets. Most of these PSD2 "compliant" solutions rely on secrets, and so are vulnerable to bank insiders. FIDO avoids that because it doesn't rely on secrets†.

† Technically a typical Security Key has a "secret" key [typically 256-bit AES] baked inside it, but a better word would be symmetric rather than secret, there is no other copy of that symmetric key, so it isn't functionally secret.

[zajio1am]

> While FIDO provides better phishing resistance (than SMS, not necessarily than authentication apps), it doesn't protect against transaction modification (e.g. man in the browser) and for people who care about and understand security, it is strictly worse.

'man in the browser' seems like a situation where the user's device is compromised. In that case it is not big stretch that not only browser could be compromised, but also SMS reading app is compromised.

I.e., the reasonable security request should not be security against 'man in the browser', but security against 'user device is compromised'. In that case SMS is worse, as attacker could completely bypass it, while for FIDO it still need to phish the user to press the button.