Hacker News new | ask | show | jobs
by buzer 253 days ago
Unfortunately the EU regulation makes the truly user controlled 2FA methods essentially non-compliant.

https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

> Article 7 Requirements of the elements categorised as possession

> 1. Payment service providers shall adopt measures to mitigate the risk that the elements of strong customer authentication categorised as possession are used by unauthorised parties.

> 2. The use by the payer of those elements shall be subject to measures designed to prevent replication of the elements.
1 comments
jojobas 253 days ago
This says something along the lines of "it should be hard to extract the TOTP secret".

However if you can get so far as to get the secret from the TOTP app, you can as well back up the entire phone and restore elsewhere, can't you?

link
nh2 253 days ago
No, because phones that lock keys in hardware effectively prevent that, and that works only with hardware that prevents its owners from having full control an doing what they want with their hardware.

"Unextractable keys" works with hardware that you don't "truly own".

link
gradeless 253 days ago
What if you truly want the security properties provided by a device which can keep keys in a way where you fully control their use but its extremely hard for anyone to extract them?
link
XorNot 252 days ago
I mean case in point, this is exactly what a Yubikey does for people.
link