zlacker

[parent] [thread] 6 comments
1. ryukaf+(OP)[view] [source] 2022-01-27 22:11:23
This should be obvious from your comment but I think it's worth calling something out explicitly here: a bank that does that is mandating that you accept either Apple's or Google's terms of service. That's a lot of power to give to two huge companies.

I think we'd do well to provide the option to use open protocols when possible, to avoid further entrenching the Apple/Google duopoly.

replies(3): >>lotsof+WE >>floatb+3t1 >>jgerri+N82
2. lotsof+WE[view] [source] 2022-01-28 02:41:09
>>ryukaf+(OP)
That is a job for the government. They should have made electronic payments and electronic accounts for everyone a utility many years ago.
replies(1): >>franga+Kl1
◧◩
3. franga+Kl1[view] [source] [discussion] 2022-01-28 10:12:45
>>lotsof+WE
This 10000x! A bank account is sure as hell more of a utility than a landline!

You need a bank account to do basically anything and yet consumer banking is largely unregulated (in the consumer relation sense, they are regulated on the economic side of course). Payments take upwards of 24h and only during work hours (?!?), there are no "easy switch" rewuirements, mobile apps use shit like SafetyNet and I've had banks legit tell me "just buy a phone from this list of manufacturers"... PSD2 is trash that only covers B2B interoperability and mandates a security method that has been known as broken since its invention (SMS 2FA).

4. floatb+3t1[view] [source] 2022-01-28 11:18:18
>>ryukaf+(OP)
What bank doesn't have a regular web app?
replies(2): >>duckmy+Mx1 >>dathin+dS1
◧◩
5. duckmy+Mx1[view] [source] [discussion] 2022-01-28 11:54:41
>>floatb+3t1
In the future banks may start accepting connections only from a handful of approved browsers. Similarly to how 4k steaming on Netflix is not available on all browsers.
◧◩
6. dathin+dS1[view] [source] [discussion] 2022-01-28 14:14:34
>>floatb+3t1
It's about the EU mandated 2FA auth for online shopping.

E.g. with an credit card.

Due to the way it integrates into websites (or more specifically doesn't) classical approaches like SMS 2FA (insecure anyway) but also TOTP or FIDO2 do not work.

Instead a notification is send to a preconfigured app where you then confirm it.

Furthermore as the app and payment might be on the same device the app uses the fingerprint reader/(probably some Google TPM/secrets API idk.).

Theoretically other approaches should work, but practically they tend to not work reliable or at all in most situations.

Technically web based solutions could be possible by combining a FIDO stick with browser based push notifications, practicality they (Banks) bother or there are legal anoyences.

7. jgerri+N82[view] [source] 2022-01-28 15:30:44
>>ryukaf+(OP) 

  I think we'd do well to provide the option to use open protocols when possible.
Of course, the PR copy just writes itself, doesn't it? AD administrators, Apple and Google, banks and everyone else can benefit from context aware authorization.

If the state of your phone is stolen or "compromised", you want immediate Peace of Mind.

Even if it's just misplaced, having that kind of flexibility is just great.

[go to top]