[jolmg]

> What's protecting me when I do online banking in the browser, which I can do using more or less any device?

IDK about your country, but it's also common for banks to require supplying a token from the phone's banking app in order to login via the browser.

[fc417fc802]

Not in the US, at least so far. If that were ever to come to pass I would be in danger of becoming unbanked. I flatly refuse to install third party proprietary software on my phone (I grudgingly accept firmware blobs for lack of a realistic alternative).

Here the majority continue to use SMS based 2FA rather than supporting TOTP or hardware tokens.

Note that TOTP can be handled by any app of the user's choosing, doesn't facilitate attestation or any other user hostile practices, and in practice means that an attack requires physical theft of the device. While the theory might differ, in practice the effective security level is equivalent to other (objectionable) schemes.

[jolmg]

> Note that TOTP can be handled by any app of the user's choosing

The banks are probably using the same standard behind the scenes, but they don't allow alternate TOTP apps. There's no point where they give you a key to set it up in an alternate app.

I suppose part of the point is a lack of trust in users' ability to handle their own security, and the possibility that they may provide such a key to a compromised TOTP app.

> hardware tokens

It'd be excellent if banks moved back to purpose-specific hardware like that. Even better if it were some standard with multiple providers, like FIDO2.

[fc417fc802]

Yes FIDO2 would be ideal. The stuff about TOTP was a digression regarding the relative security levels between the two. The extra hardware doesn't provide any practical benefit (at least IMO) for the typical person running a FOSS authenticator app on a mobile device with an up-to-date OS. Obviously if you're something like a high volume day trader then it might be a different story but the venerable $5 wrench attack still applies so even then it seems pretty questionable to me.

[jolmg]

> The extra hardware doesn't provide any practical benefit (at least IMO) for the typical person running a FOSS authenticator app on a mobile device with an up-to-date OS.

For the user (and in the context of Pinephones), the benefit would lie in getting banks out of their phones. Banks want a device that's not under the control of the user to use as 2FA. A dedicated hardware key would be a compromise for that. They used to give them out, but I pessimistically imagine that today they might prefer to lose a customer.

[AnthonyMouse]

And what does that buy you? The user goes to the bank website in a compromised browser, attacker gets their password. Bank sends a code to their phone, user types the code into the compromised browser, attacker gets the code.