> Not in Spain. I can access my bank's website but I can't do anything without their bank app.
I don't know about Spain specifically, but as far as I understand it no bank in the European Economic Area + UK should allow banking via just the website alone anymore, because of the "Revised Payment Services Directive" (PSD2) regulation.
Essentially, banks are required to implement "strong customer authentication", which in essence is just multi-factor authentication with a password + either biometrics or a security device of some sort.
And in practice that means a banking app, because most people do not want a separate token they have to buy and can lose. Though a lot of banks do offer those as well.
In Estonia you can easily do banking via the website on all the banks (LHV, Swedbank, SEB). That said, we do have it all integrated with our digital-ID (which every ID card has private keys encoded into with a PIN you know) so it's not like you can access it with a simple password (our online voting works the same way).
Can the PIN change? How do you issue a new key if needed? How does it integrate with the voting?
Voting, much like all other things in Estonia such as getting married/divorced, doing taxes, signing documents, starting/closing companies, notary dealings, bank dealings, selling/buying vehicles, and many more things I can't even think of right now are entirely done via the digital ID that every citizen has. This means that you authorize/sign actions with it, including voting, because only you have your private keys (either in your personal ID card, in your phone's sim card, etc) that you yourself know the PIN for, which then authenticates you as being you. I think we're now at a point where there isn't a single government or business dealing you can not do entirely online (https://e-estonia.com/solutions/).
> in your phone's sim card,
Phones and SIM cards are a lot more temporary than ID cards. I don't know of a lot of thieves that target ID cards for their authorization uses. Phones... people will steal those.
You can close your Mobile-ID when your phone gets stolen so the security keys on it will be useless, and even if you don't close it, nobody can use your security keys without your PIN, which is in your head.
> Can the PIN change?
You can change it in the app, yes.
> How to issue new key if needed?
I think you’ll have to reissue your ID.
There’s also digi-ID (similar e-signature certificate on a card, but without any ID features), Mobiil-ID (e-signature on a SIM-card, no idea how it works), Smart-ID (in app, tied to secure storage in Android/iOS, cross-signed by the server which is supposed to check the device somehow) and probably something else I don’t remember. All of these are independent options, so you can, for example, revoke your Mobiil-ID if you lose your phone, and still use your main ID card to sign things.
> You can change it in the app, yes.
Is the app tied to Google or Apple?
Nope, there’s a desktop version, too. And it’s all free/open source: https://github.com/open-eid
(Though Smart-ID is its own thing and is a fair bit more locked down, but I’ve managed to get it running on a phone without Google services IIRC.)
Wow, that is definitely more sophisticated than we have in the states. It seems like you can use it for things that one would otherwise need a notary for, that is such a timesaver.
Wow, that is nice!
How much does the certificate cost, and how long does it last?
It costs as much as your ID card costs by the government, and lasts as long as well. They are one and the same. Applying for a new ID card / national ID document in Estonia costs 35€ and the document is valid for 5 years. If you forget your PIN code, you can reset it with your PUK codes, but if you also lose your PUK codes you need to apply for a new ID card. The process for getting a new ID card from the moment you applied for it takes no more than 30 days. You can also have it fast tracked for 250€ and get it in 2 days.
But, like the parent said, you have many other options other than the physical ID-card as well. Most people these days use Mobiil-ID or SmartID, which works on your phone and even smart watch. SmartID is completely free and Mobiil-ID is tied to your phone's carrier, so the cost varies, but it's a one-time set-up fee of around 5€. Mobiil-ID certificate also lasts 5 years.
TOTP not accepted?
(When will people learn that biometrics are not another factor: they're entirely public and irrevocable. It's not just security theater, but Apple & Google know that this forces you into their ecosystem, which should be illegal. Of course, Brussels is full of rubes anyway.)
The question is what generated that TOTP code. The banks must ensure that they "are independent, in that the breach of one does not compromise the reliability of the others," as article 4(30) states. That text is vague as hell, but published opinion of the European Banking Authority on the matter[0] is:
"a device could be used as evidence of possession, provided that there is a ‘reliable means to confirm possession through the generation or receipt of a dynamic validation element on the device’"
So in essence the TOTP has to be bound to the device in a way that prevents users from just extracting the secret and putting it in their password manager. Hypothetically that would still allow Yubikeys and other security keys that provide attestation from the factory, but in practice banks probably don't want to deal with the support headache and just provide their own, like the TAN generator mentioned by other commenters.
Two other highlights from the interpretation of the EBA:
"App installed on the device" -> not sufficient/compliant
"In the case of an SMS, and as highlighted in Q&A 4039, the possession element ‘would not be the SMS itself, but rather, typically, the SIM-card associated with the respective mobile number’."
"SIM-card associated with the mobile number" - is that even technically possible? Do mobile carriers provide an API for banks to verify that a number still corresponds to the same SIM card? If so I've never heard of it.
[0] https://web.archive.org/web/20191207213213/https://eba.europ...
But they do use apps, and since everything happens on a smartphone - a single point of failure - they aren't independent.
Like most security regimes, it's both overly prescriptive and woefully insufficient. In short, dumb. :(
TOTP not accepted, because the confirmation for payment must include the amount to be paid, which cannot be done under TOTP as far as I know.
Some UK banks (Nationwide and Barclays I know for certain) have had mini card-reader PIN devices since around 2010 that they've given customers, that basically generate on an LCD screen an 8-digit code for authentication.
When confirming a large transfer, you also need to enter the payment amount in the device, and I assume this gets hashed into the number as well.
More recently (last 3/4 years), you can also use their mobile app to do this instead / as well as.
Moved from the UK to Germany. My German card reader is even better, no manually entering the transaction details, I just scan a QR code from my laptop, and the card reader display shows the IBAN and amounts, before I confirm to get the code.
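The difference the last few comments describe, between a plain TOTP code and a card-reader code that has the payee and amount mixed in, as an added example that is not from any bank's actual scheme or from the original thread: the TOTP below is RFC 4226/6238, the `transaction_code` construction (HMAC-SHA256 over a bank challenge, IBAN and amount) is assumed here for illustration, and the secret, IBAN and challenge are constructed sample values.

```python
import hmac, hashlib, struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: float, step: int = 30, digits: int = 8) -> str:
    # RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). Nothing about the
    # payment enters the computation, so one code "confirms" any transaction in that window.
    return hotp(secret, int(now // step), digits)

def transaction_code(secret: bytes, iban: str, amount_cents: int, challenge: bytes) -> str:
    # Assumed dynamic-linking style code (constructed for this example): HMAC-SHA256 over the
    # bank's challenge plus the payee IBAN and amount shown on the reader's display, truncated
    # the same way as HOTP. Changing the IBAN or the amount changes the code.
    msg = challenge + iban.encode("ascii") + struct.pack(">Q", amount_cents)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** 8).zfill(8)

def bank_verifies(secret: bytes, iban: str, amount_cents: int, challenge: bytes, submitted: str) -> bool:
    # The bank recomputes the code over the transaction it is about to execute; a constant-time
    # comparison avoids leaking how many leading digits matched.
    return hmac.compare_digest(transaction_code(secret, iban, amount_cents, challenge), submitted)

# Constructed sample values: a shared device secret, a bank challenge and a payee IBAN.
SECRET = b"12345678901234567890"
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
PAYEE = "GB29NWBK60161331926819"

def demo():
    # The customer confirms 100.00 to PAYEE on the reader. If malware in the browser swaps the
    # payee (or bumps the amount) on the way to the bank, the code the customer typed no longer
    # verifies, whereas a TOTP code would have been accepted for the altered transaction too.
    code = transaction_code(SECRET, PAYEE, 10000, CHALLENGE)
    genuine = bank_verifies(SECRET, PAYEE, 10000, CHALLENGE, code)
    swapped_payee = bank_verifies(SECRET, "DE89370400440532013000", 10000, CHALLENGE, code)
    bumped_amount = bank_verifies(SECRET, PAYEE, 1000000, CHALLENGE, code)
    return genuine, swapped_payee, bumped_amount

if __name__ == "__main__":
    print("genuine, swapped payee, bumped amount:", demo())
```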
> And in practice that means a banking app, because most people do not want a separate token they have to buy and can lose.
It can be SMS. As said in another comment, the main banks in Spain offer this authentication method while being PSD2 compliant. Some also offer a card with coordinates. So it's not mandatory in any way to use a banking app.
Probably not for much longer though. Several countries, including mine, have already banned SMS 2FA for banking, and it's likely that that will be implemented for all of Europe in the near future, possibly with PSD3. Not that SMS 2FA was ever a good idea in the first place.
But yes banking apps are not mandatory, and likely won't be in the near future either, though the alternatives are treated a bit like second class citizens.
My bank offered that option but not anymore. The use of their app is mandatory now.
Edit to add this anecdote. My bank told me I need to use their app because SMS is not secure, but you need to activate their app using an SMS code!