Webapps solve this completely. You login to a service as we have been doing forever. And the control is still on their side when you use a webapp. Almost every single app that is on my phone can be a webapp.
Websites as platform can't solve a problem that's social in nature - that it's allowed and accepted for organizations to have such excessive, invasive levels of control.
The parties I accuse of driving this problem didn't suddenly go rogue when smartphones happened. They always wanted this level of control (and much more) - they just couldn't get it until relevant technologies matured enough.
I'm not speculating here - we have actual empirical evidence to confirm this. A clear example is that there are several countries that, unlike the US and most of Europe, went all-in on Internet banking back before smartphones. Web limitations and conventions didn't stop them from doing the same thing everyone is doing with the phones now - the banks there just force customers to install malware on their computers, so they can do some remote attestation and KYC (and totally no marketing data collection) on their PCs.
Most of the West never had this because of the inverse of the leapfrogging phenomenon - big, developed economies had too fast progress and at the same time too much inertia to fully adopt a pre-smartphone solution nation-wide.
My bank has a website which I can log in to and just use. It does not force me to install anything. I need to type a username, password and SMS code, that's about it.
Not every org provides that choice. If your child's activities class only communicates via an app and that is the only option in a given radius, rejecting that will mean your child doesn't get to do their activity. There are other examples that are way more serious and make avoiding installing apps infeasible.
Because your bank isn't even trying to be secure, relative to what's considered industry standard.
Be grateful while it lasts.
Why do you think their bank "isn't even trying to be secure"?
Because SMS is not considered a secure 2FA mechanism anymore, and hasn't been for a while. If that's the default for that bank, and not GP going out of their way to pick a legacy access path, then they're about a decade behind what's considered industry standard -- which today is querying a second factor not just per login, but also per important operations (money transfers, dispositions, changes in settings), with the second factor being by default a smartphone with hardware and software integrity verified via remote attestation.
Then literally every US business and government is not trying to be secure. I cannot name a single organization that does not have the option of or requires SMS 2FA.
I think the government and large businesses like it that way, as it makes the mobile network providers as a sort of credit check (or “are you worth dealing with”) mechanism.
Now that is more of a problem than a bank. Which is why someone needs to integrate OTP tokens into ID cards, closing the issue.
I haven't heard a compelling reason why remote attestation is more secure.
The whole point of 2FA was to have two devices that you own. Now the bank is forcing your login and 2FA to be on the same device. Which is the easiest device to steal.
What about SMS is somehow worse than that?
It's fairly easy to get control of anyone's phone number without interacting with them in any form. Just some social engineering at the kiosk in the mall.
It is extremely common for people's phone numbers to be stolen (even if temporarily), and then their bank accounts drained.
> Just some social engineering at the kiosk in the mall
What scenario does a kiosk at the mall get control of my phone number but not control of my phone? I don't see how remote attestation solves anything here. Does the bank suddenly know a stranger is holding my phone?
We go from me needing to open a web browser on my computer and getting verified on my phone, to now my most important operations have to be from my phone. That's worse.
I am not arguing for some alternate solution. But sim swap attacks are common and relatively easy to do [1].
> The scam begins with a fraudster gathering personal details about the victim .... the fraudster contacts the victim's mobile telephone provider. The fraudster uses social engineering techniques to convince the telephone company to port the victim's phone number to the fraudster's SIM. This is done, for example, by impersonating the victim using personal details to appear authentic and claiming that they have lost their phone.
SMS 2FA should simply not be used if one cares about security.
[1] https://en.wikipedia.org/wiki/SIM_swap_scam
> What scenario does a kiosk at the mall get control of my phone number but not control of my phone?
You can e.g. smooth-talk the customer service at a kiosk to give you replacement SIM card for the one you've "lost".
This is why banks increasingly don't trust your phone number, and their apps tie themselves to the phone itself, i.e. to hardware and OS IDs. But to trust those IDs, they need the phone to pass remote attestation.
Uh, banks still provide separate tokens and one time pad cards last I've heard.
If yours doesn't, pick one that does.
The larger point here isn't whether they do, but that they'd rather not. They want you to rely on their app, and have been pushing people to it for years now (some more intensely than others).
> clear example
> several countries
Doesn't name a single one
...
South Korea is the go-to example I've seen brought up on HN many times over the years. AFAIR, they used to legally mandate ActiveX controls to access banking and government portals, and that practice continues to date even though the legal mandate was dropped. From what I read, there's still a set of applications that are commonly required to access banking and tax filing services, that purport to provide a degree of remote attestation and "security" (firewalls, detection of keyloggers and screen capture), and to access digital certificates.
Brazil is another example - ironically, the software suite that's commonly required for banking is named after the capital of the country I live in :).
Some quick searching now also flags Slovenia and Serbia as places where some banks require custom desktop (or even Windows-specific) software to access banking services.
This works only as long as the webapp allows you to log in using a username/password and/or 2FA which is not tied to a smartphone app. More and more countries are moving to digital identity solutions, and while many of them offer hardware tokens as alternatives to apps, the future looks like one where smartphone apps will be only option.
Banking websites will tell you that you need 2FA. Of course you need to use not just any 2FA, you need to use their app, and of course you don't need 2FA if you use the app directly for banking. My company's equity app does not even want to run on LineageOS. At the moment it looks like a second phone will be necessary at some point.
The revised Payment Services Directive (PSD2) in the EU describes standards of strong authentication, and for the end user it means that mostly the bank's mobile app is being used as 2FA for logins and operations within the account.
I'm not sure if physical tokens are being used anywhere but if they are, that's rather rare nowadays. It may be an option reserved in bigger banks or for business customers - I can see one of banks in my country offers it for a request and not by default.
Edit: it seems it's a feature for business indeed and banks opted for Cronto system - https://www.onespan.com/products/transaction-signing/cronto
For now, my banking app actually runs on GrapheneOS. My digital identity app that it requires to log in does not, but luckily my government also offers an NFC chip that I can just scan instead.
Two phones is such an unsatisfactory solution because it will be too impractical, too expensive, or both, for the vast majority of people.
Is there anything preventing use of something like Keepass vaults as your 2FA solution?
Yes, the fact that these 2FA systems aren't based on the time-based one-time passwords you're probably thinking of. It's a push notification that you need to open and approve in the official app.
The 2FA is not TOTP, it’s push notifications to the bank’s proprietary app
They're working hard on shutting that down as well with Passkeys. It's only a matter of time until the only way to log in will be through de-facto proprietary apps.
But, it doesn't. The browser is unsupported for many of the above-mentioned applications.
Can I get an example of a single one that can't be found on the web?
I seem to remember Venmo and Cash App had near useless web portals. TikTok's web app is very poor. Reddit's mobile app has functions not available on web. I bet the McDonald's web site doesn't let you order for pickup and get the deals (does Starbucks?). CapCut's web site sucks, and their desktop app is missing a bunch of features the mobile app has. I'd guess an absolute ton of betting apps don't work on the web because they are trying to do good location checking. Does Shazam even have a web version? What about mobility apps like Uber/Lyft and the bike/scooter ones?
On the flip side of the coin, some places are locked to web apps because Google & Apple won't allow them to exist. e.g. OnlyFans and Playboy can't get in the app stores, but OnlyFans still manages to make several billion dollars a year, most of which is almost certainly mobile.
I think you're misunderstanding my conjecture. My point is that there is no technical reason these features can't live on the web. I'm not talking about the incidental or intentional decision by some company to force user behavior by not providing a web solution.
Yes, theoretically anyone could build anything. Building it is not, nor was it ever the hard part.
There’s no financial, political, or mass market incentive for browser APIs to have feature parity with mobile OS APIs. Approximately nobody wants to do what you’re asking for. If anything, there are incentives against doing this.
Netflix? Telegram's push 2FA? Any mobile wallet application? The vast majority of dating apps? Any of the app-only social networks? Basically all keyless entry applications?
All functionality found on the web.
Have you tried?
* Netflix does not load in a mobile browser, it directs you to download their app.
* web.telegram.org sends a 2FA push notification to their app
* Apple wallet/ Android wallet do not have web apps
* Popular dating apps, e.g. Hinge do not have web apps
* Some social network apps, e.g. BeReal do not have web apps. Many others have reduced features.
* I have never seen a keyless entry app that supports the web, at least not from a mainstream manufacturer.
Can you name a single browser app that can do NFC payments in the US?
Firefox supports Netflix web app. It prompts you to install the Widevine plugin.
I use Netflix web version on my linux desktop all the time.
We were talking about mobile browsers. Obviously I am aware that people watch Netflix on their laptops.
Being a web app doesn’t mean shit. We already have DRM encrypted web content where the consuming device requires some attestation to decode. I.e. Widevine.