zlacker

[return to "I read the federal government’s Zero-Trust Memo so you don’t have to"]
1. adream+NC 2022-01-27 18:02:37
>>EthanH+(OP)
Here in Norway we have BankID which uses MFA. To access any government, banking, or official system you have to authenticate with your BankID.

It's simply amazing.

2. zajio1+RT 2022-01-27 19:17:52
>>adream+NC
Here in Czechia we have BankID and it is problematic:

1) No verification that the user trusts that particular bank to perform this service. Most banks just deployed BankID for all their customers.

2) No verification between bank and government ensuring that a particular person can be represented by a particular bank. In principle a bank could impersonate a person even if that person has no legal relation with that bank.

3) Bank authentication is generally bad. Either login+SMS, or proprietary smartphone applications. No FIDO U2F or any token based systems.

Fortunately, there are also alternatives for identification to government services:

1) Government ID card with a smartcard chip. But not everyone has the new version of the ID card (the old version does not have a chip). It also requires separate hardware (a smartcard reader) and some software middleware.

2) MojeID service (mojeid.cz) that uses FIDO U2F token.

Disclaimer: I work for CZ.NIC, the org that also offers the MojeID service.

3. mormeg+Zz1 2022-01-27 22:04:57
>>zajio1+RT
#2 and partially #1 are solved by regulation and reputation: banks are a highly regulated business, and BankID support requires a specific security audit.

Ad #3: FIDO is basically unusable for banking. It's designed for user authentication, not transaction signatures which banks need (and must do because of the PSD2 regulation).

4. tialar+t92 2022-01-28 01:37:04
>>mormeg+Zz1
If banks were actually onboard with this stuff, I'm pretty sure you can either make this happen in FIDO2 anyway, or you could add a FIDO extension that does it and get big vendors like Yubico to support that extension. Notice that off-line authenticating a Windows 10 PC relies on hmac-secret in FIDO, which is not a core FIDO feature, but it got ratified because there's a use for it, and a Yubikey can do hmac-secret.

But I do not see any such engagement from banks.

Transaction signatures are good if well implemented, but I'm not seeing a lot of good implementations. To be effective the user needs to understand what's going on so that they're appropriately suspicious when approached by crooks.

E.g. if I just know I had to enter 58430012 to send my niece $12, I don't end up learning why, and when crooks persuade me to enter 58436500 I won't spot that this is actually authorising a $6500 transfer and that I should be alarmed.

5. mormeg+VK2 2022-01-28 08:17:01
>>tialar+t92
I think the FIDO Alliance is already discussing solutions to these use cases. (And also this is a bit circular reasoning, isn’t it? “Why don’t you use the XYZ standard? Because it does not support our use case. So why don’t you cooperate on adding support to the standard? Why? So that you can use the XYZ standard!”) Also, I think there already are extensions supporting some basic forms of this, however, they are not supported very well.

But I’m afraid the basic prerequisite of secure transaction signing (“what you see is what you sign”) cannot be fulfilled on a generic “FIDO2 authenticator” – you need the authenticator to have a display. Sure, Windows Hello / Android FIDO / … might support this, but your common hardware Yubikey cannot.

I don’t know to which authentication method used by which bank in which country you refer in your “58430012” example, but this is definitely nothing which could be used as a method of transaction signatures in banks here, and it does not fulfill the requirements of the PSD2 regulation.
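Posts 4 and 5 describe what a transaction signature has to achieve ("what you see is what you sign") and why an opaque code like 58430012 does not achieve it. The following is an added example, not code from anyone in the thread or from any real bank or FIDO implementation: a simulated display-capable authenticator signs exactly the payee and amount it showed the user, and the bank recomputes that binding over the transaction it is about to execute. The shared HMAC key, the transaction format and the function names are assumptions for the example.

```python
import hmac
import hashlib
import json

# Constructed demo secret shared by the display-capable authenticator and the bank
# (a placeholder for this example, not a real credential or any bank's scheme).
DEVICE_KEY = b"constructed-demo-key"

def canonical(tx):
    """Deterministic encoding of the elements a transaction signature must bind:
    payee and amount (the 'dynamic linking' elements the thread attributes to PSD2)."""
    return json.dumps({"payee": tx["payee"], "amount_cents": tx["amount_cents"]},
                      sort_keys=True, separators=(",", ":")).encode()

def authenticator_sign(tx, user_confirms):
    """Simulated authenticator with its own display. It renders the transaction
    to the user and signs exactly the data it displayed, or nothing at all."""
    shown = f"Pay {tx['amount_cents'] / 100:.2f} to {tx['payee']}"
    if not user_confirms(shown):
        return None
    return hmac.new(DEVICE_KEY, canonical(tx), hashlib.sha256).hexdigest()

def bank_verify(tx, sig):
    """The bank recomputes the MAC over the transaction it is about to execute;
    a signature made over different payee/amount data cannot match."""
    if sig is None:
        return False
    expected = hmac.new(DEVICE_KEY, canonical(tx), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)

def demo():
    intended = {"payee": "niece", "amount_cents": 1200}
    altered = {"payee": "unknown payee", "amount_cents": 650000}
    # The user approves only a display that reads "Pay 12.00 to niece".
    confirm_twelve = lambda shown: shown == "Pay 12.00 to niece"
    sig = authenticator_sign(intended, confirm_twelve)
    legit = bank_verify(intended, sig)      # True: signed data equals executed data
    # A tampered session submits a different transaction with the same signature.
    swapped = bank_verify(altered, sig)     # False: the MAC covers payee and amount
    # Sending the altered transaction to the authenticator displays 6500.00; the user declines.
    declined = authenticator_sign(altered, confirm_twelve)  # None: nothing is signed
    return legit, swapped, declined
```

The contrast with the 58430012 example in post 4 is that an opaque code proves only that a code was entered; here the bank cannot execute anything other than the payee and amount the user actually saw.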
