zlacker

5 comments
1. bramha+(OP) 2025-07-25 23:37:00
In this case there is also a perceivable benefit for the user. SMS 2FA is vulnerable to sim swapping, this is not possible when TOTPs are delivered in-app. The app is also FOSS [1], so even if you're paranoid you can still inspect what data is sent.

There are also just some things you cannot realistically do in the browser (or over SMS) without having to ship specialised hardware to 18 million people, like reading the NFC chip of your passport. This is needed for DigiD Substantieel and Hoog, which are mandated by the eIDAS regulations.

[1] https://github.com/MinBZK/woo-besluit-broncode-digid-app/

replies(1): >>esseph+k2
2. esseph+k2 2025-07-25 23:59:10
>>bramha+(OP)
TOTP is able to be intercepted on the device.
replies(1): >>bramha+g3
3. bramha+g3 2025-07-26 00:06:11
>>esseph+k2
Yes, and that's also true for SMS messages and your passwords. That is why having MFA is important.
replies(1): >>esseph+B8
4. esseph+B8 2025-07-26 00:56:10
>>bramha+g3
You can't intercept a passkey in the same way.

It is also far less likely to be phished, and there is nothing transmitted.

TOTP is the modern WPA2 of security - it's just not good enough when better alternatives exist.

replies(1): >>lieuwe+NT
5. lieuwe+NT 2025-07-26 11:31:06
>>esseph+B8
What kind of risk profile does one have when it is likely that both the password is known and malware has been installed on the phone, but also just access to an ephemeral login session by the attacker (which could be obtained even when using a secure enclave by waiting for the user to authenticate by themselves) would not be enough?
replies(1): >>esseph+Tr1
6. esseph+Tr1 2025-07-26 16:44:03
>>lieuwe+NT
> password is known

What password?
