undefined | Better HN

0 pointsRisse24d ago0 comments

Check out this thread on Sailfish OS forums regarding EU Banking apps. I was surprised on how many actually work.

https://forum.sailfishos.org/t/banking-apps-on-sailfish-os/1...

0 comments

If this is similar to LineageOS, then it's always potentially only a matter of time until some banking and payment apps stop working due to failing security attestation pushed by a Google update.

We need native apps that pass attestation out of the box for that phone/OS, not relying on hacks that may or may not work in the future.

This is not good UX and it poisons the well if you push users to a new platform then they discover some apps don't work as you promised.

femto24d ago

Beats me why banks can't use a FIDO2 enabled web site.

Hackbraten23d ago

Because FIDO2 is not enough for non-tech-savvy people. The main issue is potential confusion about what transaction they’re actually signing. For example, a malicious browser extension can pretend the site sends money to X while actually sending it to Y.

The European PSD2 directive mandates that the 2FA scheme must let the user see what they’re about to sign. At the very least, that includes the amount and part of the recipient’s IBAN. FIDO2 doesn’t have that.

It’s the reason I own a device that looks like this [0]. Without it, I wouldn’t be able to transfer money at all due to the lack of banking apps that work on Linux phones.

[0]: https://en.wikipedia.org/wiki/Chip_Authentication_Program

1 more reply

joe_mamba24d ago

Banks used to give us those RSA tokens in the past for securely logging in to the web UI, but then discovered they can cut down on cost since everyone has two brands of smartphones.

1 more reply

j / k navigate · click thread line to collapse

0 comments

joe_mamba24d ago

If this is similar to LineageOS, then it's always potentially only a matter of time until some banking and payment apps stop working due to failing security attestation pushed by a Google update.

We need native apps that pass attestation out of the box for that phone/OS, not relying on hacks that may or may not work in the future.

This is not good UX and it poisons the well if you push users to a new platform then they discover some apps don't work as you promised.

femto24d ago

Beats me why banks can't use a FIDO2 enabled web site.

Hackbraten23d ago

It’s the reason I own a device that looks like this [0]. Without it, I wouldn’t be able to transfer money at all due to the lack of banking apps that work on Linux phones.

[0]: https://en.wikipedia.org/wiki/Chip_Authentication_Program

1 more reply

joe_mamba24d ago

Banks used to give us those RSA tokens in the past for securely logging in to the web UI, but then discovered they can cut down on cost since everyone has two brands of smartphones.

1 more reply

j / k navigate · click thread line to collapse