[fph]

In the EU these hardware keyfobs are now forbidden for banking because they are considered less secure than app-based 2FA. The reason is that an app-based confirmation gives you the opportunity to review the transaction you are confirming; they can display "Are you sure you want to send 19.99 € to website.com with payment description 'subscription'?".

[AndyMcConachie]

This is false.

I use a hardware thingy that I put my Dutch bank card into that generates numbers for logins and purchases. I have the option of using an app or the hardware card reader.

I use a one time generating password hardware keyfob to login to the Dutch Belastingdienst. They require it and I don't think there is an app I can use for this purpose.

[fph]

If it requires a smartcard I assume this is a different protocol, CAP. The introduction to this paper https://www.researchgate.net/publication/355241124_PSD2_Comp... (not mine) explains the system a little: the old hardware tokens in fig. 1 and 2 are those that cannot be used anymore; I assume you have something like the device in fig. 4?

[kseistrup]

I agree.

Danish banks, because they use the national MitID authorisation, accept MFA via app, code generator, or a chip device:

https://www.mitid.dk/en-gb/get-started-with-mitid/mitid-auth...

[brnt]

All Dutch Banks are moving customers to their apps now.

[eythian]

There's a DigID app that I use for the Belastingdienst (and all other overheid things), I don't have a OTP keyfob at all.

[rightbyte]

You could have a keyfob to identify and app to confirm.

[Terr_]

> In the EU these hardware keyfobs are now forbidden for banking [...] an app-based confirmation gives you the opportunity to review the transaction you are confirming;

I'm confused, that seems like it confuses two independent aspects:

1. Whether the TOTP code comes from a fob-device versus a phone-device.

2. Whether some interactive interface you're using gives you a chance to see/confirm what you're about to authorize or not.

A phone app can lie to you about the transaction you're about to authorize regardless of whether the TOTP code was transcribed from an external device, transcribed from another app on the same phone, or auto-filled by itself.

[fph]

This assumes that the banking app receives push data about the transaction by the bank, and simply has an "approve" button A simple 2FA app like Authy/Aegis that produces a number has the same problems as the keyfob.

The threat model is: malicious actor posing as the bank website, but legitimate keyfob or legitimate app. With the keyfob, the website intercepts a valid password and a valid 2FA code; with the app, nothing happens because it doesn't receive push data from the true bank.

I hope it is more clear now!

[Terr_]

> with the app, nothing happens because it doesn't receive push data from the true bank.

I don't see how that feature matters to a man in the middle attack during logon, since:

1. User opens web browser at a phishing site, which is masquerading as their bank, and starts the login process.

2. Phishing site interacts with bank.

3. Bank sends push-notification to the phone# that's on-file for that user: "Hey, that you logging in right now? Press the Yes button if so."

4. User sees it, expects it, presses the button, and then proceeds to hand over their TOTP and password to the phishing site anyway.

I suppose it might help on a per-transaction basis if the phishing site tries to trigger a hidden transaction, but at that point the app is just a way to streamline: "We sent you a code by SMS, enter that code to confirm the transaction."

[fph]

The point is that the app displays data on the transaction. If the phishing site tries to trigger a hidden transaction (or modify one that you are entering), you can review amount, recipient, and description _on the app_.