zlacker

23 comments
1. wouldb+(OP) 2025-07-25 23:27:34
I understand, but it's not always with bad intentions.

In the Netherlands we have a system called DigiD to log in to most government websites, like your taxes and city, etc.

When I contracted for the city of Amsterdam I learned they've been pushing hard for the DigiD app to do two-factor authentication instead of text messages, because of contracts: DigiD charges a lot per text-message validation and nothing for the app.

replies(4): >>bramha+61 >>SahAss+k1 >>nehal3+o2 >>msgode+t4
2. bramha+61 2025-07-25 23:37:00
>>wouldb+(OP)
In this case there is also a perceivable benefit for the user. SMS 2FA is vulnerable to SIM swapping; this is not possible when TOTPs are delivered in-app. The app is also FOSS [1], so even if you're paranoid you can still inspect what data is sent.

There are also just some things you cannot realistically do in the browser (or over SMS) without having to ship specialised hardware to 18 million people, like reading the NFC chip of your passport. This is needed for DigiD Substantieel and Hoog, which are mandated by the eIDAS regulations.

[1] https://github.com/MinBZK/woo-besluit-broncode-digid-app/

replies(1): >>esseph+q3
3. SahAss+k1 2025-07-25 23:38:56
>>wouldb+(OP)
The DigiD app could interact with websites; that's how it works for many other digital IDs in Europe.

For example, with BankID (Sweden, and I think the Norwegian version does the same) when you need to authenticate you either scan a QR code with the BankID app or select "on the same device", and then the website will interact with the BankID API to auth.

Either way you don't need your own app to get proper auth working with this sort of government login.

(With BankID the app devs still pay a per-auth price, but that is not due to any technical reason, just because it's made by a profit-driven semi-monopoly.)

replies(1): >>lieuwe+mU
4. nehal3+o2 2025-07-25 23:48:13
>>wouldb+(OP)
True, but it does force citizens into a contract with either Apple or Google. I don’t think that is a good idea both from the perspective of individual freedom and national sovereignty.
replies(1): >>Beijin+E2
5. Beijin+E2 2025-07-25 23:50:20
>>nehal3+o2
Nothing beats a hardware token.

I would also use a Yubikey for banking, but I am scared as f. of what happens if I lose it while traveling abroad.

replies(4): >>esseph+i3 >>catlif+E3 >>EasyMa+dn >>Wilder+rw
6. esseph+i3 2025-07-25 23:57:58
>>Beijin+E2
Carry two, leave another in a safe somewhere in your home country?

Otherwise, yeah... Passkey it is

replies(1): >>devman+5n
7. esseph+q3 2025-07-25 23:59:10
>>bramha+61
TOTP is able to be intercepted on the device.
replies(1): >>bramha+m4
8. catlif+E3 2025-07-26 00:00:53
>>Beijin+E2
I think it should be standard to allow registering multiple tokens, which would be equivalent to a backup for your purposes.
replies(1): >>Beijin+H5
9. bramha+m4 2025-07-26 00:06:11
>>esseph+q3
Yes, and that's also true for SMS messages and your passwords. That is why having MFA is important.
replies(1): >>esseph+H9
10. msgode+t4 2025-07-26 00:06:55
>>wouldb+(OP)
This could have just been TOTP.
replies(2): >>frollo+V5 >>wouldb+LU
11. Beijin+H5 2025-07-26 00:16:49
>>catlif+E3
You can copy this if you buy two. You would have to store one somewhere where it can be FedExed to you.
replies(1): >>mystif+8w
12. frollo+V5 2025-07-26 00:18:52
>>msgode+t4
TOTP standard made sense, but mainstream implementation was user-hostile at the start with stuff like Google Authenticator not letting you copy keys, then afterwards still making it unclear under what circumstances they're backed up. Nowadays it's user-unfriendly at best.

I like how we went full-circle to Passkeys which are basically a "remember me FOREVER" button, implemented kinda like SSH keys. Should call it that too, and also ditch the like 4 prompts it gives you first.

replies(1): >>msgode+nk
13. esseph+H9 2025-07-26 00:56:10
>>bramha+m4
You can't intercept a passkey in the same way.

It is also far less likely to be phished, and there is nothing transmitted.

TOTP is the modern WPA2 of security - it's just not good enough when better alternatives exist.

replies(1): >>lieuwe+TU
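The contrast argued in this subthread (a TOTP code can be read or relayed by whoever has it, while a passkey assertion is bound to the site it was made for), shown as an added example in Go. This is not code from the thread, from DigiD or from any project named above. It implements RFC 6238 TOTP over HMAC-SHA1 and a simplified WebAuthn-style assertion: Ed25519 stands in for the ECDSA keys most authenticators use, authenticatorData and clientDataJSON are reduced to the fields the checks need, the sign counter and attestation are left out, and bank.example and evil.example are made-up names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"fmt"
	"math"
	"time"
)

// TOTP per RFC 6238 over HMAC-SHA1. Server and app hold the same secret, so anyone who reads it from either side computes the same codes.
func TOTP(secret []byte, t time.Time, step time.Duration, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(t.Unix())/uint64(step.Seconds()))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := int(h[len(h)-1] & 0x0f) // RFC 4226 dynamic truncation
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits)))
}

// Simplified FIDO2/WebAuthn assertion. Only a signature leaves the authenticator,
// and it covers the rpID and origin that the browser, not the page, fills in.
type Authenticator struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}
type Assertion struct {
	AuthData   []byte // sha256(rpID) || flags || counter, the authenticatorData layout
	ClientData []byte // JSON {type, challenge, origin}
	Sig        []byte
}
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
type RelyingParty struct {
	RPID, Origin string
	Pub          ed25519.PublicKey
}

func NewAuthenticator() *Authenticator {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{Pub: pub, priv: priv}
}

// NewChallenge returns 32 random bytes; crypto/rand.Read never returns an error on current Go.
func NewChallenge() []byte { c := make([]byte, 32); rand.Read(c); return c }

// Assert signs authData || sha256(clientDataJSON) with a key that never leaves the authenticator.
func (a *Authenticator) Assert(rpID, origin string, challenge []byte) Assertion {
	rpHash := sha256.Sum256([]byte(rpID))
	auth := append(rpHash[:], 0x01, 0, 0, 0, 0) // flags: user present; sign counter left at 0
	cd, _ := json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), origin})
	cdHash := sha256.Sum256(cd)
	return Assertion{auth, cd, ed25519.Sign(a.priv, append(append([]byte{}, auth...), cdHash[:]...))}
}

// Verify rejects assertions for another rpID/origin (phishing), an old challenge (replay) or a bad signature.
func (rp *RelyingParty) Verify(challenge []byte, as Assertion) bool {
	var cd clientData
	want := sha256.Sum256([]byte(rp.RPID))
	if len(as.AuthData) != 37 || !hmac.Equal(as.AuthData[:32], want[:]) ||
		json.Unmarshal(as.ClientData, &cd) != nil || cd.Type != "webauthn.get" ||
		cd.Origin != rp.Origin || cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return false
	}
	cdHash := sha256.Sum256(as.ClientData)
	return ed25519.Verify(rp.Pub, append(append([]byte{}, as.AuthData...), cdHash[:]...), as.Sig)
}

// Scenario runs a real login, a phishing relay and a replay; bank.example and evil.example are made-up names.
func Scenario() (legit, phished, replayed bool) {
	auth := NewAuthenticator()
	bank := &RelyingParty{RPID: "bank.example", Origin: "https://bank.example", Pub: auth.Pub}
	c1 := NewChallenge()
	a1 := auth.Assert("bank.example", "https://bank.example", c1)
	legit = bank.Verify(c1, a1)
	// evil.example relays the bank's next challenge, but the victim's browser binds the assertion to evil.example
	// (a browser only lets a page claim an rpID its own origin is allowed to), so the bank's rpIdHash/origin checks fail.
	c2 := NewChallenge()
	phished = bank.Verify(c2, auth.Assert("evil.example", "https://evil.example", c2))
	replayed = bank.Verify(NewChallenge(), a1) // captured assertion vs. a fresh challenge
	return
}

func main() {
	fmt.Println("TOTP at T=59:", TOTP([]byte("12345678901234567890"), time.Unix(59, 0), 30*time.Second, 8)) // 94287082
	legit, phished, replayed := Scenario()
	fmt.Printf("passkey: legit=%v phished=%v replayed=%v\n", legit, phished, replayed)
}
```

The TOTP half reproduces the RFC 6238 Appendix B vectors (94287082 at T=59 for the secret 12345678901234567890), which also makes the weakness concrete: every party holding the secret computes the same code, so a server that compares codes within a time window cannot tell a relayed code from one the user typed. In the passkey half the phishing relay fails before the signature is even examined, because the signed data carries the phishing site's rpID and origin, and a captured assertion is useless against the next challenge.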
14. msgode+nk 2025-07-26 03:05:49
>>frollo+V5
>"remember me FOREVER" button, implemented kinda like SSH keys.

Here's a better idea: just use openssh or at least openssh's key formats since none of the big companies can manage anything better.

replies(1): >>frollo+Lk
15. frollo+Lk 2025-07-26 03:11:16
>>msgode+nk
That would've been nice, because instead Passkeys are kinda locked into whatever walled garden you chose.
16. devman+5n 2025-07-26 03:46:34
>>esseph+i3
The principal issue with hardware keys as implemented today via FIDO2 or U2F is that you can't enroll them without having them in your physical possession, which means if you have a backup key stored offsite, you have to fetch it any time you sign up for a new service.
replies(1): >>Wilder+Jw
17. EasyMa+dn 2025-07-26 03:50:38
>>Beijin+E2
I don't want a hardware token generator since it is guaranteed that I will lose it.
18. mystif+8w 2025-07-26 05:56:17
>>Beijin+H5
No need to fedex, just have a trusted person read you the code back over the phone.
19. Wilder+rw 2025-07-26 05:58:25
>>Beijin+E2
I wish that was an option, in most cases the phone becomes the hardware token, and that can be lost too. Or broken, or out of power or without internet connection.

I even have a personal anecdote. My wife "lost" her phone in Iceland. I made her log in to find-my-phone with her Google account, and 2FA was needed. Thankfully she had her Yubikey on her keychain (plus, we enrolled each other's key), so she was able to log in. Push notification, TOTP and SMS were all not an option.

20. Wilder+Jw 2025-07-26 06:01:30
>>devman+5n
A good strategy for this is to enroll it at day 0 for the most sensitive systems (e.g., password manager, email accounts). This way you are able to use it as a backup in the sense of giving the option to reset or access (e.g., via backup codes) all the services, without being necessarily enrolled in all of them.
21. lieuwe+mU 2025-07-26 11:24:44
>>SahAss+k1
This is the exact same as DigiD, except that there is no cost per-auth, only per-sms. The parent comment is saying that Amsterdam wanted the users to install the DigiD app instead of relying on SMS authentication.
22. wouldb+LU 2025-07-26 11:29:41
>>msgode+t4
At that scale, the amount of support getting a city of people to understand that is overwhelming.
23. lieuwe+TU 2025-07-26 11:31:06
>>esseph+H9
What kind of risk profile does one have when it is likely that both the password is known and malware has been installed on the phone, but also just access to an ephemeral login session by the attacker (which could be obtained even when using a secure enclave by waiting for the user to authenticate by themselves) would not be enough?
replies(1): >>esseph+Zs1
24. esseph+Zs1 2025-07-26 16:44:03
>>lieuwe+TU
> password is known

What password?
