by iggldiggl
566 days ago
> but I don't get why they aren't using plain TOTP, so you can use any authenticator app you'd like

Compared to the non-app solutions I'm familiar with in Germany, TOTP lacks at least two things:

1. There are no guarantees as to what happens to the shared secret (whereas at least some of these alternative solutions use your debit card as a smartcard to securely store the secret). From an individual point of view I guess that's perhaps a welcome trade-off (no backup solution except for manually registering a second key everywhere is part of the reason I'm not keen on Yubikeys and the like for replacing all my logins), but banks might have differing opinions.

2. Perhaps more importantly, you can't really authenticate the individual transaction, because the TOTP is only based on the (fixed) shared secret and the current time. The TAN generator solutions I'm familiar with on the other hand also include the destination account and sum of money to be transferred in the TAN calculation (and those get displayed for confirmation on the TAN generator's display), so a malicious website impersonating your bank's online banking can't forge those things.
> also include the destination account and sum of money to be transferred in the TAN calculation
Which banks have implemented it? You are giving them too much credit. In most cases their 2FA is simply a code consisting of digits, or tapping "confirm" multiple times without any context inside their lousy apps. In my personal anecdotal experience only SMS 2FA contains some additional information about what exactly you are confirming.