zlacker

[return to "Do not download the app, use the website"]
1. wouldb+Ha[view] [source] 2025-07-25 23:27:34
>>foxfir+(OP)
I understand but it’s not always with bad intentions.

In the Netherlands we have a system called DigiD to login into to most government websites like your taxes and city, etc.

When I contracted for the city of Amsterdam I learned they’ve been pushing hard for the DigiD app to two factor authenticate instead of text message, because of contracts Digid charges a lot per text message validation and none for app.

◧◩
2. bramha+Nb[view] [source] 2025-07-25 23:37:00
>>wouldb+Ha
In this case there is also a perceivable benefit for the user. SMS 2FA is vulnerable to sim swapping, this is not possible when TOTPs are delivered in-app. The app is also FOSS [1], so even if you're paranoid you can still inspect what data is sent.

There are also just some things you cannot realistically do in the browser (or over SMS) without having to ship specialised hardware to 18 million people, like reading the NFC chip of your passport. This is needed for DigiD Substantieel and Hoog, which are mandated by the eIDAS regulations.

[1] https://github.com/MinBZK/woo-besluit-broncode-digid-app/

◧◩◪
3. esseph+7e[view] [source] 2025-07-25 23:59:10
>>bramha+Nb
TOTP is able to be intercepted on the device.
◧◩◪◨
4. bramha+3f[view] [source] 2025-07-26 00:06:11
>>esseph+7e
Yes, and that's also true for SMS messages and your passwords. That is why having MFA is important.
[go to top]