this post was submitted on 19 Jul 2023
6 points (100.0% liked)

AusFinance

993 readers
1 users here now

founded 1 year ago
MODERATORS
 

Do you happen to know banks that meet these criteria?

  • Telephone banking (of some fashion) provided
  • TOTP for 2FA is a) available and b) its use is not contingent on the use of an app; 2FA seeds are freely exportable by the user via web login
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

That's definitely an interesting case for using their own app for MFA, but it doesn't explain why you would use a specific restrictive third-party MFA app like Symantec VIP. This is truly the worst of all worlds.

edit: worst of all app-based MFA worlds, anyway. Obviously better than using SMS second-factor, and way better than not having MFA at all...

[–] [email protected] 1 points 1 year ago (1 children)

Some vendors would allow you to skin their SDK to essentially have your own version of their app published, but that is a lot of work and has its own security risks.

There isn't really a BYO app that gives you the functionality a vendor app can give.

Good MFA is harder than people think.

[–] [email protected] 1 points 1 year ago

Sure, but I'm not talking abuot whitelabelling. I'm talking about my bank telling me "go to the Play Store and download Symantec VIP". An app that just does TOTP, but in a way that doesn't enable you to use your own preferred TOTP app instead (without some rather difficult hacks).

Like I said, if they were using an app that provided more functionality than TOTP, I wouldn't mind too much. If they were using an app that allowed them to put in their own branding, I'd be annoyed but at least "get it". What I'm getting here is the worst of both worlds.

Good MFA is harder than people think.

Believe me, I know. At my former workplace, I was one of the leading engineers on a project to make our product support MFA. The business folks wanted it built into our existing app (for marketing reasons) and wanted push notifications, not TOTP. Three times we were working on that project, had given estimates for time to finish and had even made some substantial progress in implementing it, when business priorities shifted and the work got scrapped in favour of something unrelated, eventually coming back to it with a scope that was just different enough that most of the work already done couldn't be reused. I've spent a lot of time looking at MFA from a software engineer's perspective.