undefined | Better HN

0 pointsvladvasiliu2y ago0 comments

But except for some dinosaurs insisting on SMS (which you can receive on a dumb-as-bricks phone), you can absolutely have 2FA without a smartphone. Most password managers handle it, with the bonus points of checking the domain when entering the TOTP. If you want separate baskets for your eggs, you can use dedicated TOTP apps (Authy works fine for my needs). You can even roll your own. You can use an external token like a YubiKey.

I may be missing something, but I have a really hard time understanding the "corporate backdoor / overwatch / control" argument when it comes to MFA.

0 comments

5 comments · 1 top-level

swiftcoder2y ago· 4 in thread

Where I live the banks all require that you install their own smartphone app in order to confirm transactions. Literally not possible to confirm online transactions with a dumb phone (or a laptop for that matter, unless you can run the mobile app in an emulator).

KronisLV2y ago

> Where I live the banks all require that you install their own smartphone app in order to confirm transactions.

Same here in the Baltics, something like SmartID is prevalent and all major banks ask you to use it: https://www.smart-id.com/

Sometimes it's even integrated with document e-signing, to the point where it's hard to say where convenience ends and dependence begins (since something like TOTP or PGP aren't offered as alternatives).

vladvasiliuOP2y ago

After a quick glance over the site, it seems the system is fairly open, and they explain how they use the keys. The part on which I'm not clear is the app: is it not possible to build your own app that complies with their various interfaces, which would run on, say, a PC? Those seem to be documented.

1 more reply

vladvasiliuOP2y ago

In my case, I think something must have happened because that used to be the case. You might be able to jump through some hoops to avoid that (never tried), but the funny thing is that I didn't do anything with my "professional" account for it to automatically switch back to SMS. The first time it happened, I was actually surprised and thought something fishy was going on.

Al-Khwarizmi2y ago

Maybe some law forcing that has passed in your country? I would find it odd that banks would voluntarily decide to stop forcing their app on users.

1 more reply

j / k navigate · click thread line to collapse