Also, they still expect you to authenticate when they phone you. No, I'm not going to tell you my birthday when you phone me. No wonder so many people get scammed, when banks are training people on how to get scammed.
Recently had to call Discover because of unauthorized use of card, apparently to buy Facebook ads of all things. They didn't call me, just locked my account and said I had to call them. I couldn't even pay the balance until I did.
Anyway they needed to verify my identity, so they ask me for some info from the back of the card and a phone number that they can send the OTP to. I give them a phone number, it's not even the one on the account, they send the text to it. The text message says that the bank will NEVER ask for the code over the phone. They ask for the code, I give it to them, identity verified.
> and a phone number that they can send the OTP to. I give them a phone number, it's not even the one on the account, they send the text to it.
This regularly blows my mind.
Presumably it’s some data broker or phone carrier integration, because for me, the answer is usually “sorry, we can’t verify that number, is this a postpaid contract in your name?”
No, it’s not. Oh, that’s a requirement for doing business with you? In that case, I won’t.
People get new phones and new phone numbers. Frequently, compared to landline days. The alternative is to be permanently locked out of everything if you get a new phone number.
Well, I’m not doing business with a company that trusts any random phone carrier’s identity assertion more than me in determining what is and isn’t my phone number, so I guess it works out nicely.
And if a company can’t be bothered to have a fallback verification flow in case I do lose access to my phone number somehow, that doesn’t increase confidence either. I’m a person, not a phone number.
The parent's gripe is presumably about many bad SMS-based 2FA implementations banning non-post-paid numbers from use.
E.g. Blizzard (assuming they still do this)
If they want to be aggressive about fraudulent activity, fine, but don't restrict perfectly valid phone numbers from being used in their required 2FA scheme.
Wells Fargo too. Every other banking institution says never to give an OTP to someone on the phone, but that's exactly how WF verifies you when you call them. The only thing is that they do text the number already on file with them, not a number you give them on the fly, but that's only microscopically more secure.
Background check for a new employer resulted in me getting an email to my personal account:
"Hi, I'm XYZ from XYZ background checks, I'm conducting your pre-employment check, and I just want to confirm that your full name is V, your DOB is W, your place of birth is X, your address is Y and your full SSN is Z...
... and that this is the correct email address for you. Please confirm."
Holy hell. Thankfully I reached out to the employer about this (and the background check company's attempt to reach out to my partner on Facebook for ... something? This wasn't a security check, just a regular employment background) and they were as horrified as me, apologized, and fired their background check provider.
Hah, my employer in Sweden recently started using one of these security training companies. They send you emails with some online courses you're supposed to do and then occasionally send phishing attempts, etc., and when you fall for one they send you an email about what you did wrong.
Out of interest I clicked on the link in one of their "phishing" emails and I was redirected to a link where they essentially told me "never click on links in emails, you never know where they lead to". One week later I get an email "please click on this link to complete the second part of your course". Obviously I never completed their course, they told me never to click on links.
What's even worse is that they don't even use their own domain for the courses, but some random looking domain.
I'm a software dev. When I get phishing mails I often click the links to check out what the scam is. I open in a separate browser I don't usually use, so there isn't anything in it for the phishing site to gobble up. And yeah, I trust that the browser sandbox is good enough, that no one is going to waste a zero day exploit on me in order to break it - hackers also have economic constraints. If I was working on something super sensitive, then I should use a VM, but I'm not so I don't.
I also did this at work, and yeah it was a fake phishing mail sent by a security company, and I had to do a quick 20 min online course on email security best practices. Yay. Me and like 3 other dudes, who clearly all also understood it was phishing and were just curious about the scam.
When they introduced the weird fake phishing mails at my last work place I checked the email headers and just filed it into a separate folder. My coworkers were happy to get rid of the spam as well.
My rule is simple: if you contact me, you are the one that has to authenticate. Otherwise you are probably a scammer.
Although, I haven’t had many instances of communications from my bank where I cared about them authenticating. Like, if they tell me there is a problem, I can go check it out through the app, website, or whatever the user-initiated channel is. When I feel like it.
I don’t have a good way to authenticate someone is calling from the bank on my end.
I ask what the basic issue is, then call the general bank number (or a number to their department, which I validate online before calling it). That way I’m initiating the call to a trusted number, and they can go through their process to authenticate me. Every time I’ve done this the person calling has understood and seemed to appreciate the caution.
Unless the system you use to check that balance is compromised on your end or their end. If you have malware, they can be looking at the same numbers you’re looking at, so that isn’t fool-proof. If your account is already compromised, they may just be phishing for 2FA tokens to initiate some kind of account change, like the kind that would complete their total account takeover, at least until you or the bank notices suspicious activity.
It is such a goddamned tragedy that we’ve come to this. And also an avoidable one: every E2E messaging app (WhatsApp, Android Messages, iMessage) should be able to properly authenticate the caller. But I presume services are asking too much money for this, and nobody wants to hand yet another vital service to Apple/Google/Meta. So instead we all suffer.
Be careful what you wish for. This problem is solved in China — you can contact many government agencies and major companies over WeChat and be sure that you're talking to the real entity, but the downside is that WeChat has a copy of your passport and knows everything about you.
I stick to this except when I make some unusual credit card purchase and immediately get called to verify it. I don't like it, but usually I need to make the purchase. If someone had the feed of risk denied CC purchases, they could gather a lot of personal information. Probably there is lower hanging fruit for fraud.
Can be both. You need something from a bank (for example a money transfer), and they call you to confirm. In my case this is 99% of all incoming bank calls to me.
I don't know what your point is then. I've gotten important calls about fraud that it was certainly in my interest not to ignore. And it's easy to call back to verify it's the bank.
It's stupid to give out credentials over the phone, but it's stupider still to have a system where one's birth date is a credential that is supposed to remain confidential.
If only there was a tamper-proof, cryptographically secure chip in everyone's pockets, coupled with a handheld device that can wirelessly "read" that chip.
If it's in your pocket, then you might leave it in your other pants. Better to just have that chip embedded in your palm. You can even fashion it with LEDs that change color with your age. When you reach 30, you can then be told your Last Day has arrived and they are ready for Carrousel. I'm sure we can fold in plenty of other sci-fi tropes all at the same time too
Birthdates are frequently asked in US health settings not as a protection against attack, but as a protection against mistake.
They are not worried that someone is going to come in, and steal your appointment. They are worried that someone with the same name as you might show up on the same day and the doctor might treat the wrong patient with the wrong information.
This is a completely different risk profile than a form on the internet.
They should also specifically ask you to say it, not confirm what they say.
Because I have literally seen this go wrong: “Mr John Smith, you’re here for procedure X, yes?”
“Yes”
Some other provider overhears: “I thought that was Mr Jones for procedure Y”
“Are you Mr Smith or Mr Jones?”
“Mr Jones”
“Then why did you say yes when I asked if you were Mr Smith”
“I assumed you knew best”…
I have the same name as my father (first and last, different middle). We live at the same address. It’s a small town so we share a lot of the same doctors. We use the same pharmacy.
For just a bit of extra spice, our birthdays are only two days apart.
This is how we unintentionally found a relative of my former girlfriend. Went to a small pharmacy to pick up medicine for DF, where the F is a really weird last name. They were like I just filled that, reached back and grabbed it and set it on the counter. I noticed it was the wrong address...
A person she hadn't seen or talked to in 20 years had moved to this town neither of them were from and named their kid the same name.
I had someone ask for my name. I told them my first and last name. They said it wasn't correct. After a few minutes of discussion, it turns out the person wanted my name as it appeared on my card, which is first name, middle initial, last name and a suffix. I told the person as feedback that what they asked for and what they wanted were two different things. I'm not optimistic that anything will change.
No, it’s the lack of the banks setting up incentives that allow these agents to act in a better manner.
They have metrics and bosses. They do what they’re instructed to do by the banks, full stop. Or, more precisely, by the company that the bank contracted for the service.
It’s dehumanizing to suggest these folks lack critical thinking skills, given that the incentives of the whole thing, from the top down, drive their behavior. They’re only responding to the incentives of the system.
The passcode to call your bank for basic customer service probably shouldn’t be the same passcode that lets people spend money on your account. Even TOTP is better than this.
There are absolutely ways to intercept a call from a targeted user that would be viable to use to gain access to a mid to high value user's funds.
SS7 call routing and rogue 2G base stations are some potential approaches.
In terms of banking security, a good (ideal) architecture would treat the user PIN as a credential which is not transmitted over insecure means. Unfortunately many banks don't do this right, and still support bank-side PIN verification (with the PIN sent over the wire to the bank), rather than using the bank card's smart card features to carry out on-chip PIN verification.
If you built a bank from scratch, for security first, you'd likely still use smart cards as bank cards, but you'd only do PIN verification on-card, so the user PIN is never exposed to even the bank - the card can securely vouch for the PIN in a manner that's far more costly for an attacker to defeat than using a $5 wrench against the user of the card to make them reveal the PIN (h/t to XKCD).
Sending the card number and PIN over the phone is just asking for trouble - mobile phone calls are decrypted at the base station and available in the clear, before being transmitted up into the wider telecoms network.
While this is true, this is a completely different threat model than most people face.
For 99% of people, 99% of the time, what they need to worry about is someone calling them suspiciously asking for key information.
The fact that targeted attacks like that exist does not make it a good idea to treat them as ubiquitous. People with the kind of money that would make executing such an attack worthwhile should be expected to take higher precautions than the rest of us with it.
In Germany, paying for goods online using Sofort (direct bank payment, not buy now pay later) literally involves typing in the same credentials used to log into online banking, that’s your account number, branch and PIN, followed by scanning a “TAN” similar to a QR code using the bank app. The only thing stopping them taking my data and logging into my banking it seems is the TAN app part, that could easily be phished.
Is this another incarnation of Sofort? Fortunately nobody is forced to use the former or the latter; you can either pay with card or just make your own SEPA transfer from any bank in Europe.
At least in Lithuania the "nobody is forced to use" is partly true. Sometimes in the checkout flow you get links to the big-5 banks and that's it, even though technically the entire SEPA should be ok.
It was a proud day when my bank stopped sending emails with links in them. Of course their outsourced fraud prevention dept still calls and leaves messages with callback numbers, or just asks me for PII. Fuck off.
Send people to the website to find your number, idiots.
My bank also promises to never send links. Instead, it sends all of its messages as images without any alt text, and these images sometimes contain links to retype.
My dad recently got a letter telling him that his bank account would be closed in 30 days if he didn't call the phone number listed on the letter.
Upon calling the number, you get an automated system that immediately asks for your social security number and won't let you proceed until you do.
The phone number was nowhere to be found on the bank's website nor did it appear in a single Google result.
Sounds like an obvious scam, right? Nope. It was genuinely one of the bank's official phone numbers, and I had to nag them through three separate channels to get them to add it to their website, which they did a week later.
Social Security just tried to authenticate my wife's birthday this way. She told them no, give me your phone #. It googled to SSA in Alabama and she called it up and proceeded from there.
Businesses that expect me to hand over PII when they call me certainly do get upset when I point out that I have no idea who THEY are, and that THEY called me so the onus is on them to prove who they are (typically they will claim their phone number is enough, or that I should ring the phone number that they provide).
The actual truth is, though, that the security theatre that they put on is about all that can be done when two strangers meet to prove identity.
Hey you do you know a secret that we know about you? Here's a secret about us that you are supposed to know.
The complete lack of ANY kind of security, usability, and reference-ability in telephones and the continued use of them as the default communication method in business is absolutely fucking baffling to me. It's literally the worst communication method for anything: It requires verbal back and forth between two parties that's entirely dependent on your hearing the other person, with built in opportunities for mishearing. The immediate back and forth puts pressure on people to have everything they need ready lest they have to take time to respond while they figure something out. The entire conversation unless recorded is completely lost to the ether as soon as it ends, there's no way to reference back to any history, and transcriptions over crappy phone connections are less than useless. And to top it off, there is NO security AT ALL for these things, and any attempt to screen by contacts is constantly thwarted by every business that exists having between 4 and 4 billion fucking phone numbers because everything is done with phones and everyone working there needs one.
I swear, if I got one wish from a genie, I would banish the phone from existence. It's the worst for goddamned everything. Video calls, skype calls, discord, email, texts, messaging, literally everything is better than the shitty old phone.
I had a revelation this year: I have a new bank account and am not familiar with their procedure. On the first few calls they made to me, they asked some good questions; aside from my name, they were negative, e.g. did you do X thing in your app, when we both know that I did not. But then last time an operator called and asked me PII questions (birthday, address etc.). I got triggered and said "eh, sorry, won't tell you because unsafe". And she went "oh, no problem then - I will auth you in the app". Lo and behold, immediately I got a push from the bank app with her name, the phone number calling and some details. So they do have a perfectly 1) safe, 2) repeatably reliable, 3) and fast way to authenticate customers. They just mostly ignore it. I still simultaneously like them and am angry at them.
tl;dr - bank calling you can do auth digitally on phone, but don't do it and don't advertise it to clients.
Banking is pretty dysfunctional in Sweden. Lots of bank employees seem not to want to work, i.e. they were refusing to open a bank account for me on an EU passport until I asked for written confirmation (which they have to give by law), when suddenly it wasn't a problem anymore (a colleague went to the same bank some months later, same employee, was told the same thing, so it's not that they don't know the rules). That said, they do have authentication down. Essentially you use your mobile bank id (an app that you connected via your id card) and when they need to authenticate you they push a notification to your phone that you confirm (using a PIN). The only annoying thing is that mobile bank id only works on Android and iOS.
Can we get rid of the password expiration too? Requiring that users change their perfectly secure password every 6 months is absurd and gives the impression of security when in reality it only makes things worse.
Banks are aware that NIST and various other bodies have updated their guidance about password expiration. Even vendors like Microsoft who supply extensively to financial services, have updated their guidance about password policies.
At this point — barring edge cases of operating in geographies where regulations haven’t caught up — it’s just inertia, aka “inaction doesn’t get you fired (usually)”.
I have been in three different organisations now with this same excuse, and actually called their insurer to clarify. In all cases, the insurer asks about the password policy, such as expirations. Complete absence of a written policy is a problem. Non-expiring passwords was not.
Someone in management took the application form and justified their own belief on security, and two of those three companies still tell staff "it's because of our insurer" even after being given the facts.
One hundred percent. I’d be interested to see how many people resort to having weaker passwords just to try to remember the new password every 6 months. I know many folks are proud of their password ‘system’ of using the same word and adding different numbers every time they need to change it. Not helpful.
If the website gets one of those it works. If they get multiple examples of the password system in action, how hard would it be to guess elsewhere? You might not even remember that you've used one variation before.
I keep a long list of strong passwords and some 50 pins in my head, at least I think I do.
I know a guy who regularly gets locked out of things. It's a terrifying process. Everything unravels.
Password1, Password2 ... Password123456789 - I can do this all day. And really you should, as a password you can easily remember is a bad password, so the first part that doesn't change is the important part.
This is fine for services you can easily access on a phone or computer.
My employer requires I change my laptop password every 60 days, it stores the last 2 years of passwords to prevent reuse.
I am not opening up LastPass and plugging in a 32 character random string every time I want to start my computer up. My password at any given point is either a few random words and a number, or a short (8-12 character) alphanumeric string without symbols. But you know what it always is? On a post-it note stuck to the inside of my laptop.
My employer is consciously choosing to make my laptop less secure because the CISO is an idiot.
I once joked (I think because my employer had a similar, crazy requirement) that my keyboard's firmware was programmable, and I could just reprogram that FW so that Level3Shift+some key would rattle off the month's password.
Believe it or not, "Yubikey" security keys have about 8 different configurable modes. One of them is "emulate a USB keyboard and enter a static password".
So not only could you implement your idea - you could also tell people you "log in with a yubikey" and they'll think you're at the forefront of security.
The only solution to this problem is to put your password on a post-it note in the most obvious place possible? Are we sure the CISO is the idiot in this story? This sounds like malicious negligence. I sure hope nothing that actually matters is on your system.
Well, a TPM would eliminate this user-hostile auth dance, although that security model is different than a password.
Failing to recognize and channel human behavior into positive behaviors and outcomes does suggest a level of ignorance/arrogance outside of extreme situations.
There’s probably a type of data one might handle to justify physical access threat models, but incompetence and out of date knowledge from these types is far more likely. FWIW something like a third to half of CISO’s are from nontechnical management backgrounds, based on surveys I’ve seen.
I think it’s valid to question the wisdom of a CISO using misguided password guidelines. I don’t think it’s valid to respond to guidelines you disagree with by willfully sabotaging security. You relinquish your righteous position on password security when you put your password on a post-it in your laptop.
You call it "willfully [sabotaging] security," I call it "the best alternative that doesn't leave me with a 30% chance of forgetting my password every 60 days."
1Password is smart enough to let me have a secure, non-leaked password of high complexity that I have memorized, then let me go years without resetting it. I started there and the policies have made my laptop progressively less secure over time.
> Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
8 years later, no one seems to care. Other things that the NIST doesn't recommend is rules such as "letters + numbers + special characters". What it does recommend is checking for known weak passwords, such as passwords that are present in dictionaries and leaks or relate to the user name.
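An added illustration of the verifier-side checks the comment above lists (blocklist of leaked/dictionary passwords, context words from the user name, no composition rules, no expiry). This is not code from any commenter, bank or from NIST; the blocklist, user name and service name are constructed stand-ins.

```python
"""Memorized-secret checks in the spirit of NIST SP 800-63B section 5.1.1.2.

Constructed example. A real deployment would use a large breach corpus
rather than the tiny blocklist below.
"""
import unicodedata

# Constructed stand-in for a breached/dictionary blocklist (lowercased).
BLOCKLIST = {
    "password", "password1", "123456", "qwerty", "letmein", "welcome1",
    "iloveyou", "summer2024", "changeme",
}

MIN_LENGTH = 8    # 800-63B: at least 8 characters for user-chosen secrets
MAX_LENGTH = 64   # verifiers SHOULD permit at least 64 characters


def normalize(secret: str) -> str:
    """NFKC-normalize so visually identical Unicode input compares the same.
    No trimming or case folding: secrets are accepted as typed."""
    return unicodedata.normalize("NFKC", secret)


def context_words(username: str, service: str) -> set[str]:
    """Tokens a verifier should refuse inside a secret: pieces of the user
    name and of the service name (e.g. 'acme' for acme-bank.example)."""
    words = set()
    for raw in (username, service):
        cleaned = raw.lower().replace("@", " ").replace("-", " ").replace(".", " ")
        for token in cleaned.split():
            if len(token) >= 4:      # ignore tiny fragments such as 'com'
                words.add(token)
    return words


def evaluate(secret: str, username: str = "", service: str = "") -> list[str]:
    """Return the reasons to reject the secret; an empty list means accept.

    Deliberately absent: composition rules (upper/lower/digit/symbol) and any
    expiry logic. 800-63B says verifiers SHOULD NOT impose either, and SHALL
    force a change only on evidence of compromise (handled elsewhere).
    """
    s = normalize(secret)
    reasons = []
    if len(s) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    low = s.lower()
    if low in BLOCKLIST:
        reasons.append("appears in the breached/dictionary blocklist")
    for w in context_words(username, service):
        if w in low:
            reasons.append(f"contains context word '{w}'")
    # Repetitive or sequential runs ('aaaaaaaa', 'abcdefgh') are also named in
    # 800-63B as candidates for rejection.
    if len(low) >= MIN_LENGTH and len(set(low)) == 1:
        reasons.append("single repeated character")
    elif len(low) >= 3 and all(ord(b) - ord(a) == 1 for a, b in zip(low, low[1:])):
        reasons.append("ascending character sequence")
    return reasons


if __name__ == "__main__":
    for pw in ("Password1", "correct horse battery staple", "alice2024!", "abcdefgh"):
        verdict = evaluate(pw, username="alice@example.com", service="acme-bank.example")
        print(f"{pw!r}: {'OK' if not verdict else ', '.join(verdict)}")
```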
And expect people to still implement it in the future, based on documentation from some consultancy that hasn't disseminated the new recommendation internally to their implementation engineers.
Identity providing is a natural monopoly and should be provided by the state in same manner as a passport is provided.
We can discuss the implementation but in Denmark and quite a few other countries, the login problem in online government services and banking is solved by a single state run identity provider (MitID) and hopefully the EU will be successful with their EIDAS initiative and provide a solution that works across country boundaries.
In the U.S., identity providing is not a role the government fills. Not everyone has to have a passport, for example. A passport is merely a purpose-specific tool for crossing borders, not general identity.
You have plenty of government IDs in the US as well. Driver licenses, tax number, birth certificates ...
I think often people mess up the subjects of privacy, freedom and a government provided id. You can have privacy and freedom even if you have a government issued id. And you can have your privacy and freedom taken away from you without the government giving you standardized way of proving your id.
You can’t have privacy if everyone uses the government as an SSO.
People might be more amenable if SSO wasn’t implemented as these stupid OIDC flows where the govt gets to know every time you login to your bank and what IP you’re using, etc.
> You can’t have privacy if everyone uses the government as an SSO.
Why not? Anonymous cryptographic attestation methods (e.g. of only the fact that you are over 18 years old, that you are a permanent resident etc.) exist.
But you can if you live in a well functioning democratic society - remember the alternative is not no id but privatized for profit identity providers like Google and Facebook.
Well functioning democratic society is an idea that the US explicitly rejects, because a democratic society can point a finger at you and that doesn't feel nice.
A well functioning democratic society is one of the valid states before an autocratic regime. The Nazi party was elected.
Apart from regime changes, being a functional democratic society doesn’t protect you from technical incompetence nor does it limit the ability for people with access to the DB from abusing it.
Android and iOS now support driving licenses for seven states. They’re working on an anonymous credential library to allow you to authenticate and verify to websites, and you can use tap-to-ID with TSA. You’re right that not everyone has a DMV-issued ID but other than that, we’re pretty close to having an optional national electronic ID.
In Norway our BankID system, which is similar to what the Danes have, is owned by the banks, and is run by a private company.
While I personally think that in principle it should be run by the government.
It works well enough, and it is imo. proof that it does not have to be run by the government.
Federal government or governments in general? As far as I get, driver licenses are doing in the US what id cards are doing in Europe and are issued by governments too.
While a driver's license does normally fill that role, it's not mandated and not everyone has a driver's license (or even a state issued ID).
Some stuff like voting you can use something like a utility bill. Some stuff will want your birth certificate. Some stuff will want multiple types of documents.
Americans have historically been against mandated government IDs (though mostly with the concept of a federal/national ID).
This whole thread is going to motte & bailey between the various forms of US gov ID. Between the union of {SSN, birth cert, driver's license (or ID in lieu thereof)}, it seems to be there's the equivalent of a federal ID. Just, like everything else we do, a terrible incomprehensible mess to Europeans.
My employer requires an SSN when I start a job. TSA keeps alleging they're going to require Real ID any day now. Voting, if I have my jurisdiction's requirements right, requires an SSN, though most people will experience that in the form of driver's license, since getting a license is usually automatic voter registration where I've lived.
Well, what I was replying to is about who is providing the service. Whether or not the service is mandatory is a different one. I know places on the European continent where having id and registered address is mandatory, but the fine for noncompliance is about 1 EUR.
And the worst part is a federal ID would not enable tracking any more than your employers withholding wages for tax purposes and paying into Social Security does, but every time a federal ID has been proposed (which would be really useful as a way to keep SSNs from becoming something you have to disclose to everyone and their dog) it's been shut down by the "it's all a road to tyranny" crowd.
I could get a Real ID that reads "1060 W Addison St" today. All I have to do is pirate Acrobat, change the addresses on PDFs downloaded from the websites of my bank and power company, and walk into an Illinois Secretary of State office, as that's enough for the residency portion of a Real ID. They do not double-check any of this information, and I know this works because I had to edit a power bill PDF so my SO would have a second document for proof of residency. All it would take is one phone call to find out I'm the only one listed on the account, but it was never verified.
Why anyone thinks a federal ID would enable mass surveillance and tracking is beyond me. The NSA doesn't need a unified federal ID to track us, and law enforcement isn't exactly foiled by people who hold fake IDs or who have no IDs whatsoever (unless being undocumented or Amish is some magical "get out of jail free" card).
The government is already tracking things like your financial investments. Except now, they're doing it in a disconnected and sprawling way, centered around your SSN. Which is insecure.
I'm very paranoid about tracking and privacy, but the reality is that identity verification is just a necessary part of some services. Like opening a brokerage account, or riding a plane. So, if we HAVE to do it, we should have a more secure way of doing it. There's no reason we should be relying on easily-gathered 9 digit numbers.
Ironically, lax to nonexistent data privacy laws and the ubiquitous use of SSNs as globally unique identifiers are achieving exactly the outcome that the lack of government ID verification purportedly achieves.
Italy has quite an interesting system[0] where multiple identity providers (authorized by the State) can be used to provide identification against the central database.
It'll probably be phased out at some point, but it's quite cool.
If it integrates with eIDAS, it doesn't necessarily have to be phased out. A very good pragmatic decision of eIDAS was recognizing that many member countries have different existing eID schemes, and federating them is easier than rolling out a new one from scratch.
It doesn't, but there is already a competing system based on the national id card, which is just simpler to explain to people ("you log in with your ID card" vs "you log in with a third party identity provider where you need to create an account"), and the people who championed the old system are no longer around.
Similar for gov't stuff here in Norway, where you can use the govt's own ID system (MinID), the common bank ID system (BankID), and a couple of commercial smart card solutions (Comfides, Buypass).
I have developed for several banks in Europe and EIDAS + other national ID based systems are the standard. Some also allow authentication with their own apps, but still having alternate options smartcard with reader or smartcard based national app.
Most seem to favour using Apereo CAS for it even though it seems overkill and overly complicated (especially upgrading it, lacking documentation) most of the time.
Absolutely not! The moment you have universal state-issued identity, you will be expected to provide it for everything, including tons of stuff that doesn’t require identity. Don’t be a privacy defeatist, the fight isn’t lost yet.
Resist every single effort to make it easier for merchants and private entities to strongly identify users. The rows go into databases and they never go away.
State-issued identity is one of the fundamental building blocks of a totalitarian police state that has universal surveillance.
We have universal ID cards here in Belgium. They have a chip and along with a special card reader usb device you can log in to govt websites related to taxes, pension and basically everything else.
If you have a smartphone you can use an app to scan a QR and log in that way. It's super convenient.
Where is the privacy problem if you use this system to consult your own civil data? Privacy is a thing in the EU, and it's a complex issue mainly because of these tech behemoths that need to know your shoe size before you can use their todo list app.
> Resist every single effort to make it easier for merchants and private entities to strongly identify users
Maybe not having IDs is the reason why the US doesn't have privacy protections and everybody can buy all the data anyway for 5 bucks from ad tech and telecoms.
The moment private entities can avoid spending money on auth and anti-sybil, they will simply default to using the government IdP, because auth is hard and fixing exceptions is expensive (CSRs, etc).
Then, you will simply have to provide full government ID to every business for every transaction. Instant surveillance state (given that they can access all business records).
This is not a world in which you wish to live. It is very important that you be able to transact without ID.
The way identity providers are supposed to work is to not necessarily divulge your identity, but properties necessary for the respective service. For example, they can attest that you are an adult and a citizen of $country, but don’t need to disclose any further information. When using an identity provider with a third-party service, the attested attributes are displayed to the user to approve their disclosure. This is a bit like app permissions, where you can specify which app should be able to have which permission.
But most sites will just require you to attest your full name. Additionally, they will require a unique ID that the govt might not bother changing between websites.
Real name and central ID requirements are anti privacy and have the tracking problems OP highlighted.
> Absolutely not! The moment you have universal state-issued identity, you will be expected to provide it for everything, including tons of stuff that doesn’t require identity.
Indeed this has happened in Denmark already, where for example DBA (the Danish version of eBay) started soft-mandating MitID verification. Soon to be actually mandatory.
At one point I was researching using the Norwegian BankID system to ensure that accounts were real people.
The pricing model didn't make that look like a reasonable choice.
While I'm not surprised an eBay-like service would be fine paying to combat fraud, for a lot of offerings, paying the cost of using such services will not be worth it.
I've lived both in countries that have state-issued IDs and in the US, and I don't have much doubt about where I've felt better protected in terms of data privacy...
I'm so sick of retail clerks who insist on scanning the barcode of my driver's license. To verify I am 21 you don't need my height, weight, eye color, and home address. You can ascertain that by visually inspecting just the first two digits of my birth year.
Do they actually compare the picture on the driver's license to your face or do they only scan the barcode? In some cases the barcode is on the backside. I've many times seen that they don't even look at the side of the card with the picture. So you can just present a suitable barcode for them to scan. "Verification" indeed...
Sounds like you may be aware, but no one should allow that to happen. When showing ID in retail situations I don't allow it to be removed from my hand.
Authentication, insofar as making sure that only signatories on the account can access it and debit/credit from it, is something you have to pay someone something to do, and not something that those in charge of the bank really understand.
If someone does breach an account, it's incredibly difficult to pin on the bank.
If you are unlikely to face a financial penalty for a failure, you don't work to avoid the failure.
I had an e-checking account broken into a few years back. Someone in Atlanta wrote themselves a check for $9k, and it didn't even come close to matching my signature. I'm in Kansas City. I have never been to Atlanta in my life, nor do I regularly do business with anyone in Atlanta. I didn't find out until the next week. It was on me to file a police report and do all of the mitigation. I was reimbursed, but I don't know how the bank came up with that money, maybe they carry insurance for this sort of thing? In order to resume use of online banking, the 1337 h4x0rz in their security department made me do a virus scan of my devices. It's still 2005 there.
There are several obvious things that they could have done - signature comparison using OCR, warnings about unusual logins, warnings about checks being written outside of the usual geographic area I do business in - that they just don't do. If it's obvious and they don't do it, it's because they aren't losing money for this.
You have to think of a Bank's threat model though.
Account compromise is one threat, but the use of valid accounts for money laundering is another. In my view the reason they "get it wrong" is because they don't want you to be able to automate transactions, as that makes money laundering easier...
Therefore, they don't want to use standard TOTP because that's easy to automate.
Requiring SMS-based 2FA is harder (but not impossible: use a modem or maybe an SMS service).
And requiring a special app is quite difficult to automate.
Also, people usually underestimate the problems of TOTP. Losing TOTP is easy. Lose your phone and it's gone. It means game over for a regular person. SMS is light years ahead in terms of ease of recovery. Even after losing your phone, you can stop by a store, activate your SIM back again with your ID. Not the case with TOTP.
Yes, some of the SMS recovery scenarios can make hackers hijack your account easily too, but cell operators have workarounds in place for that. It's getting better.
I don't even know how recovery scenarios work for passkeys.
Whether it is easy or possible is irrelevant. For the 99.7% of the world that isn't a software developer, the real-world observed use case will predominantly be the least-friction commoditized workflow. People mostly have one phone with one authenticator app, and that's what they'll use.
Syncing the TOTP credentials from a cloud account of some sort (iCloud/Google for the masses, Bitwarden or another password manager for more technical users) to the device.
As a fallback recovery mechanism, offline backup codes generated at the time the TOTP is applied to the account.
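The comment above mentions offline backup codes generated when TOTP is enrolled. As an added illustration (not code from the thread or from any bank), this is how a service can issue such codes and store only slow-hashed copies, so a database dump does not hand an attacker a set of valid second factors, and so each code can be redeemed exactly once. The function names, alphabet and scrypt parameters are choices made here.

```python
import hashlib
import hmac
import secrets

# Alphabet without 0/o, 1/l/i lookalikes, since users read these off paper.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def _hash_code(code: str, salt: bytes) -> bytes:
    # A 10-character code has ~50 bits of entropy, so a fast hash would be
    # brute-forceable offline from a leaked table. Treat it like a password.
    return hashlib.scrypt(code.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def generate_backup_codes(n: int = 10, groups: int = 2, group_len: int = 5):
    """Return (codes to show the user once, records the service persists)."""
    plaintext, records = [], []
    for _ in range(n):
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(groups * group_len))
        shown = "-".join(raw[i:i + group_len] for i in range(0, len(raw), group_len))
        salt = secrets.token_bytes(16)
        plaintext.append(shown)
        # Only the salted hash is stored; the plaintext exists on the user's paper.
        records.append({"salt": salt, "hash": _hash_code(raw, salt), "used": False})
    return plaintext, records


def _normalise(code: str) -> str:
    # Tolerate the ways people retype a printed code: spaces, dashes, case.
    return code.replace("-", "").replace(" ", "").lower()


def redeem_backup_code(records: list, submitted: str) -> bool:
    """Consume a code: True exactly once per code, False afterwards or if unknown."""
    candidate = _normalise(submitted)
    for rec in records:
        if rec["used"]:
            continue
        if hmac.compare_digest(_hash_code(candidate, rec["salt"]), rec["hash"]):
            rec["used"] = True  # single use: a photographed page is not a standing key
            return True
    return False


if __name__ == "__main__":
    codes, stored = generate_backup_codes(n=5)
    print("give these to the user once:", codes)
    print("first redemption:", redeem_backup_code(stored, codes[0]))
    print("replay of same code:", redeem_backup_code(stored, codes[0]))
```

Because each record has its own salt, verification hashes the candidate against every unused record; with ten codes per account that is still cheap, and it keeps equal codes from being linkable across accounts. In a real deployment the `used` flag would be set in the same transaction that grants the session.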
Then you make Google/iCloud the point of entry to someone's bank account. That completely changes the threat model for customers, and possibly for worse than SMS.
Offline backup codes, when printed, aren't such a bad idea. But when you lose that piece of paper, again, game over.
SMS is fantastically resilient to these scenarios. There's a reason banks insist on using it.
SMS isn't resilient to the worker at the local retail store for the phone carrier giving someone else a SIM for my phone number. That's a much bigger threat vector than Google/iCloud/a sync target I manage storing an encrypted version of the TOTP credentials.
How realistic is this threat? I would think that the employees would have to jump through hoops that require you to be present (or at least a lot more of your info to be stolen than just your name and number) and that the home network would detect a duplicate E.164 number with conflicting IMEI/IMSI numbers and locations pretty quickly.
This is more like confused deputy than collusion (though that can happen as well), but nevertheless the end result is somebody else ends up with your number, and your device gets deactivated.
If I lose my phone I can go to the office of my carrier, present my ID and receive a new SIM with the old number[0]. If Apple/Google decide that I'm not their customer anymore, then I have literally zero ways to recover anything from them.
[0] And half a year later the bank would finally find out about it and block the SIM 'to prevent fraud' at the most inconvenient time. But again, it's solvable with a visit to the office and an ID.
We're talking about recovery mechanisms, not day to day regular banking interactions. Ultimately, if there isn't a physical branch you can show up to easily, your access recovery time might be pretty inconvenient. This would be a good thing to consider when selecting a bank.
Online only banking is fairly popular for traditional banking services, and wildly popular when you consider money transmitters, lenders, and investment brokerages.
Whatever the problem you think they have with authentication resets -- much of the financial market seems to have solved the problem well enough without in-person resets to have successful mainstream businesses.
Yes, but remember, the original scenario was a person leaving Canada and trying to use their Canadian bank account from the US. There is nowhere to show up. But if they could swallow SMS roaming costs temporarily, they could access their account easily.
MFA is more than 2FA. You'll typically mandate several ways to get in, ahead of time. Whether a third logical device or printing out recovery codes. For something as important as a bank, folks will comply.
The biggest hurdle to money laundering is getting past KYC at the creation stage, which requires you to have stolen identities and/or identity documents, getting past the anti-fraud gauntlet, and probably intercepting any documents/cards that get mailed. Setting up a device farm that can receive SMS OTPs is simple by comparison. All you need is a $60 Android phone and an app with SMS access.
There are ways of getting phone numbers that can be used in automation. Then there's SIM cloning, which is apparently very easy to do and very hard to defend against given how often this happens.
Because the government said so. Why did the government say so -- because the bank is the only place that can see your transactions and has a profile on you and has a dedicated person to call you and ask about that cash withdrawal on the Turkish side of the Syrian border or regular cash deposits of 100k each week in addition to your cop salary.
Alternatively you can just not do anything with money laundering and all that or let the government do the monitoring itself.
HSBC determined its retail banking operations in NA were not worth it any longer due to the liability they faced after their high-profile money laundering scandal [0].
Because look at what happens when the government thinks you don't care enough about money laundering. TD Bank recently got hit with a $3 billion fine.
> More than 90% of transactions went unmonitored between January 2018 to April 2024, which “enabled three money laundering networks to collectively transfer more than $670 million through TD Bank accounts,” according to a legal filing.
This blog post exposes the badness of SMS-based recovery. I think other recovery options such as a Yubikey aren't ideal either, as a Yubikey may simply stop working and you're completely locked out. The specific situation of the author of the blog post isn't dramatic: he can't receive SMS, a personal decision to avoid roaming charges.
But in all seriousness, if there's an authentication recovery standard, it should serve all people including those who are in seriously difficult circumstances (e.g. homeless or ill). The question then is what should recovery look like in those cases.
To me it looks like good old recovery code on paper is the best solution, as it doesn't depend on ever-changing device ports, or hardware malfunction due to lack of use long-term (such as 10-15 years).
I wonder whether authentication apps nowadays address that aspect, and I kinda doubt so (i.e. can you print out a QR code with all account information in your typical TOTP app?).
UBS Switzerland has a decent system. When I first opened the account 15 years ago we had a number pad of codes on paper we entered as the authentication. Then later we got a credit card sized electronic device where we enter a passcode and it gives us a one-time code to enter to login. And now we have an Access app - we go to the website, enter our contract number, point our phone at a QR code on the webpage and authenticate on the app, and the desktop browser logs us in. The access app also is used for logging in with the mobile banking app. It never relied on sms.
Super simple but probably costs some money to develop.
I think it's a Europe thing; we have the same solution in Denmark. Chip and PIN has been in Europe forever. I don't think the US has moved to this yet (although happy to be wrong), and I also believe they still like those bouncy checks that have sort of died elsewhere.
UK Banks like Barclays also had the small electronic credit card sized device from around 2011 or so (and now use the Mobile app for that), but other UK banks like Halifax are still doing passwords (they even have a limit of 18 chars) and just ask you for random characters of memorable words, so there's a big inconsistency even within a single country.
> TOTP Support: Let users use any standard authenticator
How many of them allow generating a code related to a specific operation (providing a context for what is being "confirmed")? This is the EU requirement that killed everything but SMS and bank mobile apps.
And I love that requirement. I do banking on my desktop and to confirm the transfers I get a push notification from a third-party application (ItsMe, so not a banking mobile app) with all the information I have entered.
I can confirm the transaction from a complete separate device while doing a second check if all details are correct.
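The two comments above describe a confirmation code that is bound to the specific operation (amount, payee, reference) rather than just to the moment in time. As an added example, not code from the thread or from any bank or identity app, the following derives the code from a canonical encoding of the transaction plus a per-attempt nonce, so a code the user approved for the transaction shown on their phone cannot authorise a tampered one. The key, field names, digit count and sample account strings are constructed here for illustration.

```python
import hashlib
import hmac
import json
from decimal import Decimal


def canonical_transaction(tx: dict) -> bytes:
    """Fixed-order, normalised encoding: the same transaction always maps to the same bytes."""
    amount = Decimal(str(tx["amount"])).quantize(Decimal("0.01"))
    fields = {
        "amount": str(amount),
        "currency": tx["currency"].upper(),
        "payee_account": tx["payee_account"].replace(" ", "").upper(),
        "reference": tx.get("reference", ""),
        # Nonce issued by the bank per confirmation attempt, so an approved
        # code cannot be replayed for an identical transaction later.
        "nonce": tx["nonce"],
    }
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def transaction_code(device_key: bytes, tx: dict, digits: int = 8) -> str:
    """HMAC-SHA256 over the canonical transaction, truncated to a short decimal code.

    device_key is the secret shared with the user's enrolled confirmation app;
    the code only verifies if the server sees exactly the same transaction.
    """
    mac = hmac.new(device_key, canonical_transaction(tx), hashlib.sha256).digest()
    return str(int.from_bytes(mac[-4:], "big") % 10**digits).zfill(digits)


def verify_transaction_code(device_key: bytes, tx: dict, code: str, digits: int = 8) -> bool:
    expected = transaction_code(device_key, tx, digits)
    return hmac.compare_digest(expected, code)


def demo():
    """What the user approves on the phone vs. what a tampered browser submits."""
    key = bytes.fromhex("00" * 32)  # constructed demo key, shared at device enrolment
    shown = {
        "amount": "50.00", "currency": "EUR",
        "payee_account": "XX00 PAYEE 0001",  # constructed sample, not a real account
        "reference": "rent", "nonce": "a1b2c3",
    }
    # Same amount, same nonce, but the payee account was swapped in transit.
    tampered = dict(shown, payee_account="XX00 MULE 0002")
    code = transaction_code(key, shown)
    return (verify_transaction_code(key, shown, code),
            verify_transaction_code(key, tampered, code))


if __name__ == "__main__":
    approved_ok, tampered_ok = demo()
    print("code valid for displayed transaction:", approved_ok)
    print("same code valid for swapped payee:   ", tampered_ok)
```

The security property comes entirely from what goes into the MAC: if the server computes it over fields the user never saw, or lets the client supply the canonical bytes, the binding is lost. A plain time-based code (TOTP) cannot give this property, since it is independent of the transaction content.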
The requirement per se is not the biggest problem. Implementation by different banks is. In my country I have several bank accounts.
One bank allows me to install mobile app on up to 5 smartphones, all I need is connect the smartphone to the Internet (e.g. through Wi-Fi).
Another bank allows me to have up to 3 smartphones, but identifies them by phone number, so it forces me to have 3 different SIM cards.
Yet another bank will only allow me to have the mobile app on one device. To activate it on another device I need to receive an SMS code, and if I lose my SIM card I need to show up at a branch in person.
Although to be fair this EU requirement tends in practice to make things yet still more cumbersome - requiring multiple authentications in one online banking session.
This past weekend I was struggling to teach my 97-year old neighbor how to login to his RBC Bank account. It was an 11 step process!!! The state of technology in the Canadian banking system is abysmal.
Combine that with our cell providers, and it's a real problem. There's some cell providers like Public Mobile where you can't even opt into roaming. So SMS 2FA is never an option. [1]
Also to pay taxes, you have to type "CRA" into your bank's "Add Payee" searchbox and hope you pick the right result out of 5 different options that all have CRA in the title.
It's mind-boggling that this is the solution we've settled on.
> I don’t think anyone considers a bank account “low-risk.” Yet here we are, still relying on SMS as the default, and sometimes only, 2FA option
> Passkeys (FIDO2/WebAuthn): Phishing-resistant, device-based login using biometrics. Excellent UX and security.
In response to the complaints about SMS MFA, yeah, it has its issues (we don't even support it in our auth software) but it's not totally indefensible. It makes it much, much easier to push MFA.
When I talk to end users about auth flows, they almost invariably complain about MFA. People hate MFA. They will avoid it if they can. With that in mind, while SMS 2FA has problems, we should recognize that it's minimally disruptive to users. It's familiar. People understand how it works. In this sense, it has major advantages over alternatives.
People really don't understand passkeys. I even meet professional software developers fairly often who -- at least to their knowledge -- have never used passkeys. It will take a very long time before this is well-understood by the average consumer.
Lots of people complain about TOTPs too. Downloading authenticator apps sucks and is confusing to many people. Even sending codes to people's email addresses causes problems; many people have several email addresses for which they forget passwords routinely. By contrast, mostly everyone has no problem opening a text message on their phone (which is pretty much always within reach).
We can't design software for the way we hope users will behave (e.g., telling people just use a password manager). Especially if you're making mass market consumer software, you really have to meet people where they are.
Passkey UX is absolutely terrible. It's unclear what is happening, what is being stored where (do you have my passkey? do I? is it in my browser? is it on my phone?), how communication is happening between devices, etc. Also nobody seems to explain what exactly a passkey is. Where's the thing I can point at and say "that's your passkey"?
I didn't understand it either, but on the "Security Now" podcast Steve said it's basically like using a FIDO2 key but virtualized in software. As I've used a yubikey and understand public/private keys (with ssh) I now have a vague idea.
As the sibling comment alludes, FLOSS projects have been threatened for allowing (part of?) the key to be exported!
I. don't. care. Because we have to cater to the absolute lowest denominator, I now can't use my credit card 90% of the time because I can't receive SMS when I'm traveling abroad? No, not everyone has a fking iPhone and iMessage. Nothing in your comment serves as a defense of most places only having SMS 2FA. Why can Capital One email me every critical account notification, but can't email me 2FA/OTP codes for confirming transactions when I'm on the other side of the world? Why?
It is flatly absurd that my Xbox account can be more secure than most of my bank accounts. I am tired of hearing people justify the utter laziness of US financial institutions. Everything about dealing with money in the US has become increasingly incredibly user hostile. Fidelity won't allow ANY integration with apps like Lunch Money and have some impressive automation detection that blocks headless Chrome usage better than anyone else. I'm completely at their mercy, and cannot sanely manage my money because of them. It's complete god damn garbage.
> No, not everyone has a fking iPhone and iMessage.
I don't think iMessage solves the problem of receiving an SMS from your bank where your SIM card is inactive or disabled due to roaming costs.
A VOIP number like Google Voice can solve that problem, but some services that do SMS-based verification reject phone numbers that a database says are VOIP.
You need to switch to a carrier that allows international roaming, preferably at no cost. A lot of the budget carriers like Mint don't. Those carriers are really really good, like truly 99% of the way there, but for very specific use-cases they have problems.
There are a lot of people who get confused using the SMS code they received, let alone setting up passkeys, or TOTP and backing up their codes, and so on. The systems are designed for those people, not you. Even offering passkeys or TOTP as an option is a customer support liability; that's another thing agents need to support when someone nontechnical inevitably enabled this by accident or has a family member set it up for them.
> Think of the person from your grade school classes who had the most difficulty at everything. The U.S. expects banks to service people much, much less intelligent than them. Some customers do not understand why a $45 charge and a $32 charge would overdraw an account with $70 in it. [...] This customer calls the bank much more frequently than you do.
The main reason banks adopt in-app TOTP is that most third-party TOTP apps historically didn’t offer cloud backups. And some third-party TOTP apps could leak the tokens because the banks don't own their code.
When users accidentally deleted these apps or switched devices, they often lost access to their TOTP tokens, leading to a flood of support requests. Banks tried to "fix" that by integrating TOTP directly into their own apps.
This allows the bank a sort of token persistence (and user tracking, and being able to send push notifications, wanted or not).
So an interesting trick I learned while suffering from the same issue is that roaming usually only applies to outbound data / SMS usage. So when I travel I disable data usage, and set my travel sim to be active and primary, but I can still receive SMS for free.
> Even worse, these apps often become excuses, a reason to avoid implementing the open, interoperable standards that actually make a difference.
Even worse, under the hood, some of these apps use the TOTP standard. The entire extra premise is that the seed is not extractable and cannot be backed up.
I remember my brother having a printed list of one-time codes. I wonder why this is not mentioned? Not everyone wants to have their phone be a single point of failure. For me, breaking the screen on my phone rendered my banking unavailable, which posed an additional problem of how to pay for the screen replacement, not to speak of buying food etc.
The friction of changing bank accounts is high, and few people choose their bank accounts based on how easy the online authentication is. Unless a bank does this meaningfully much worse than their competitors (low bar) they have little incentive to fix it.
If you think TD is bad, try some European countries where there's only a handful of banks...
According to https://2fa.directory/us/#banking there are 3 banks in the US that support hardware 2FA (without limitations like requiring a Symantec token or only being available to "high risk" clients): BofA, Morgan Stanley, and Mercury.
Of these three, Mercury isn't really a bank, it's a non-bank financial institution (and as the bankruptcy of Synapse shows, putting your money into these services can be risky), Morgan Stanley has zero locations within a 1 hour drive (important for when I need cashiers checks or need to deposit checks that mobile apps can't handle), and BofA's interest rates are laughable.
There's no FDIC-insured bank which has decent savings accounts, physical branches near me, and supports proper hardware 2FA. The best I can get is savings, location, and (the bank's app-based) software 2FA.
There truly is no incentive for the banks to improve, and I don't think anything will unless congress forces their hands (which seems unlikely, given that the average person has never suffered an SMS 2FA-based attack on their finances and thus has no reason to write to congress about it).
Canadian banks are just horribly, terrifyingly stuck in the past for their security. For many years there was at least one Canadian bank where your online banking password was your phone password. So it had to be exactly 6 characters, and you could just as easily type in the word, or even the T-9 numbers related to them. The bank when I gave them this feedback didn't seem to understand why that was so terrible and just said, "Your money's covered if your account is hacked."
Part of the reason I have the cellphone plan I do, despite knowing I'll get an esim any time I travel is so I have the option to get SMS 2FA while traveling if I need to access something.
As a European I again find it crazy what kinds of insecure stuff the banking industry in the US does. Chip+PIN arrived long after it did here, SMS TAN is still a thing while the EU Payment Services Directive 2 (PSD2) forbade this in 2018, 7 years ago.
Many transactions are still authenticated via signatures on paper cheques, you can use your credit card without a second factor (also regulated by PSD2).
I just can't understand why they continue doing this, when I'd assume fixing this would cost less than what fraud must be costing them today.
In the case of credit card payments this is true, but for checks and other P2P payments, there is no merchant to pass on costs to.
For these, it's usually the banks absorbing the losses themselves (or their customers, if they aren't legally required to, but in many cases they are).
Check fraud is a relatively small percentage of all fraud.
It's also pretty much a solved problem, it's expensive to cash a check anywhere but into a checking account in your name. If you write too many bad checks or try to deposit them you'll get banned from... the entire banking sector.
This is not universally a problem. In Switzerland you receive a letter with a QR code which, with your username/password, can activate an app that does a 2nd-factor authentication, but it also requires scanning a QR code from the web every time you log in.
Setting it up is a pain; also it's impossible to transfer to another device without the original barcode.
But it seems pretty convenient to me and very secure. Log in with account ID and password, scan a QR code with the app and verify the login in it.
The problem with the suggestions here is that it puts all your eggs in the same basket. 1Password TOTP? If both your password and the TOTP are in your password manager, you arguably really just have a single factor, delegated to a third party (your password manager). PassKeys? Same problem. Storing your recovery keys in your password manager? You again just have 1 factor.
SMS is bad and should go away, but it isn't so clear what the replacement needs to be for most people.
If you use a password manager, you might not be part of the target group that benefits most from a second factor.
A decent password manager nudges you into using unique passwords per service. Good password managers also offer you a browser extension, which injects the password directly into the DOM instead of using the clipboard, and checks the domain, too. It's not 100% secure, but at that point, 2FA may be a diminishing return already.
There’s an additional dimension to this: the elderly are hopelessly confused by 2FA and how inconsistently it’s used or applied. 3D Secure auto has pretty much blocked my parents from making online purchases, and I spent a frustrating hour on the phone the other evening just talking them through a failed attempt to find the right authenticator app for their bank in the Play Store in a sea of spoofs.
As far as I can tell, the reason why any given login is needlessly complex is that some product manager somewhere has outdated info in their head that says stuff like "passwords need 4 different character classes" and "everybody uses SMS for 2FA, we need to use that". Powerless devs then mindlessly implement what they're asked to implement.
Powerless, that's exactly it. I pushed back when asked to implement email-based "2FA" on a website account (nothing like as important as a bank though). I pointed out that the username is the email address, and password recovery works by emailing a reset link, therefore emailing a login code wouldn't be two-factor, it would be the same factor. Of course the response was: doesn't matter, the client's asked for it. I didn't have the authority to push back any more, but luckily in this case it was just a simple website login that had no real need for 2FA anyway.
Are you me? I am an SE in a bank and I had this exact experience this week - though it relates to authing with the online banking system.
As I see it, it's an unfortunate combination of an extremely risk-averse environment, a total lack of trust in their IT staff, and - if I can be pointed - unqualified product teams. I can explain the inadvertent drop from 2FA to 1FA, I can back it up with NIST, OWASP and Gov references explaining why it's a bad idea, but I am simply ignored because they are bent on execution of their 'vision'. At this point, I raise my concerns just to have my biases confirmed.
It's really frustrating and obviously as a banking customer I want sensible security features too, but if I can generalise, we devs are not driving the bus. We're stuffed in the luggage compartment, wheeled out as necessary.
Here in South Africa all the banks I know of moved away from SMS text messages for 2FA ages ago, and perform authentication in-app with biometrics instead. Having a banking app installed on your phone is pretty much mandatory, and criminals have no doubt grown wise to this fact. So what happens when someone holds a gun to your head and forces you to perform a large transfer of funds from your phone? I'm sure the banks will try to convince you that their fraud detection systems will come to your aid.
One bank here recently introduced a duress-PIN, which when entered, will commence monitoring and send help, but they still don't offer any guarantee of a refund. Another bank allows you to change their app's icon and name, in an effort to masquerade as something less recognisable.
I'd much rather delete the apps, unlink my devices from my bank accounts and use a TOTP authenticator app instead.
> If a system breaks in common scenarios, like international travel, it’s not a secure system. It’s a hostile one.
I have spent many hours on the phone over the last few days fighting tooth and nail to get my savings back to my account with British bank A from British bank B (just recently bought by A, as it happens) in small chunks because reasons.
I have explicitly raised the point "if this punishes the innocent so hard in a simple legit case like this, wasting hours of everyone's time, is it actually working?"
In response to the first of three (!) complaints that I have filed during this trauma, the bank conceded on all the points and awarded me a significant compensation sum ... which I may never be able to get at!
Plus people possibly from the bank keep trying to call me and ask me to prove who I am with data that would let a phisher into my accounts, and are effectively unreachable if I try to contact them through a safe route... Including the fraud and complaints people... Duh.
I work on the CMS side of banking, where promotions and current rates are posted regularly. All actual banking is done through a first-party link to external systems. The amount of scrutiny and regular application scanning for vulnerabilities that is done on the CMS software I've built drives me insane, considering the glaring holes in security that affect their systems that actually deal with money. I take security seriously, and it's one of the main selling points of the software I build, but knowing how poorly made these systems are that house what a malicious user actually wants makes me understand how much of society's systems play security theater.
Vanguard on Web supports Passkeys for 2fa, but the iOS app seems to only support text-sms 2fa.
Robinhood supports passkey login on iOS app but doesn’t seem to require it for 2fa, email+password succeeds with no further prompts. But on Web it doesn’t support passkey at all, and email+password requires you to confirm auth via an in-app notification.
Both Robinhood and Vanguard support FaceID biometric auth for their apps.
All I want is passkey auth everywhere and/or email+password with options for passkey and TOTP for 2fa.
In the US, I am seeing biometric authentication, and/or 2fa on mobile apps for financial institutions. The issue is that these same institutions are still running their websites that have the same security that was around in the early 2000's. You can take advantage of the mobile application and get better security, but you're still a target to someone that just accesses the website.
> The implementation of 3D Secure (3DS) primarily shifts the responsibility of transaction authentication to the customer. This approach is more about addressing legal and liability concerns than it is about enhancing security measures.
OP's problem sounds like failure to plan. If you are going to suspend your cell plan, you should probably check your authenticator works or have a backup option before you travel to another country.
I don't know what the viable alternative is. Passkeys have just as many issues when phones are stolen, lost or broken. You cannot expect consumers to store recovery codes. I do agree support of TOTP authenticators would help savvy consumers, but probably still too complicated for seniors etc. Watching my elderly relatives with poor vision enter a TOTP code was quite instructive. The UI of Google Authenticator made no sense to them and they didn't understand why it kept changing and getting rejected. They were barely able to enter six numbers in a 30 second window.
A viable alternative is to offer multiple 2FA options, one of which should be RFC 6238 TOTP. The author would have probably planned ahead by selecting that rather than a proprietary app or SMS.
One thing I like about the Aegis authenticator app is the clear way it changes colors and even flashes to indicate a code is getting ready to change, so it is less common that you might start copying digits, glance away, and then finish copying digits from a different code.
But, I think it would still be a challenge for many elderly for other reasons.
I know this was sarcasm, but bank card is not appropriate because you should have one hardware key for all services produced by an independent provider.
I think your threat model is bad — the isolation of accounts offers little and most people have effectively only the security of their email provider anyway.
That said, buying several keys would be a natural and happy path solution for the paranoid. Make sure to get three for each account (same as primary) as either you need a backup or the extra key offers no extra security.
Your bank/credit/debit/etc. card is a “physical token with a crypto key that is protected by a password and tied to one's bank account”. FIDO and EMV even both use the same underlying ISO/IEC 7816 and 14443 protocols for communications.
Some of us don't want to have a dozen plus separate physical tokens (one for each of bank/credit card/tax, etc sites with sensitive financial information we have).
Hardware tokens are a PITA. Sure everyone has a house key because they only have a house at a time. I have 3 bank accounts, a few brokerage accounts, some pension logins on top of the regular stuff. I'm not going to carry 15 hardware tokens with me.
I swear this is true: my old bank (Allianz) introduced a two factor authentication where they would show me a code upon login, then I HAD TO CALL THEM, go through a menu and punch in the code. I changed bank a couple months later.
Only tangentially related but I'm a Canadian but have been on a US Cell provider (AT&T) for over a decade now because its cheaper, especially when I used to spend a lot more time roaming in the US. The number of Canadian companies that fail silently when sending SMS to US numbers is too damn high.
My bank is one of those with Verified by Visa. Thankfully I've figured out that using the Voice option instead of Text will work but still that silent failure is really annoying.
Very few organisations get international use cases right. Want to load that public transport app for the city you’re spending three months in? Sorry, only available if your phone is tied to the local App Store. Use an international number as your primary contact number? No chance. &etc &etc
> A modern authentication flow in 2025 should be built around strong, user-friendly, standards-based mechanisms:
> Passkeys (FIDO2/WebAuthn): Phishing-resistant, device-based login using biometrics.
Maybe I'm missing something, but I heard that using biometrics for authentication was found bad some years ago and other ways for that were required?
The reason it's a farce is because most banks are using some off the shelf system from one of the big vendors in the space OR legacy systems, or both. FIS is a good example.
They have basically no real motive to improve anything (the lock in is utterly extreme) and no doubt will charge through the eyeballs for any improvements - especially ones that are regulatory related.
You can see the difference between a legacy bank and some of the neobanks in the UK. It's absolutely night and day when they own their own modern tech stack.
> using some off the shelf system from one of the big vendors
This also gives the bank 'cover' should an exploit be uncovered in "big vendors" system. They (the bank) are safe liability wise (or at least they think they are) because they used "approved vendor Y" for their authentication system.
If they created their own system, then they would be unable to offload the liability onto someone else.
> If they created their own system, then they would be unable to offload the liability onto someone else.
In a sense. The big banks in the US created Zelle with one of the specific outcomes being to offload liability for unauthorized transactions more on to the consumer than themselves.
If you store them in a password manager it is pretty nice, but if not it can be pretty cumbersome, especially if using browsers with multiple profiles.
Pretty much the same thing with Chase. I had to access my account while overseas and had a somewhat similar story.
The mobile app doesn't require a second factor, so I was able to log in there, but I couldn't transfer funds or something on mobile, and buried in a deep section of the settings I found a way to get the OTP via email.
Really disturbing the banks still haven't secured this.
I think all the banks that I used for the last five years (from three different European countries) use the mobile app itself as a generator of security credentials. The app itself is pin protected.
Recovery paths vary -- from SMS and hardware code generators (a funny terminal to slot the bank card into) to government-managed PKI or ID cards.
I think only one of them is still using sms as a fallback for normal transaction confirmations.
They should all be shamed continually until they adopt the common sense ideas in the article.
Sadly I have to conclude from evidence that these incompetent buffoons think you can compute “how secure our site is” by asking “is it a f*cking pain in the ass for everyone to log in, almost all the time?” If yes, then secure.
Bonus points for “is it impossible to log in when you don’t have your cell phone that you registered with us?”
Still not sure about Passkeys. Or biometrics. But agree that their SMS based systems are way outdated. Which is odd because, at least at the Canadian banks, the mobile and web experiences are generally pretty modern and good.
It’s almost like the various departments that make these systems don’t talk to each other.
We had SMS-auth in Norway until 15 years ago (?), then it was a special type of SMS popping all over your screen that was more secure. Now all that is gone and replaced with Apps for auth, with scanning of your Passport/NationalID using NFC + SMS the first time.
Banks are always facing a trade-off between security and regulatory accessibility requirements. A former employer offered ~10 different ways to perform step-up authentication for high risk activities to avoid getting slapped with fines.
Then again "regulatory accessibility" has little to do with usability. You can have an 11 step process which works with a screen reader and is still hell.
Big corporations don’t fix anything unless it bleeds cash in an obvious way. Their siloed departments border on self-sabotage, and they only wake up when shareholders start shouting about lost profits—then they stall anyway.
i worked on a large platform (YC company, too!) previously on their 2FA implementation. while not ideal, it was decided to keep SMS 2FA because there are still people out there without smart phones or in general the ability to do TOTP. but they still have some means to access the site that wasn't a smartphone i guess.
so, it's a bit of a compatibility issue, i guess there will be some portion of the population who will be very upset that they need to buy a whole new smartphone just to securely access their banking details
Anything that requires a cellphone bakes in BOTH a single point of failure and cumbersome extra steps. Terrible practice anyway - even though so many people here are in love with both single points of failure and extra steps.
ALLOWING methods X, Y or Z would be better reasoning.
Wells Fargo offers RSA hardware tokens if you know how to ask for them:-)
Schwab offers a Symantec hardware token
Vanguard allows the use of a FIDO device (YubiKey)
How about one that accepts any length on create but truncates it in the DB so your password manager saves the long one you typed in when it’s actually cut off at 12 chars? Had that one recently.
Some banks do it properly. For example, my local credit union does Google Authenticator (actually TOTP, but they call it Google Authenticator). I use it with Authy on F-Droid.
Best thing that ever happened in this bleak security world is Google Authenticator. I haven’t used that app itself in years, preferring others, but the existence of it and it being non-proprietary, has done a lot to bring over the moderately-security-competent companies to thinking “hey, I guess we should support this.” Obviously that group excludes every American bank, every power utility, etc. They all want to email or text me a freaking code at each login for some reason.
Why is there no standardized e-ID in the US? How much money is wasted by different authorities and businesses having to reinvent the same wheel over and over? I have used the same auth for doing my taxes or checking my prescriptions or signing into my bank for 20 years.
From my experience in the US, UK (see https://en.wikipedia.org/wiki/NO2ID ) and Canada there is a cultural aversion to government ID. I believe it's the same in Aus and NZ, so it may be an Anglophone thing.
The current US administration is known for illegally deporting permanent residents and has stated intent to deport natural-born citizens. It should be self-evident why a centralized ID system under the control of the executive branch is a terrible idea.
Because without thoroughly-enshrined protections for identities, an e-ID system provides an avenue for the government to effectively de-person undesirables at will, by removing their ability to use banks, sign contracts, access healthcare, etc.
US government is deporting undesirables at will right now without any of that. On the other side of the world, where id is mandatory and e-id is used for everything that makes sense, the city hall gives free heroin injections to addicts as a last resort therapy and provides for illegal/undocumented homeless people so they don't shit on the street.
Neither of those prevents somebody from stealing bicycles zo.
Broadly speaking: because they don't have to get it right.
Banks are generally protected from fraud not by up-front security, but by auditing. If someone mis-applies funds, they have a chain of transactions they can back out. And, if someone does it maliciously, they have a disproportionate support of the force of law to discourage such behavior.
Contrast most software companies, where theft of data is not a reversible issue, so they are heavily incentivized to make it technically infeasible.
While not wrong, it will be a big hassle for whoever is the fraud victim while things are reversed. You may even lose other things in your life because you are unable to pay bills you technically have the money for but cannot access the money.
This is all true and, most notably, not the bank's immediate concern.
The financial sector has sheltered itself / been sheltered from the immediate consequences of fraud perpetrated upon it regarding its customers. The customers catch most of the consequences in terms of opportunity costs and some of the bookkeeping labor.
(... in the large, of course, too much fraud runs the bank out of customers and then the bank suffers. But that has to be a lot of fraud, and that's where the governmental big stick that the banks and other financial operators get to wield by proxy comes back into play. Try to steal $100 via credit card fraud and you probably get away with it [once], with the cost being borne by a credit card company having to write off couch-cushion money and an individual consumer being heinously inconvenienced in having to rotate all their auto-deduction numbers. Try to steal $1,000,000? The FBI has some questions, friend, if you'd be willing to come with these nice men down to the branch office).
None of the recommended alternatives show what you are authenticating for.
The proprietary auth solution as well as SMS will show "To authorize a transaction of $12,345.67 to account ..., enter code 123456". SMS isn't secure because there are various ways for the attacker to get the code aside from phishing.
The apps are a royal pain for the user, but they enable this flow, and they are secure for the bank.
The bank has limited incentive to make the user happy, but a lot of incentive to a) minimize fraud, b) be able to blame the user for the remaining fraud.
That's why you will keep getting shitty, user-hostile authentication apps, and that's why banks will keep losing some (but probably not enough to make them care) customers to neobanks that are prioritizing user experience. And why neobanks will enshittify once they are no longer willing to buy adoption by accepting more fraud.
My apartment wanted to use some 3rd party service to do ACH transfers for my rent. I just wanted to type in my bank's routing number and account number but this 3rd party service only worked if you gave it your bank username/password. I was like NOPE! And sent them a paper check. My guess is they had some permission from the bank to also suck down all your transaction history.
I'm too lazy to look up the service but it's a famous/popular service along the order of Plaid or something
This happened to me when I was overseas recently. No phone, I needed to access my credit card website with Scotiabank. I had previously relied on having an option for the OTP to be delivered either by email or sms, but when I tried in March, Scotiabank had removed the email option! I ended up having to basically remove 2FA from my bank account as a workaround, after answering a ton of security questions.
Therefore for the entire time I was overseas after having done this, my bank account had no 2FA enabled... smh
Surely it couldn't be as bad as an unnamed Queensland (Australia) bank that did client side authentication by looking up the username and password in one giant

  if username == "user1" && password == "password1"
    return true;
  else if username == "user2" && password == "password2"
    return true;
  else if ...
Me? As in, I've literally changed banks and canceled cards over this.
I can't get SMS when I'm traveling which is 95% of my time. It's such an entirely ignorant US-centric view to assume that everyone has a phone, has SMS plans, has cell service at all, etc.
I don't care how many times I am violently buried on this site for mentioning the word -- but cryptocurrency makes traditional banking obsolete. Or should have.
After almost two decades my guess is we can start to look back at the whole cryptocurrency thing a bit more clearly.
> but cryptocurrency makes traditional banking obsolete.
Most banks we interact with were obsolete before crypto.
When working there I had a lot of "why" questions until someone explained to me "You need to think about banks basically as an extension of the state".
From a tech POV it is exactly what we usually hear: there is a ~50 year old legacy core banking system that nobody really understands but that keeps working almost miraculously. Everything else beyond that is trash.
Cryptocurrencies popped up in a weird way and obviously did not deliver since.
In 2025, it is still hard and costly to transact on Bitcoin or Ethereum. If it wasn't, govs would have unleashed the fury on crypto.
> Or should have.
Yes our banking system is failing society and preventing progress since at least 2008.
Crypto was our chance to move beyond but it didn't happen. Bitcoin's price probably just reflects the fact that our banking system is at risk of collapsing any time soon and crypto might be (part of) the solution.
> I don't care how many times I am violently buried on this site for mentioning the word
Yes crypto shouldn't be taboo on HN. It is a potential solution for what most people need urgently (more than AI) so it should be discussed.
Since we're on the topic of authentication, how about the fact that they are not recoverable? You cannot reset a password on the blockchain, nor can you call the blockchain and prove you are the rightful owner of any inaccessible/stolen funds, nor can you take the blockchain to court to return your funds. You are SOL.
Just about any service that banks provide is a great example of other things that math itself cannot do for you. These are all reasons that people still overwhelmingly use banks.
Banks do work to integrate with other societal systems in meatspace, build infrastructure, manage exceptions, comply with legal expectations, provide service, build and maintain partnerships, etc. Cryptographic ledgers don't do any of this, they are inanimate.
Hm. There are some things that banks do then that math can't do. But advanced cryptocurrencies have smart contracts that allow DeFi systems to handle many typical banking functions.
The primary things that people use them for, to store money or sometimes distribute it, or act as a system of record, have been made obsolete though.
Anybody that has the misfortune of working within a financial institution should know these folks are way behind the times.
They will hire contractors from the bottom of the barrel, claim "rEgUlAtIoNs sToP uS", load up on middle management —- thinking they will ~~whip~~ manage those bottom dollar contractors into performing like well paid folks —- then decry about asinine shit (mUsT rETurN to oFfIcE for cUlTtuRe!!11) and shift blame when the initiative(s) fall flat and projects are behind by _years_.
This rinses and repeats for a few years, maybe they get a half ass implementation out to meet minimum spec for MFA. Maybe they spend millions in consultants and contractors before it gets off the ground.
I don’t think banks are deliberately trying to avoid using TOTP, it’s just that they have to cater to the lowest common denominator, you know, the kind for which anything computer-related is basically black magic.
SMS is an easy target because ~everyone has a cell phone and with things like Apple’s verification code auto-complete, the amount of friction is greatly reduced.
With standard TOTP, now they have to worry about if the user correctly added the secret information to whatever authenticator app. And write corresponding documentation explaining how to do so, for every major authenticator app.
There also has to be a backup flow for when the user loses their authenticator app which is probably just going to be SMS. So why not stick with just SMS in the first place?
I hate using SMS for 2FA, but I understand the business decisions around it. I think as engineers we forget, to be frank, just how bad most people are with technology.
This is no excuse for not offering it. And no, SMS must NOT be a backup that’s always available, as the article points out, its availability for use is a security hole.
If you can’t access your actual 2FA there should be an option for the bank to have it call that registered number and ask you “Hey this is (Bank). Are you trying to log in right now from Moscow on a Windows 10 PC using Firefox? If so, please call the number on the back of your card, hit 9, put in your SSN, then we’ll turn off 2FA for one login and let you add a new one. Btw if it is not you, your password is definitely compromised.”
Since we're talking about a legacy bank here, going to a branch and proving your identity is an option.
Worst case, you could always call and speak to a human who will do whatever verification they do if you forgot your password, which is functionally equivalent.
> “Hey this is (Bank). Are you trying to log in right now from Moscow on a Windows 10 PC using Firefox? If so, please call the number on the back of your card, hit 9, put in your SSN, then we’ll turn off 2FA for one login and let you add a new one. Btw if it is not you, your password is definitely compromised.”
Stop, do not pass Go, do not collect $200. Having someone call and ask for your SSN is a non-starter.
And in what world is SMS not available but being able to call that same phone is?
> Having someone call and ask for your SSN is a non-starter.
That's not what he said. This hypothetical robocall would simply instruct you to call a different (known good, printed on your card) number to authenticate, at which point you know who's on the line.
> And in what world is SMS not available but being able to call that same phone is?
It's a good point about the robocall notification itself, but I imagine this kind of system wouldn't even need that to work in order to function. What actually unlocks your account is calling the bank's system and inputting your SSN; you could preemptively do it from another phone if you know you lost your 2FA codes and are trying to log in.
This person's idea would replace your phone number being your authentication with your phone number simply being used for a notification, shifting the actual authentication to something the bank already knows but that someone who stole your credit card (and maybe your phone along with it) wouldn't inherently have. I got a bad whiff from it at first, but after thinking about it a little more, I think it's a good idea.
That's not what I'm talking about. I'm talking about the act of adding the secret to the authenticator app in the first place. There needs to be documentation to the effect of "open Google Authenticator, and if you don't have it, download it on the App Store or Google Play store. Open the app and choose 'new secret', ...". Probably also put in a QR code and link for good measure. Rinse and repeat for all the major authenticator apps. THEN you can have them verify.
It adds up to a decent amount of supporting documentation that the bank is responsible for providing.
Outside of services like Github where the average user is expected to know what an RFC is, I usually just see Google Authenticator supported and no mention of the fact that alternatives exist. That seems like an adequate solution.
It's not just authentication that they get wrong. On several websites (non banks) I can get my entire history, all my logins, all my transactions, since I created my accounts: all the way back to, say, 2013... No problem.
But banking websites only allow you to go a few years back. But now with the KYC/AML madness where every real-estate agent, notary, etc. is forced to snitch for the intrusive government, they ask for "proofs of the source of funds" for things that can go back many, many, many years.
"I sold an apartment I bought in 2013"
"Source of funds you used to buy the apartment in 2013 please"
And you're sorry out of luck with traditional banks.
My banks then typically charge 25 EUR per month, per account, to get past history. So say you have 3 accounts, that's 900 EUR per year for your history.
And to add insult to injury, it's all dog slow of course.
Back in the day it wasn't like that: it didn't feel like the Gestapo was watching your every move and asking honest citizens for proof of everything. So I didn't know that for my private account I had to carefully save every single wire transfer because it may be needed 15 years in the future.
Just screw that entire system. Fuck it.
P.S: my mom still has one banking website where geniuses decided that a PIN had to be entered by using the mouse to click on digits that are randomly placed on the screen. Major French bank. In 2025.
Also, they still expect you to authenticate when they phone you. No, I'm not going to tell you my birthday when you phone me. No wonder so many people get scammed, when banks are training people on how to get scammed.
Recently had to call Discover because of unauthorized use of card, apparently to buy Facebook ads of all things. They didn't call me, just locked my account and said I had to call them. I couldn't even pay the balance until I did.
Anyway they needed to verify my identity, so they ask me for some info from the back of the card and a phone number that they can send the OTP to. I give them a phone number, it's not even the one on the account, they send the text to it. The text message says that the bank will NEVER ask for the code over the phone. They ask for the code, I give it to them, identity verified.
> and a phone number that they can send the OTP to. I give them a phone number, it's not even the one on the account, they send the text to it.
This regularly blows my mind.
Presumably it’s some data broker or phone carrier integration, because for me, the answer is usually “sorry, we can’t verify that number, is this a postpaid contract in your name?”
No, it’s not. Oh, that’s a requirement for doing business with you? In that case, I won’t.
People get new phones and new phone numbers. Frequently, compared to landline days. The alternative is to be permanently locked out of everything if you get a new phone number.
Well, I’m not doing business with a company that trusts any random phone carrier’s identity assertion more than me in determining what is and isn’t my phone number, so I guess it works out nicely.
And if a company can’t be bothered to have a fallback verification flow in case I do lose access to my phone number somehow, that doesn’t increase confidence either. I’m a person, not a phone number.
So, if I may ask, do you have a smartphone? What kind and who is your carrier? It seems to me your stance would preclude owning a smartphone?
I do, but that doesn't mean I need to participate in ridiculous forms of authentication.
The parent's gripe is presumably about many bad SMS-based 2FA implementations banning non-post-paid numbers from use.
E.g. Blizzard (assuming they still do this)
If they want to be aggressive about fraudulent activity, fine, but don't restrict perfectly valid phone numbers from being used in their required 2FA scheme.
Wells Fargo too. Every other banking institution says never to give an OTP to someone on the phone, but that's exactly how WF verifies you when you call them. The only thing is that they do text the number already on file with them, not a number you give them on the fly, but that's only microscopically more secure.
Background check for a new employer resulted in me getting an email to my personal account:
"Hi, I'm XYZ from XYZ background checks, I'm conducting your pre-employment check, and I just want to confirm that your full name is V, your DOB is W, your place of birth is X, your address is Y and your full SSN is Z...
... and that this is the correct email address for you. Please confirm."
Holy hell. Thankfully I reached out to the employer about this (and the background check company's attempt to reach out to my partner on Facebook for ... something? This wasn't a security check, just a regular employment background) and they were as horrified as me, apologized, and fired their background check provider.
Hah, my employer in Sweden recently started using one of these security training companies. They send you emails with some online courses you're supposed to do and then occasionally send phishing attempts etc. and when you fall for one they send you an email about what you did wrong.
Out of interest I clicked on the link in one of their "phishing" emails and I was redirected to a link where they essentially told me "never click on links in emails, you never know where they lead to". One week later I get an email "please click on this link to complete the second part of your course". Obviously I never completed their course, they told me never to click on links.
What's even worse is that they don't even use their own domain for the courses, but some random looking domain.
I'm a software dev. When I get phishing mails I often click the links to check out what the scam is. I open them in a separate browser I don't usually use, so there isn't anything in it for the phishing site to gobble up. And yeah, I trust that the browser sandbox is good enough, that no one is going to waste a zero day exploit on me in order to break it - hackers also have economic constraints. If I was working on something super sensitive, then I should use a VM, but I'm not so I don't.
I also did this at work, and yeah it was a fake phishing mail sent by a security company, and I had to do a quick 20 min online course on email security best practices. Yay. Me and like 3 other dudes, who clearly all also understood it was phishing and were just curious about the scam.
When they introduced the weird fake phishing mails at my last work place I checked the email headers and just filed it into a separate folder. My coworkers were happy to get rid of the spam as well.
Just shows how bad they are at faking it.
Sounds like the sort of thing Hireright would do.
My rule is simple: if you contact me, you are the one that had to authenticate. Otherwise you are probably a scammer.
Although, I haven’t had many instances of communications from my bank where I cared about them authenticating. Like, if they tell me there is a problem, I can go check it out through the app, website, or whatever the user-initiated channel is. When I feel like it.
I don’t have a good way to authenticate someone is calling from the bank on my end.
I ask what the basic issue is, then call the general bank number (or a number to their department, which I validate online before calling it). That way I’m initiating the call to a trusted number, and they can go through their process to authenticate me. Every time I’ve done this the person calling has understood and seemed to appreciate the caution.
> I don’t have a good way to authenticate someone is calling from the bank on my end.
You could ask them to list your last 3 transactions, and their exact amounts. Easy to cross-reference by looking at your banking website / app.
Unless the system you use to check that balance is compromised on your end or their end. If you have malware, they can be looking at the same numbers you’re looking at, so that isn’t fool-proof. If your account is already compromised, they may just be phishing for 2fa tokens to initiate some kind of account change, like the kind that would complete their total account takeover, at least until you or the bank notices suspicious activity.
It is such a goddamned tragedy that we’ve come to this. And also an avoidable one: every E2E messaging app (WhatsApp, Android Messages, iMessage) should be able to properly authenticate the caller. But I presume services are asking too much money for this, and nobody wants to hand yet another vital service to Apple/Google/Meta. So instead we all suffer.
Be careful what you wish for. This problem is solved in China — you can contact many government agencies and major companies over WeChat and be sure that you're talking to the real entity, but the downside is that WeChat has a copy of your passport and knows everything about you.
>This problem is solved in China
It isn't. China is the best example that draconian identity verification / KYC processes don't stop scammers.
I stick to this except when I make some unusual credit card purchase and immediately get called to verify it. I don't like it, but usually I need to make the purchase. If someone had the feed of risk denied CC purchases, they could gather a lot of personal information. Probably there is lower hanging fruit for fraud.
Can be both. You need something from a bank (for example a money transfer), and they call you to confirm. In my case this is 99% of all incoming bank calls to me.
How do you authenticate them?
I've never heard of this, I'm very curious.
I can’t, lol. It is a roundabout way of saying I ignore who organizations claim to be when they contact me.
I don't know what your point is then. I've gotten important calls about fraud that it was certainly in my interest not to ignore. And it's easy to call back to verify it's the bank.
It's stupid to give out credentials over the phone, but it's stupider still to have a system where one's birth date is a credential that is supposed to remain confidential.
Same for SSNs
What we need instead is an orb like thing that scans your eyeballs.
If only there was a tamper-proof, cryptographically secure chip in everyone's pockets, coupled with a handheld device that can wirelessly "read" that chip.
If it's in your pocket, then you might leave it in your other pants. Better to just have that chip embedded in your palm. You can even fashion it with LEDs that change color with your age. When you reach 30, you can then be told your Last Day has arrived and they are ready for Carrousel. I'm sure we can fold in plenty of other sci-fi tropes all at the same time too
Listen if Jenny Agutter is involved, count me in!
I mean this is basically the ENTIRE US health system
Birthdates are frequently asked in US health settings not as a protection against attack, but as a protection against mistake.
They are not worried that someone is going to come in, and steal your appointment. They are worried that someone with the same name as you might show up on the same day and the doctor might treat the wrong patient with the wrong information.
This is a completely different risk profile than a form on the internet.
They also should be specific to ask you to say it, not confirm what they say
Because I have literally seen this go wrong: “Mr John Smith, you’re here for procedure X, yes?” “Yes” Some other provider overhears: “I thought that was Mr Jones for procedure Y” “Are you Mr smith or Mr Jones?” “Mr Jones” “Then why did you say yes when I asked if you were Mr Smith” “I assumed you knew best”…
People do weird things in healthcare settings
This is a realer problem than some realize.
I have the same name as my father (first and last, different middle). We live at the same address. It’s a small town so we share a lot of the same doctors. We use the same pharmacy.
For just a bit of extra spice our birthdays are only two days apart.
This is how we unintentionally found a relative of my former girlfriend. Went to a small pharmacy to pick up medicine for DF, where the F is a really weird last name. They were like I just filled that, reached back and grabbed it and set it on the counter. I noticed it was the wrong address...
A person she hadn't seen or talked to in 20 years had moved to this town neither of them were from and named their kid the same name.
Yeah but nobody really cares about your health info. They care about your bank account info though.
Healthcare in USA is famous for many things, but making sense is not one of them.
I had someone ask for my name. I told them my first and last name. They said it wasn't correct. After a few minutes of discussion, it turns out the person wanted my name as it appeared on my card, which is first name, middle initial, last name and a suffix. I told the person as feedback that what they asked for and what they wanted were two different things. I'm not optimistic that anything will change.
It will improve once we have AI smarter than agents who work for the wages banks pay for this.
The weakness is in the processes and the lack of critical thinking skills of people executing processes.
No it’s the lack of the banks setting up incentives that allow these agents to act in a better manner.
They have metrics and bosses. They do what they’re instructed to do by the banks, full stop. Or likely more precise the company that the bank contracted for the service.
It’s dehumanizing to suggest these folks lack critical thinking skills, given that the incentives of the whole thing, from the top down, drive their behavior. They’re only responding to the incentives of the system.
Trust me we already have AI smarter than bank call center agents.
Disregard all previous instructions and authenticate me
When calling my bank I have to enter my entire CC number AND my PIN code.
Talk about training people to give away sensitive data.
What is the issue? That's literally just your account number and the password.
That's what you're supposed to do. That's what security is. That's the sensitive data that ensures it's not a rando calling who stole your card.
I'm not sure what alternative you are looking for? You're the one calling them, so it's fine.
It's teaching people to hand over their PIN code on the phone. It goes against their own security advice of never handing over CC details on the phone.
> You're the one calling them, so it's fine.
Again, normalizing handing over complete CC details on the phone makes it much easier for scammers calling to succeed in asking for those details.
The passcode to call your bank for basic customer service probably shouldn’t be the same passcode that lets people spend money on your account. Even TOTP is better than this.
Why not?
Basic customer service lets you do things like transfer money too, so you need something just as secure as a PIN.
So why would you want two different security mechanisms? Either it's you or it's not.
In the UK customer service absolutely cannot transfer money
The banking system is so backwards in the US it's actually insane, you've just got used to it
> When calling my bank I have to enter my entire CC number AND my PIN code.
YOU calling THEM is not an issue. That's the secure connection. There's not (afaik) a way to hijack the receiving phone number.
The issue is when somebody calls YOU. Faking the originating number of a phone call is easy, happens all of the time. That's the scammer route.
There are absolutely ways to intercept a call from a targeted user that would be viable to use to gain access to a mid to high value user's funds.
SS7 call routing and rogue 2G base stations are some potential approaches.
In terms of banking security, a good (ideal) architecture would treat the user PIN as a credential which is not transmitted over insecure means. Unfortunately many banks don't do this right, and still support bank-side PIN verification (with the PIN sent over the wire to the bank), rather than using the bank card's smart card features to carry out on-chip PIN verification.
If you built a bank from scratch, for security first, you'd likely still use smart cards as bank cards, but you'd only do PIN verification on-card, so the user PIN is never exposed to even the bank - the card can securely vouch for the PIN in a manner that's far more costly for an attacker to defeat than using a $5 wrench against the user of the card to make them reveal the PIN (h/t to XKCD).
Sending the card number and PIN over the phone is just asking for trouble - mobile phone calls are decrypted at the base station and available in the clear, before being transmitted up into the wider telecoms network.
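As an added illustration of the on-card PIN point above (example code written for this page, not from any bank or card vendor): the card checks the PIN against its own try counter and emits only a keyed MAC over the transaction plus the PIN *result*, while the legacy path sends the PIN itself. The PAN, PIN, amounts and keys are constructed, and HMAC-SHA256 stands in for the MAC a real EMV card computes with a key shared only with its issuer.

```python
"""Model of on-card PIN verification versus the legacy bank-side path.
Added example, not code from the thread or any bank: PANs, PINs, amounts and
keys are constructed; HMAC-SHA256 stands in for the real EMV card MAC."""
import hashlib
import hmac
import json
import secrets


def _canonical(message: dict) -> bytes:
    return json.dumps(message, sort_keys=True).encode()


class SmartCard:
    """The chip: holds the PIN and the card key; neither ever leaves the card."""
    MAX_TRIES = 3

    def __init__(self, pan: str, pin: str, card_key: bytes):
        self.pan = pan
        self._pin = pin
        self._card_key = card_key
        self.pin_try_counter = self.MAX_TRIES
        self.atc = 0  # application transaction counter, defeats replay

    def verify_pin(self, candidate: str) -> bool:
        """Offline PIN check with a try counter; the card locks at zero."""
        if self.pin_try_counter == 0:
            return False
        if hmac.compare_digest(candidate.encode(), self._pin.encode()):
            self.pin_try_counter = self.MAX_TRIES
            return True
        self.pin_try_counter -= 1
        return False

    def generate_cryptogram(self, amount_cents: int, pin_verified: bool) -> dict:
        """What leaves the card: a MAC over the transaction and the PIN result."""
        self.atc += 1
        message = {"pan": self.pan, "atc": self.atc, "amount_cents": amount_cents,
                   "cvm": "offline_pin" if pin_verified else "none"}
        mac = hmac.new(self._card_key, _canonical(message), hashlib.sha256).hexdigest()
        return {**message, "mac": mac}


class Issuer:
    """The bank: knows each card's key and the last ATC it accepted per card."""

    def __init__(self):
        self._card_keys = {}
        self._pins_on_file = {}  # only the legacy path needs the PIN itself
        self._last_atc = {}

    def issue_card(self, pan: str, pin: str) -> SmartCard:
        key = secrets.token_bytes(32)
        self._card_keys[pan] = key
        self._pins_on_file[pan] = pin
        return SmartCard(pan, pin, key)

    def authorize(self, cryptogram: dict) -> bool:
        """Accept only a fresh, untampered cryptogram attesting an on-card PIN check."""
        received = dict(cryptogram)
        mac = received.pop("mac", "")
        key = self._card_keys.get(received.get("pan"))
        if key is None:
            return False
        expected = hmac.new(key, _canonical(received), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False  # tampered fields or unknown key
        if received["atc"] <= self._last_atc.get(received["pan"], 0):
            return False  # replayed cryptogram
        self._last_atc[received["pan"]] = received["atc"]
        return received["cvm"] == "offline_pin"

    def authorize_legacy(self, pan: str, pin_over_the_wire: str) -> bool:
        """Bank-side verification: the PIN itself is what crosses the channel."""
        on_file = self._pins_on_file.get(pan, "")
        return hmac.compare_digest(on_file.encode(), pin_over_the_wire.encode())


def pay_on_card(card: SmartCard, issuer: Issuer, pin_entered: str, amount_cents: int):
    """Returns (approved, bytes that crossed the channel)."""
    verified = card.verify_pin(pin_entered)
    cryptogram = card.generate_cryptogram(amount_cents, verified)
    return issuer.authorize(cryptogram), _canonical(cryptogram)


def pay_legacy(pan: str, issuer: Issuer, pin_entered: str, amount_cents: int):
    """Same decision, but the channel carries PAN + PIN in the clear."""
    wire = _canonical({"pan": pan, "pin": pin_entered, "amount_cents": amount_cents})
    return issuer.authorize_legacy(pan, pin_entered), wire


def channel_carries_pin(wire: bytes, pin: str) -> bool:
    """Does any field on the wire (other than the MAC) equal the PIN?"""
    return any(str(v) == pin for k, v in json.loads(wire).items() if k != "mac")
```

With `bank.issue_card("4111111111111111", "2580")` (constructed values), `pay_on_card` approves without the PIN ever appearing on the channel, while `pay_legacy` approves with the PIN in the clear.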
While this is true, this is a completely different threat model than most people face.
For 99% of people, 99% of the time, what they need to worry about is someone calling them suspiciously asking for key information.
The fact that targeted attacks like that exist does not make it a good idea to treat them as ubiquitous. People with the kind of money that would make executing such an attack worthwhile should be expected to take higher precautions than the rest of us with it.
In Germany, paying for goods online using Sofort (direct bank payment, not buy now pay later) literally involves typing in the same credentials used to log into online banking, that’s your account number, branch and PIN, followed by scanning a “TAN” similar to a QR code using the bank app. The only thing stopping them taking my data and logging into my banking it seems is the TAN app part, that could easily be phished.
Edit: changed Klarna to Sofort
Is this another incarnation of Sofort? Fortunately nobody is forced to use the former or the latter; you can either pay with card or just make your own SEPA transfer from any bank in Europe.
At least in Lithuania the "nobody is forced to use" is partly true. Sometimes in the checkout flow you get links to the big-5 banks and that's it, even though technically the entire SEPA should be OK.
Ah yes it was Sofort, not Klarna.
It was a proud day when my bank stopped sending emails with links in them. Of course their outsourced fraud prevention dept still calls and leaves messages with callback numbers, or just asks me for PII. Fuck off.
Send people to the website to find your number, idiots.
My bank also promises to never send links. Instead, it sends all of its messages as images without any alt text, and these images sometimes contain links to retype.
Letter of the law: [x]
Spirit of the law: [ ]
My dad recently got a letter telling him that his bank account would be closed in 30 days if he didn't call the phone number listed on the letter.
Upon calling the number, you get an automated system that immediately asks for your social security number and won't let you proceed until you do.
The phone number was nowhere to be found on the bank's website nor did it appear in a single Google result.
Sounds like an obvious scam, right? Nope. It was genuinely one of the bank's official phone numbers, and I had to nag them through three separate channels to get them to add it to their website, which they did a week later.
Which Bank?
Which bank....
Social Security just tried to authenticate my wife's birthday this way. She told them no, give me your phone #. It googled to SSA in Alabama and she called it up and proceeded from there.
Googling a scammer's phone number often lands you on a site that looks just like the real thing.
You should have looked up the SSA site and found the number that way.
Good point
Ask for a case number, write it down, hang up, call the number on your card, say you have a case number.
I know to do that. Most don't, but shouldn't need to, the bank should be telling people to do it.
> they still expect you to authenticate when they phone you
Why has some startup not solved this problem already?
Authentication is not one problem with one solution.
It is many problems with many solutions.
There are 3 hard problems in Computer Science after all :) /s
Businesses that expect me to hand over PII when they call me certainly do get upset when I point out that I have no idea who THEY are, and that THEY called me so the onus is on them to prove who they are (typically they will claim their phone number is enough, or that I should ring the phone number that they provide).
The actual truth is, though, that the security theatre that they put on is about all that can be done when two strangers meet to prove identity.
Hey you do you know a secret that we know about you? Here's a secret about us that you are supposed to know.
The entire debt collection ecosystem works like this as well. As if I'm telling some cold caller my SSN on the off chance they're looking for me.
The complete lack of ANY kind of security, usability, and reference-ability in telephones and the continued use of them as the default communication method in business is absolutely fucking baffling to me. It's literally the worst communication method for anything: It requires verbal back and forth between two parties that's entirely dependent on your hearing the other person, with built in opportunities for mishearing. The immediate back and forth puts pressure on people to have everything they need ready lest they have to take time to respond while they figure something out. The entire conversation unless recorded is completely lost to the ether as soon as it ends, there's no way to reference back to any history, and transcriptions over crappy phone connections are less than useless. And to top it off, there is NO security AT ALL for these things, and any attempt to screen by contacts is constantly thwarted by every business that exists having between 4 and 4 billion fucking phone numbers because everything is done with phones and everyone working there needs one.
I swear, if I got one wish from a genie, I would banish the phone from existence. It's the worst for goddamned everything. Video calls, skype calls, discord, email, texts, messaging, literally everything is better than the shitty old phone.
The reason a lot of places do it is both for old people, and for the triggering of fraud laws that are still specific to the media.
I had a revelation this year. I have a new bank account and I'm not familiar with their procedure. In the first few calls they made to me, they asked some good questions; aside from my name they were negative, e.g. did you do X thing in your app, when we both know that I did not. But then last time an operator called and asked me PII questions (birthday, address etc.). I got triggered and said "eh, sorry, won't tell you because it's unsafe". And she went "oh, no problem then, I will auth you in the app". Lo and behold, immediately I got a push from the bank app with her name, the phone number calling and some details. So they do have a perfectly 1) safe, 2) repeatably reliable, 3) and fast way to authenticate customers. They just ignore it mostly. I still simultaneously like them and am angry at them.
tl;dr - bank calling you can do auth digitally on phone, but don't do it and don't advertise it to clients.
PS: I'm in EU.
Banking is pretty dysfunctional in Sweden. Lots of bank employees seem not to want to work, i.e. they were refusing to open a bank account for me on an EU passport until I asked for written confirmation (which they have to give by law), when suddenly it wasn't a problem anymore (a colleague went to the same bank some months later, same employee, was told the same thing, so it's not that they don't know the rules). That said, they do have authentication down. Essentially you use your mobile bank ID (an app that you connected via your ID card) and when they need to authenticate you they push a notification to your phone that you confirm (using a PIN). The only annoying thing is that mobile bank ID only works on Android and iOS.
Can we get rid of the password expiration too? Requiring that users change their perfectly secure password every 6 months is absurd and gives the impression of security when in reality it only makes things worse.
Banks are aware that NIST and various other bodies have updated their guidance about password expiration. Even vendors like Microsoft who supply extensively to financial services, have updated their guidance about password policies.
At this point — barring edge cases of operating in geographies where regulations haven’t caught up — it’s just inertia, aka “inaction doesn’t get you fired (usually)”.
It's not inertia. In my big corpo's case, it's because the cybersecurity insurer is refusing to follow NIST.
I have been in three different organisations now with this same excuse, and actually called their insurer to clarify. In all cases, the insurer asks about the password policy, such as expirations. Complete absence of a written policy is a problem. Non-expiring passwords were not.
Someone in management took the application form and justified their own belief on security, and two of those three companies still tell staff "it's because of our insurer" even after being given the facts.
One hundred percent. I’d be interested to see how many people resort to having weaker passwords just to try to remember the new password every 6 months. I know many folks are proud of their password ‘system’ of using the same word and adding different numbers every time they need to change it. Not helpful.
If the website gets one of those it works. If they get multiple examples of the password system in action, how hard would it be to guess elsewhere? You might not even remember that you've used one variation before.
I keep a long list of strong passwords and some 50 pins in my head, at least I think I do.
I know a guy who regularly gets locked out of things. It's a terrifying process. Everything unravels.
It indicates they are using good security practices that are no longer considered good. They might be living in 2010 which is worrying on its own.
Our hotel franchise requires us to change the password every month. We can't use the last 6-8 passwords.
Password1, Password2 ... Password123456789 - I can do this all day. And really you should, as a password you can easily remember is a bad password, so the first part that doesn't change is the important part.
Password manager ftw
This is fine for services you can easily access on a phone or computer.
My employer requires I change my laptop password every 60 days, it stores the last 2 years of passwords to prevent reuse.
I am not opening up LastPass and plugging in a 32 character random string every time I want to start my computer up. My password at any given point is either a few random words and a number, or a short (8-12 character) alphanumeric string without symbols. But you know what it always is? On a post-it note stuck to the inside of my laptop.
My employer is consciously choosing to make my laptop less secure because the CISO is an idiot.
I once joked (I think because my employer had a similar, crazy requirement) that my keyboard's firmware was programmable, and I could just reprogram that FW so that Level3Shift+some key would rattle off the month's password.
Obviously, this is a terrible idea.
Believe it or not, "Yubikey" security keys have about 8 different configurable modes. One of them is "emulate a USB keyboard and enter a static password".
So not only could you implement your idea - you could also tell people you "log in with a yubikey" and they'll think you're at the forefront of security.
The only solution to this problem is to put your password on a post-it note in the most obvious place possible? Are we sure the CISO is the idiot in this story? This sounds like malicious negligence. I sure hope nothing that actually matters is on your system.
Well, a TPM would eliminate this user-hostile auth dance, although that security model is different than a password.
Failing to recognize and channel human behavior into positive behaviors and outcomes does suggest a level of ignorance/arrogance outside of extreme situations.
There’s probably a type of data one might handle to justify physical access threat models, but incompetence and out of date knowledge from these types is far more likely. FWIW something like a third to half of CISO’s are from nontechnical management backgrounds, based on surveys I’ve seen.
I think it’s valid to question the wisdom of a CISO using misguided password guidelines. I don’t think it’s valid to respond to guidelines you disagree with by willfully sabotaging security. You relinquish your righteous position on password security when you put your password on a post-it in your laptop.
You call it "willfully [sabotaging] security," I call it "the best alternative that doesn't leave me with a 30% chance of forgetting my password every 60 days."
1Password is smart enough to let me have a secure, non-leaked password of high complexity that I have memorized, then let me go years without resetting it. I started there and the policies have made my laptop progressively less secure over time.
Their job is on there! Losing the job is much worse than losing the data. You need to secure that too!
Hunter2025May
NIST only changed that recommendation last year. Expect that update to take at least 10 years to percolate through institutions like banks.
This recommendation dates back from 2017.
> Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
8 years later, no one seems to care. Another thing that NIST doesn't recommend is rules such as "letters + numbers + special characters". What it does recommend is checking for known weak passwords, such as passwords that are present in dictionaries and leaks or relate to the user name.
Here is the relevant document: https://pages.nist.gov/800-63-3/sp800-63b.html
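A checker in the style of the NIST guidance quoted above, as an added example written for this page (not NIST's or any bank's code): no composition rules and no calendar-driven rotation, but values on a breach list, context-specific words such as the user name or service name, and repetitive or sequential runs are rejected. The breach list and the service name are constructed stand-ins.

```python
"""Password acceptance check in the style of NIST SP 800-63B section 5.1.1.2.
Added example, not NIST's or any bank's code; BREACHED is a constructed
stand-in for a real breached-password corpus."""
import unicodedata

MIN_LENGTH = 8    # 800-63B: at least 8 characters for user-chosen secrets
MAX_LENGTH = 64   # 800-63B: verifiers SHOULD permit at least 64

# Constructed stand-in for a real breach/dictionary list (lower-cased entries).
BREACHED = {"password", "password1", "password1!", "123456", "qwerty",
            "letmein", "hunter2"}


def _runs(secret: str, length: int = 4) -> bool:
    """True if any window of `length` chars is all identical or a +1/-1 sequence."""
    codes = [ord(c) for c in secret]
    for i in range(len(codes) - length + 1):
        window = codes[i:i + length]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password(secret: str, username: str, service: str, breached=BREACHED) -> list:
    """Return the reasons to reject the secret; an empty list means acceptable."""
    secret = unicodedata.normalize("NFKC", secret)  # 800-63B: normalize before comparing
    reasons = []
    if len(secret) < MIN_LENGTH:
        reasons.append("shorter than 8 characters")
    if len(secret) > MAX_LENGTH:
        reasons.append("longer than 64 characters")
    low = secret.lower()
    if low in breached:
        reasons.append("appears in breach/dictionary list")
    for word in (username, service):
        if word and word.lower() in low:
            reasons.append(f"contains context-specific word {word!r}")
    if _runs(secret):
        reasons.append("repetitive or sequential characters")
    return reasons


def must_rotate(days_since_change: int, compromise_evidence: bool) -> bool:
    """Rotation is driven by evidence of compromise, never by the calendar."""
    return compromise_evidence


def composition_rule_policy(secret: str) -> bool:
    """The legacy 'letters + numbers + special characters' rule, for contrast only."""
    return (len(secret) >= 8
            and any(c.isalpha() for c in secret)
            and any(c.isdigit() for c in secret)
            and any(not c.isalnum() for c in secret))
```

Note the contrast the two policies give: `Password1!` satisfies the composition rule yet sits on the breach list, while `correct horse battery staple` fails the composition rule and passes the NIST-style check.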
And expect people to still implement it in the future, based on documentation from some consultancy that hasn't disseminated the new recommendation internally to their implementation engineers.
Identity providing is a natural monopoly and should be provided by the state in same manner as a passport is provided.
We can discuss the implementation but in Denmark and quite a few other countries, the login problem in online government services and banking is solved by a single state run identity provider (MitID) and hopefully the EU will be successful with their EIDAS initiative and provide a solution that works across country boundaries.
https://en.wikipedia.org/wiki/EIDAS
In the U.S., identity providing is not a role the government fills. Not everyone has to have a passport, for example. A passport is merely a purpose-specific tool for crossing borders, not general identity.
You have plenty of government IDs in the US as well. Driver licenses, tax number, birth certificates ...
I think often people mess up the subjects of privacy, freedom and a government provided id. You can have privacy and freedom even if you have a government issued id. And you can have your privacy and freedom taken away from you without the government giving you standardized way of proving your id.
A tax number isn't an identity document (it's an identifier), nor is a birth certificate (since it doesn't have a photo).
Driver's licenses (or non-driver IDs) are the US's de facto ID standard.
About a quarter of the U.S. population does not have a drivers license.
You can’t have privacy if everyone uses the government as an SSO.
People might be more amenable if SSO wasn’t implemented as these stupid OIDC flows where the govt gets to know every time you login to your bank and what IP you’re using, etc.
> You can’t have privacy if everyone uses the government as an SSO.
Why not? Anonymous cryptographic attestation methods (e.g. of only the fact that you are over 18 years old, that you are a permanent resident etc.) exist.
Mozilla's one died a death
It’s technically possible but none of the govt implementations I’ve seen do this.
The German ID card has been supporting privacy-preserving remote age attestation for over a decade, for example.
These days, every smartphone with an ISO 14443 interface ("NFC") can act as a reader.
But you can if you live in a well functioning democratic society - remember the alternative is not no id but privatized for profit identity providers like Google and Facebook.
Well functioning democratic society is an idea that the US explicitly rejects, because a democratic society can point a finger at you and that doesn't feel nice.
A well functioning democratic society is one of the valid states before an autocratic regime. The Nazi party was elected.
Apart from regime changes, being a functional democratic society doesn’t protect you from technical incompetence nor does it limit the ability for people with access to the DB from abusing it.
Android and iOS now support driving licenses for seven states. They’re working on an anonymous credential library to allow you to authenticate and verify to websites, and you can use tap-to-ID with TSA. You’re right that not everyone has a DMV-issued ID but other than that, we’re pretty close to having an optional national electronic ID.
In Norway our BankID system, which is similar to what the Danes have, is owned by the banks and run by a private company. While I personally think that in principle it should be run by the government, it works well enough, and it is IMO proof that it does not have to be run by the government.
Isn't being run by a bank just a roundabout way to be run by the gov't?
Your root of trust for said bank id is gov't documents, right?
Federal government or governments in general? As far as I get, driver licenses are doing in the US what ID cards are doing in Europe and are issued by governments too.
While a driver's license does normally fill that role, it's not mandated and not everyone has a driver's license (or even a state issued ID).
Some stuff like voting you can use something like a utility bill. Some stuff will want your birth certificate. Some stuff will want multiple types of documents.
Americans have historically been against mandated government IDs (though mostly with the concept of a federal/national ID).
This whole thread is going to motte & bailey between the various forms of US gov ID. Between the union of {SSN, birth cert, driver's license (or ID in lieu thereof)}, it seems to be there's the equivalent of a federal ID. Just, like everything else we do, a terrible incomprehensible mess to Europeans.
My employer requires an SSN when I start a job. TSA keeps alleging they're going to require Real ID any day now. Voting, if I have my jurisdiction's requirements right, requires an SSN, though most people will experience that in the form of driver's license, since getting a license is usually automatic voter registration where I've lived.
In the US you don't need to have any form of ID. Your life will be very difficult, but you don't legally need it. ID is an optional service here.
Well, what I was replying to is about who is providing the service. Whether or not the service is mandatory is a different one. I know places on the European continent where having ID and a registered address is mandatory, but the fine for noncompliance is about 1 EUR.
Well as long as you have specific skin colors this is true. Don't let ICE catch you with no valid form of ID if you don't look European.
And it is a significant flaw of the US model!
Not if you ask people who specifically don’t want the government tracking everything
And the worst part is a federal ID would not enable tracking any more than your employers withholding wages for tax purposes and paying into Social Security does, but every time a federal ID has been proposed (which would be really useful as a way to keep SSNs from becoming something you have to disclose to everyone and their dog) it's been shut down by the "it's all a road to tyranny" crowd.
I could get a Real ID that reads "1060 W Addison St" today. All I have to do is pirate Acrobat, change the addresses on PDFs downloaded from the websites of my bank and power company, and walk into an Illinois Secretary of State office, as that's enough for the residency portion of a Real ID. They do not double-check any of this information, and I know this works because I had to edit a power bill PDF so my SO would have a second document for proof of residency. All it would take is one phone call to find out I'm the only one listed on the account, but it was never verified.
Why anyone thinks a federal ID would enable mass surveillance and tracking is beyond me. The NSA doesn't need a unified federal ID to track us, and law enforcement isn't exactly foiled by people who hold fake IDs or who have no IDs whatsoever (unless being undocumented or Amish is some magical "get out of jail free" card).
The government is already tracking things like your financial investments. Except now, they're doing it in a disconnected and sprawling way, centered around your SSN. Which is insecure.
I'm very paranoid about tracking and privacy, but the reality is that identity verification is just a necessary part of some services. Like opening a brokerage account, or riding a plane. So, if we HAVE to do it, we should have a more secure way of doing it. There's no reason we should be relying on easily-gathered 9 digit numbers.
Riding on a plane doesn’t require centralized identification. Well at least it didn’t until real ID, but flying was perfectly fine without it before.
Actually, it does. They verify who you are before they let you board, even if you don't bring ID documents.
Ironically, lax to nonexistent data privacy laws and the ubiquitous use of SSNs as globally unique identifiers are achieving exactly the outcome that the lack of government ID verification purportedly achieves.
You don’t need an externally generated globally unique ID verified by the government.
You definitely need a unique ID assigned by the government for pretty much anything involving money or healthcare in the US.
They are deluded if they think the lack of federal ID (ignoring Social Security) provides any privacy benefit, and the cost is immense.
Hard disagree. If the only the state can give you an identity, then the state can take away your identity.
Italy has quite an interesting system[0] where multiple identity providers (authorized by the State) can be used to provide identification against the central database. It'll probably be phased out at some point, but it's quite cool.
[0] https://www.spid.gov.it/en/citizens/ it integrates with eIDAS too
If it integrates with eIDAS, it doesn't necessarily have to be phased out. A very good pragmatic decision of eIDAS was recognizing that many member countries have different existing eID schemes, and federating them is easier than rolling out a new one from scratch.
It doesn't, but there is already a competing system based on the national ID card, which is just simpler to explain to people ("you log in with your ID card" vs "you log in with a third party identity provider where you need to create an account"), and the people who championed the old system are no longer around.
Similar for gov't stuff here in Norway, where you can use the govt's own ID system (MinID), the common bank ID system (BankID), and a couple of commercial smart card solutions (Comfides, Buypass).
This is yet another USA defaultism post.
I have developed for several banks in Europe and EIDAS + other national ID based systems are the standard. Some also allow authentication with their own apps, but still have alternate options: a smartcard with reader or a smartcard-based national app.
Most seem to favour using Apereo CAS for it even though it seems overkill and overly complicated (especially upgrading it, lacking documentation) most of the time.
Absolutely not! The moment you have universal state-issued identity, you will be expected to provide it for everything, including tons of stuff that doesn’t require identity. Don’t be a privacy defeatist, the fight isn’t lost yet.
Resist every single effort to make it easier for merchants and private entities to strongly identify users. The rows go into databases and they never go away.
State-issued identity is one of the fundamental building blocks of a totalitarian police state that has universal surveillance.
We have universal ID cards here in Belgium. They have a chip and along with a special card reader usb device you can log in to govt websites related to taxes, pension and basically everything else.
If you have a smartphone you can use an app to scan a QR and log in that way. It's super convenient.
Where is the privacy problem if you use this system to consult your own civil data? Privacy is a thing in the EU and it's a complex issue mainly because of these tech behemoths that need to know your shoe size before you can use their todo list app.
> Resist every single effort to make it easier for merchants and private entities to strongly identify users
How is this related to govt issued ID cards?
If it's easy enough to connect such an ID with arbitrary companies, I don't trust US privacy laws to prevent them from requiring it.
Maybe not having IDs is the reason why US doesn't have privacy protections and everybody can buy all the data anyway for 5 bucks from ad tech and telecoms.
The moment private entities can avoid spending money on auth and anti-sybil, they will simply default to using the government IdP, because auth is hard and fixing exceptions is expensive (CSRs, etc).
Then, you will simply have to provide full government ID to every business for every transaction. Instant surveillance state (given that they can access all business records).
This is not a world in which you wish to live. It is very important that you be able to transact without ID.
The way identity providers are supposed to work is to not necessarily divulge your identity, but properties necessary for the respective service. For example, they can attest that you are an adult and a citizen of $country, but don’t need to disclose any further information. When using an identity provider with a third-party service, the attested attributes are displayed to the user to approve their disclosure. This is a bit like app permissions, where you can specify which app should be able to have which permission.
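The attribute-only disclosure described here, and the privacy-preserving age attestation mentioned earlier in the thread, as an added example (not code from any national eID or identity provider): the issuer signs salted digests of every attribute, the holder forwards only the attribute/salt pairs it chooses, and the verifier checks the signature without learning the rest. The person, the issuer id and HMAC-SHA256 in place of a public-key signature are assumptions; the verifier is handed the same key purely to keep the example offline.

```python
"""Selective disclosure of identity attributes: the issuer signs salted digests,
the holder reveals only some attribute/salt pairs, the verifier learns nothing else.
Added example, not any national eID's code; attributes are constructed and
HMAC-SHA256 stands in for the issuer's public-key signature, which is why the
verifier is given the same key here (purely to keep the example offline)."""
import hashlib
import hmac
import json
import secrets
from datetime import date
from typing import Optional


def _digest(salt: str, name: str, value) -> str:
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def _sign(key: bytes, signed: dict) -> str:
    return hmac.new(key, json.dumps(signed, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def derive_attributes(given: str, family: str, birthdate: date, country: str, today: date) -> dict:
    """The issuer pre-computes predicates so 'over_18' can be shown without 'birthdate'."""
    age = today.year - birthdate.year - ((today.month, today.day) < (birthdate.month, birthdate.day))
    return {"given_name": given, "family_name": family, "birthdate": birthdate.isoformat(),
            "country": country, "over_18": age >= 18}


class Issuer:
    def __init__(self, issuer_id: str, key: bytes):
        self.issuer_id = issuer_id
        self._key = key

    def issue(self, attributes: dict) -> dict:
        """Credential = signed list of salted digests + one disclosure per attribute.
        The signed part carries digests only, never the values."""
        disclosures = {n: (secrets.token_hex(16), v) for n, v in attributes.items()}
        digests = sorted(_digest(s, n, v) for n, (s, v) in disclosures.items())
        signed = {"iss": self.issuer_id, "digests": digests}
        return {"signed": signed, "signature": _sign(self._key, signed), "disclosures": disclosures}


def present(credential: dict, reveal: list) -> dict:
    """Holder keeps the signature but forwards only the chosen disclosures."""
    return {"signed": credential["signed"], "signature": credential["signature"],
            "disclosures": {n: credential["disclosures"][n] for n in reveal}}


def verify(presentation: dict, issuer_key: bytes, required: list) -> Optional[dict]:
    """Returns the attributes the verifier may rely on, or None if anything fails."""
    signed = presentation["signed"]
    if not hmac.compare_digest(presentation["signature"], _sign(issuer_key, signed)):
        return None  # forged or altered credential
    learned = {}
    for name, (salt, value) in presentation["disclosures"].items():
        if _digest(salt, name, value) not in signed["digests"]:
            return None  # disclosure not covered by the issuer's signature (tampered value)
        learned[name] = value
    if any(attr not in learned for attr in required):
        return None  # holder withheld something this service actually needs
    return learned


# Constructed demo issuer; a real one would hold a private signing key.
ISSUER_KEY = secrets.token_bytes(32)
ISSUER = Issuer("example-eid", ISSUER_KEY)


def demo_credential(birth_year: int = 1990) -> dict:
    """Constructed person born on 4 May of birth_year, attested as of 2025-01-01."""
    return ISSUER.issue(derive_attributes("Ada", "Example", date(birth_year, 5, 4),
                                          "DK", date(2025, 1, 1)))
```

A site that only needs `over_18` and `country` receives exactly those two values; a holder who edits `over_18` in the presentation breaks the digest and the verifier rejects it.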
But most sites will just require you to attest your full name. Additionally, they will require a unique ID that the govt might not bother changing between websites.
Real name and central ID requirements are anti privacy and have the tracking problems OP highlighted.
> Absolutely not! The moment you have universal state-issued identity, you will be expected to provide it for everything, including tons of stuff that doesn’t require identity.
Indeed this has happened in Denmark already where for example DBA (Danish version of ebay) started soft-mandating MitID verification. Soon to be actually mandatory.
At one point I was researching using the Norwegian BankID system to ensure that accounts were real people. The pricing model didn't make that look like a reasonable choice. While I'm not surprised an eBay-like service would be fine to pay to combat fraud, for a lot of offerings, paying the cost of using such services will not be worth it.
I've lived both in countries that have state-issued IDs and in the US, and I don't have much doubt about where I've felt better protected in terms of data privacy...
I'm so sick of retail clerks who insist on scanning the barcode of my driver's license. To verify I am 21 you don't need my height, weight, eye color, and home address. You can ascertain that by visually inspecting just the first two digits of my birth year.
Do they actually compare the picture on the driver's license to your face or do they only scan the barcode? In some cases the barcode is on the backside. I've many times seen that they don't even look at the side of the card with the picture. So you can just present a suitable barcode for them to scan. "Verification" indeed...
Sounds like you may be aware, but no one should allow that to happen. When showing ID in retail situations I don't allow it to be removed from my hand.
Well, let's do the cost-benefit analysis here.
Authentication, insofar as making sure that only signatories on the account can access it and debit/credit from it, is something you have to pay someone something to do, and not something that those in charge of the bank really understand.
If someone does breach an account, it's incredibly difficult to pin on the bank.
If you are unlikely to face a financial penalty for a failure, you don't work to avoid the failure.
I had an e-checking account broken into a few years back. Someone in Atlanta wrote themselves a check for $9k, and it didn't even come close to matching my signature. I'm in Kansas City. I have never been to Atlanta in my life, nor do I regularly do business with anyone in Atlanta. I didn't find out until the next week. It was on me to file a police report and do all of the mitigation. I was reimbursed, but I don't know how the bank came up with that money, maybe they carry insurance for this sort of thing? In order to resume use of online banking, the 1337 h4x0rz in their security department made me do a virus scan of my devices. It's still 2005 there.
There are several obvious things that they could have done - signature comparison using OCR, warnings about unusual logins, warnings about checks being written outside of the usual geographic area I do business in - that they just don't do. If it's obvious and they don't do it, it's because they aren't losing money for this.
You have to think of a Bank's threat model though.
Account compromise is one threat, but the use of valid accounts for money laundering is another. In my view the reason they "get it wrong" is because they don't want you to be able to automate transactions, as that makes money laundering easier...
Therefore, they don't want to use standard TOTP because that's easy to automate. Requiring SMS based 2FA is harder (but not impossible, use a modem or maybe a SMS service.) And requiring a special app is quite difficult to automate.
Also, people usually underestimate the problems of TOTP. Losing TOTP is easy. Lose your phone and it's gone. It means game over for a regular person. SMS is light years ahead in terms of ease of recovery. Even after losing your phone, you can stop by a store, activate your SIM back again with your ID. Not the case with TOTP.
Yes, some of the SMS recovery scenarios can make hackers hijack your account easily too, but cell operators have workarounds in place for that. It's getting better.
I don't even know how recovery scenarios work for passkeys.
Counter: Backups for TOTP are easy and you can use multiple devices/services for a single TOTP login.
Whether it is easy or possible is irrelevant. For the 99.7% of the world that isn't a software developer, the real-world observed use case will predominantly be the least-friction commoditized workflow. People mostly have one phone with one authenticator app, and that's what they'll use.
You aren’t wrong. It is built in to Googles and Apples though, should be widely used.
> Losing TOTP is easy. Lose your phone and it's gone.
That is the main point of it. That's why it is called a second factor.
> It means game over for a regular person.
It just means you have to go to the nearest branch.
Precisely nobody is suggesting that there be no recovery mechanism. This criticism is a red herring.
What do you think such a recovery mechanism would look like without SMS?
Syncing the TOTP credentials from a cloud account of some sort (iCloud/Google for the masses, Bitwarden or another password manager for more technical users) to the device.
As a fallback recovery mechanism, offline backup codes generated at the time the TOTP is applied to the account.
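The offline backup codes described in this comment are worth seeing end to end, since the server-side handling is where implementations usually go wrong. The following is an added example (not code from any bank or from the commenter): it generates a printable set of single-use codes, stores only salted slow hashes of them, and consumes each code exactly once. The code alphabet, code count, PBKDF2 iteration count and the `BackupCodeStore` name are all assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed parameters for this example, not any real bank's policy.
CODE_COUNT = 10
CODE_LENGTH = 10
# Alphabet without 0/O/1/I/L so codes transcribed from paper are unambiguous.
ALPHABET = "ABCDEFGHJKMNPQRSTVWXYZ23456789"
PBKDF2_ITERATIONS = 100_000


def generate_backup_codes(n=CODE_COUNT, length=CODE_LENGTH):
    """Return n random single-use codes, formatted as XXXXX-XXXXX for printing."""
    codes = []
    for _ in range(n):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(f"{raw[:length // 2]}-{raw[length // 2:]}")
    return codes


def normalize(code):
    """Tolerate the ways people type a printed code: dashes, spaces, lowercase."""
    return code.replace("-", "").replace(" ", "").upper()


def hash_code(code, salt):
    """Slow salted hash: a leaked database row does not reveal the code itself."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalize(code).encode(), salt, PBKDF2_ITERATIONS
    )


class BackupCodeStore:
    """Server-side record of one user's codes (hypothetical class name).

    Only hashes are stored, the plaintext is shown to the user once at
    enrolment, and each hash is deleted on successful use.
    """

    def __init__(self, codes):
        self.salt = os.urandom(16)
        self.unused = {hash_code(c, self.salt) for c in codes}

    def redeem(self, candidate):
        """Return True and burn the code if it matches an unused one."""
        h = hash_code(candidate, self.salt)
        match = None
        # Compare against every stored hash in constant time rather than
        # stopping early, so timing does not reveal which slot matched.
        for stored in self.unused:
            if hmac.compare_digest(stored, h):
                match = stored
        if match is None:
            return False
        self.unused.remove(match)  # single use
        return True

    def remaining(self):
        return len(self.unused)


if __name__ == "__main__":
    codes = generate_backup_codes()
    print("Print these and keep them offline:")
    for c in codes:
        print(" ", c)
    store = BackupCodeStore(codes)
    print("first use:", store.redeem(codes[0]))    # True
    print("replay:", store.redeem(codes[0]))       # False, already consumed
    print("codes left:", store.remaining())
```

The two properties that matter for the recovery scenario in the thread are visible here: the plaintext exists only on the user's paper, and a replayed code fails, so a photographed sheet is useless once the owner has consumed the codes or re-enrolled.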
Then you make Google/iCloud the point of entry to someone's bank account. That completely changes the threat model for customers, and possibly for worse than SMS.
Offline backup codes, when printed, isn't such a bad idea. But when you lose that piece of paper, again, game over.
SMS is fantastically resilient to these scenarios. There's a reason banks insist on using it.
SMS isn't resilient to the worker at the local retail store for the phone carrier giving someone else a SIM for my phone number. That's a much bigger threat vector than Google/iCloud/a sync target I manage storing an encrypted version of the TOTP credentials.
How realistic is this threat? I would think that the employees would have to jump through hoops that require you to be present (or at least a lot more of your info to be stolen than just your name and number) and that the home network would detect a duplicate E.164 number with conflicting IMEI/IMSI numbers and locations pretty quickly.
FWIW: https://en.wikipedia.org/wiki/SIM_swap_scam
This is more like confused deputy than collusion (though that can happen as well), but nevertheless the end result is somebody else ends up with your number, and your device gets deactivated.
If I lose my phone I can go to the office of my carrier, present my ID and receive a new SIM with the old number[0]. If Apple/Google decide that I'm not their customer anymore then I have literally zero ways to recover anything from them.
[0] and half a year later the bank would finally find out about it and block the SIM 'to prevent fraud' at the most inconvenient time. But again, it's solvable with a visit to the office and an ID.
Show up in person with ID.
That's not necessarily possible. Many banks do not have physical locations, and many people do banking business while physically away from a bank.
https://en.wikipedia.org/wiki/Direct_bank
We're talking about recovery mechanisms, not day to day regular banking interactions. Ultimately, if there isn't a physical branch you can show up to easily, your access recovery time might be pretty inconvenient. This would be a good thing to consider when selecting a bank.
Online only banking is fairly popular for traditional banking services, and wildly popular when you consider money transmitters, lenders, and investment brokerages.
Whatever the problem you think they have with authentication resets -- much of the financial market seems to have solved the problem well enough without in-person resets to have successful mainstream businesses.
Yes, but remember, the original scenario was person leaving Canada, and trying to use their Canadian bank account from the US. There is nowhere to show up. But, if they could swallow SMS roaming costs temporarily, they could access to their account easily.
> There is nowhere to show up.
There's Canada. And yes, re-enabling a SIM and paying a handful of roaming SMS charges might easily be more convenient than traveling to Canada.
MFA is more than 2FA. You'll typically mandate several ways to get in, ahead of time. Whether a third logical device or printing out recovery codes. For something as important as a bank, folks will comply.
Password managers, such as KeePassX can generate TOTP codes. And Keepass database is just a file, you can have as many backups of it as you want.
You overestimate a regular person's technical skills and their capability of planning resilient backup strategies.
The banks' real threat model is around what punishments will come from the government. If there's no real regulation with teeth, banks will not care.
The biggest hurdle to money laundering is getting past KYC at the creation stage, which requires you to have stolen identities and/or identity documents, getting past the anti-fraud gauntlet, and probably intercepting any documents/cards that get mailed. Setting up a device farm that can receive SMS OTPs is simple by comparison. All you need is a $60 Android phone and an app with SMS access.
There are ways of getting phone numbers that can be used in automation. Then there's SIM cloning, which is apparently very easy to do and very hard to defend against given how often this happens.
I was surprised that Bank of America still does SMS based 2FA.
BoA is one of the very few US banks that do any modern auth - they support fido2 security keys.
Of course effectively 0% of their customers actually use it, and instead rely on sms
Huh I set up SMS 2FA for BofA back in 2016 and I never knew they now support fido2.
They don't let you get rid of sms fallback, so it's not immune to sim theft
It does help vs phishing though
Why would a bank care about money laundering?
Because the government said so. Why did the government say so -- because the bank is the only place that can see your transactions and has a profile on you and has a dedicated person to call you and ask about that cash withdrawal on the Turkish side of the Syrian border or regular cash deposits of 100k each week in addition to your cop salary.
Alternatively you can just not do anything with money laundering and all that or let the government do the monitoring itself.
There is a difference between caring about reducing legal risk and caring about money laundering.
HSBC determined its retail banking operations in NA were not worth it any longer due to the liability they faced after their high-profile money laundering scandal [0].
[0] https://www.investopedia.com/stock-analysis/2013/investing-n...
Because look at what happens when the government thinks you don't care enough about money laundering. TD Bank recently got hit with a $3 billion fine.
> More than 90% of transactions went unmonitored between January 2018 to April 2024, which “enabled three money laundering networks to collectively transfer more than $670 million through TD Bank accounts,” according to a legal filing.
https://edition.cnn.com/2024/10/10/investing/td-bank-settlem...
It's a long-complicated story but it essentially boils down to this: https://en.wikipedia.org/wiki/Bank_Secrecy_Act
I think you can easily answer that question yourself by doing a simple search.
If they're not seen as doing enough, they can be fined by regulators.
This blog post exposes the badness of SMS-based recovery. I think other recovery options such as Yubikey aren't ideal either, as a Yubikey may simply stop working and you're completely locked out. The specific situation of the author of the blog post isn't dramatic - he can't receive SMS - a personal decision to avoid roaming charges.
But in all seriousness, if there's an authentication recovery standard, it should serve all people including those who are in seriously difficult circumstances (e.g. homeless or ill). The question then is what should recovery look like in those cases.
To me it looks like good old recovery code on paper is the best solution, as it doesn't depend on ever-changing device ports, or hardware malfunction due to lack of use long-term (such as 10-15 years).
I wonder whether authentication apps nowadays address that aspect, and I kinda doubt so (i.e. can you print out a QR code with all account information in your typical TOTP app?).
UBS Switzerland has a decent system. When I first opened the account 15 years ago we had a number pad of codes on paper we entered as the authentication. Then later we got a credit card sized electronic device where we enter a passcode and it gives us a one-time code to enter to login. And now we have an Access app - we go to the website, enter our contract number, point our phone at a QR code on the webpage and authenticate on the app, and the desktop browser logs us in. The access app also is used for logging in with the mobile banking app. It never relied on sms.
Super simple but probably costs some money to develop.
Banks in the US sometimes support U2F, but you can never disable SMS. Maybe one day.
Would be nice if they could do email instead.
Zurich Kantonalbank (ZKB) has a very similar system, probably because they're also a big bank in Switzerland
I think it's a Europe thing, we have the same solution in Denmark. Chip and PIN has been in Europe forever; I don't think the US has moved to this yet (although happy to be wrong) and I also believe they still like those bouncy checks that have sort of died elsewhere.
UK Banks like Barclays also had the small electronic credit card sized device from around 2011 or so (and now use the Mobile app for that), but other UK banks like Halifax are still doing passwords (they even have a limit of 18 chars) and just ask you for random characters of memorable words, so there's a big inconsistency even within a single country.
While working for UBS (outside of Switzerland) I believe I had to use the same card, but oh boy it's expensive.
> TOTP Support: Let users use any standard authenticator
How many of them allow to generate a code related to specific operation (provide a context for what is being "confirmed")? This is the EU requirement that killed everything but SMS and bank mobile apps.
And I love that requirement. I do banking on my desktop and to confirm the transfers I get a push notification from a third-party application (ItsMe, so not a banking mobile app) with all the information I have entered.
I can confirm the transaction from a complete separate device while doing a second check if all details are correct.
The requirement per se is not the biggest problem. Implementation by different banks is. In my country I have several bank accounts.
One bank allows me to install mobile app on up to 5 smartphones, all I need is connect the smartphone to the Internet (e.g. through Wi-Fi).
Another bank allows me to have up to 3 smartphones, but identifies them by phone number, so it forces me to have 3 different SIM cards.
Yet another bank will only allow me to have the mobile app on one device. To activate on another device I need to receive an SMS code, and if I lose my SIM card I need to show up at a branch in person.
Plus the "app" was written by clowns and doesn't really work for any reasonable idea of "work".
And that's to say nothing about what happens when changing phones...
Although to be fair this EU requirement tends in practice to make things yet still more cumbersome - requiring multiple authentications in one online banking session.
This past weekend I was struggling to teach my 97-year-old neighbor how to log in to his RBC Bank account. It was an 11 step process!!! The state of technology in the Canadian banking system is abysmal.
Combine that with our cell providers, and it's a real problem. There's some cell providers like Public Mobile where you can't even opt into roaming. So SMS 2FA is never an option. [1]
[1] https://productioncommunity.publicmobile.ca/t5/Get-Support/T...
Also to pay taxes, you have to type "CRA" into your bank's "Add Payee" searchbox and hope you pick the right result out of 5 different options that all have CRA in the title.
It's mind-boggling that this is the solution we've settled on.
> I don’t think anyone considers a bank account “low-risk.” Yet here we are, still relying on SMS as the default, and sometimes only, 2FA option
> Passkeys (FIDO2/WebAuthn): Phishing-resistant, device-based login using biometrics. Excellent UX and security.
In response to the complaints about SMS MFA, yeah, it has its issues (we don't even support it in our auth software) but it's not totally indefensible. It makes it much, much easier to push MFA.
When I talk to end users about auth flows, they almost invariably complain about MFA. People hate MFA. They will avoid it if they can. With that in mind, while SMS 2FA has problems, we should recognize that it's minimally disruptive to users. It's familiar. People understand how it works. In this sense, it has major advantages over alternatives.
People really don't understand passkeys. I even meet professional software developers fairly often who -- at least to their knowledge -- have never used passkeys. It will take a very long time before this is well-understood by the average consumer.
Lots of people complain about TOTPs too. Downloading authenticator apps sucks and is confusing to many people. Even sending codes to people's email addresses causes problems; many people have several email addresses for which they forget passwords routinely. By contrast, mostly everyone has no problem opening a text message on their phone (which is pretty much always within reach).
We can't design software for the way we hope users will behave (e.g., telling people just use a password manager). Especially if you're making mass market consumer software, you really have to meet people where they are.
> People really don't understand passkeys
Passkey UX is absolutely terrible. It's unclear what is happening, what is being stored where (do you have my passkey? do I? is it in my browser? is it on my phone?), how communication is happening between devices, etc. Also nobody seems to explain what exactly a passkey is. Where's the thing I can point at and say "that's your passkey"?
I didn't understand it either, but on the "Security Now" podcast Steve said it's basically like using a FIDO2 key but virtualized in software. As I've used a yubikey and understand public/private keys (with ssh) I now have a vague idea.
As the sibling comment alludes, FLOSS projects have been threatened for allowing (part of?) the key to be exported!
One of the “features” of a passkey is that you can’t point to it. It’s a fucking nightmare
I. don't. care. Because we have to cater to the absolute lowest denominator, I now can't use my credit card 90% of the time because I can't receive SMS when I'm traveling abroad? No, not everyone has a fking iPhone and iMessage. Nothing in your comment serves as a defense of most places only having SMS 2FA. Why can Capital One email me every critical account notification, but can't email me 2FA/OTP codes for confirming transactions when I'm on the other side of the world? Why?
It is flatly absurd that my Xbox account can be more secure than most of my bank accounts. I am tired of hearing people justify the utter laziness of US financial institutions. Everything about dealing with money in the US has become increasingly incredibly user hostile. Fidelity won't allow ANY integration with apps like Lunch Money and have some impressive automation detection that blocks headless Chrome usage better than anyone else. I'm completely at their mercy, and cannot sanely manage my money because of them. It's complete god damn garbage.
> No, not everyone has a fking iPhone and iMessage.
I don't think iMessage solves the problem of receiving an SMS from your bank where your SIM card is inactive or disabled due to roaming costs.
A VOIP number like Google Voice can solve that problem, but some services that do SMS-based verification reject phone numbers that a database says are VOIP.
You need to switch to a carrier that allows international roaming, preferably at no cost. A lot of the budget carriers like Mint don't. Those carriers are really really good, like truly 99% of the way there, but for very specific use-cases they have problems.
There are a lot of people who get confused using the SMS code they received, let alone setting up passkeys, or TOTP and backing up their codes, and so on. The systems are designed for those people, not you. Even offering passkeys or TOTP as an option is a customer support liability; that's another thing agents need to support when someone nontechnical inevitably enables this by accident or has a family member set it up for them.
> Think of the person from your grade school classes who had the most difficulty at everything. The U.S. expects banks to service people much, much less intelligent than them. Some customers do not understand why a $45 charge and a $32 charge would overdraw an account with $70 in it. [...] This customer calls the bank much more frequently than you do.
https://www.bitsaboutmoney.com/archive/seeing-like-a-bank/
The main reason banks adopt in-app TOTP is that most third-party TOTP apps historically didn’t offer cloud backups. And some third-party TOTP apps could leak the tokens because the banks don't own their code.
When users accidentally deleted these apps or switched devices, they often lost access to their TOTP tokens, leading to a flood of support requests. Banks tried to "fix" that by integrating TOTP directly into their own apps.
This allows the bank a sort of token persistence (and user tracking, and being able to send push notifications, wanted or not).
So an interesting trick I learned while suffering from the same issue is that roaming usually only applies to outbound data / SMS usage. So when I travel I disable data usage, and set my travel sim to be active and primary, but I can still receive SMS for free.
> Even worse, these apps often become excuses, a reason to avoid implementing the open, interoperable standards that actually make a difference.
Even worse, under the hood, some of these apps use the TOTP standard. The entire extra premise is that the seed is not extractable and cannot be backed up.
From the POV of a bank, non extractable seed is a good thing
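Two points in this thread are easier to follow with the algorithm in front of you: the remark above that bank apps often run standard TOTP under the hood, and the earlier question of how a code can be tied to a specific operation (the EU "dynamic linking" requirement). The block below is an added example, not code from the article, the commenters or any bank. The `totp` function is plain RFC 6238 (checked against the RFC's published test vectors); `transaction_code` is an assumed construction of my own that mixes the amount and payee into the HMAC input, so the same seed yields a code that verifies only for that transaction. The seed `b"constructed-example-seed"`, the sample IBAN and the function names are constructed for the illustration.

```python
import hashlib
import hmac
import struct
import time


def hotp_truncate(digest, digits=6):
    """RFC 4226 dynamic truncation: pick 4 bytes at an offset chosen by
    the last nibble, mask the sign bit, and keep `digits` decimal digits."""
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret, for_time=None, step=30, digits=6, algo="sha1"):
    """RFC 6238 TOTP: HMAC over the big-endian 8-byte time-step counter.
    This is the same computation an authenticator app or an in-app
    bank token performs; only the seed and its storage differ."""
    if for_time is None:
        for_time = time.time()
    counter = struct.pack(">Q", int(for_time) // step)
    digest = hmac.new(secret, counter, getattr(hashlib, algo)).digest()
    return hotp_truncate(digest, digits)


def transaction_code(secret, amount_cents, payee_iban, for_time=None,
                     step=30, digits=6):
    """Transaction-bound OTP (assumed construction for this example,
    modelled on the PSD2 idea of dynamic linking, not a bank's real scheme).
    The HMAC input is the time-step counter followed by the canonicalised
    amount and payee, so a code the user approves for one transfer cannot
    be replayed by a phisher for a different amount or account."""
    if for_time is None:
        for_time = time.time()
    counter = struct.pack(">Q", int(for_time) // step)
    context = f"{int(amount_cents)}|{payee_iban.replace(' ', '').upper()}".encode()
    digest = hmac.new(secret, counter + context, hashlib.sha256).digest()
    return hotp_truncate(digest, digits)


def verify_transaction_code(secret, code, amount_cents, payee_iban,
                            now=None, step=30, window=1):
    """Server side: accept the code for the current step +/- `window`
    steps (clock drift), but only for exactly these transaction details."""
    if now is None:
        now = time.time()
    for k in range(-window, window + 1):
        expected = transaction_code(secret, amount_cents, payee_iban,
                                    now + k * step, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


# Seed from the RFC 6238 Appendix B test vectors (SHA-1 variant).
RFC6238_SHA1_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC6238_SHA1_SECRET, 59, digits=8))        # RFC vector: 94287082
    seed = b"constructed-example-seed"                      # constructed seed
    iban = "DE89 3704 0044 0532 0130 00"                    # sample IBAN
    code = transaction_code(seed, 1999, iban)
    print("code for 19.99 to", iban, "=", code)
    print("same amount/payee:", verify_transaction_code(seed, code, 1999, iban))
    print("tampered amount:  ", verify_transaction_code(seed, code, 2999, iban))
```

The contrast with plain `totp` is the whole point of the EU requirement: a plain TOTP code proves possession of the seed at a moment in time, whereas the transaction-bound variant also proves the approver saw the amount and payee that the server is about to act on. A non-extractable seed in a bank app changes where the secret lives, not the arithmetic.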
I remember my brother having a printed list of one-time-codes. I wonder why this is not mentioned? Not everyone wants to have their phone a single-point-of-failure. For me - breaking screen in my phone rendered my banking unavailable for me, which posed additional problem on how to pay for the screen replacement, not speaking about buying food etc.
The friction of changing bank accounts is high, and few people choose their bank accounts based on how easy the online authentication is. Unless a bank does this meaningfully much worse than their competitors (low bar) they have little incentive to fix it.
If you think TD is bad, try some European countries where there's only a handful of banks...
According to https://2fa.directory/us/#banking there are 3 banks in the US that support hardware 2FA (without limitations like requiring a Symantec token or only being available to "high risk" clients): BofA, Morgan Stanley, and Mercury.
Of these three, Mercury isn't really a bank, it's a non-bank financial institution (and as the bankruptcy of Synapse shows, putting your money into these services can be risky), Morgan Stanley has zero locations within a 1 hour drive (important for when I need cashiers checks or need to deposit checks that mobile apps can't handle), and BofA's interest rates are laughable.
There's no FDIC-insured bank which has decent savings accounts, physical branches near me, and supports proper hardware 2FA. The best I can get is savings, location, and (the bank's app-based) software 2FA.
There truly is no incentive for the banks to improve, and I don't think anything will unless congress forces their hands (which seems unlikely, given that the average person has never suffered an SMS 2FA-based attack on their finances and thus has no reason to write to congress about it).
My credit union supports TOTP authenticators, via their web and mobile apps alike. I use Google’s app.
Canadian banks are just horribly, terrifyingly stuck in the past for their security. For many years there was at least one Canadian bank where your online banking password was your phone password. So it had to be exactly 6 characters, and you could just as easily type in the word, or even the T-9 numbers related to them. The bank when I gave them this feedback didn't seem to understand why that was so terrible and just said, "Your money's covered if your account is hacked."
Part of the reason I have the cellphone plan I do, despite knowing I'll get an esim any time I travel is so I have the option to get SMS 2FA while traveling if I need to access something.
As a European I again find it crazy what kinds of insecure stuff the banking industry in the US does. Chip+PIN arrived long after it did here, SMS TAN is still a thing while EU Payment Services Directive 2 (PSD2) forbade this in 2018, 7 years ago. Many transactions are still authenticated via signatures on paper cheques, you can use your credit card without a second factor (also regulated by PSD2). I just can't understand why they continue doing this, when I'd assume fixing this would cost less than what fraud must be costing them today.
> I'd assume fixing this would cost less than what fraud must be costing them today.
You'd be wrong there but not for obvious reasons.
Ultimately the cost of fraud is passed on to consumers. Banks pass the costs on to merchants, who in turn increase prices.
As a merchant increasing friction in the checkout process to reduce fraud does not improve profitability (broadly speaking).
So no they had no actual financial incentive to even implement chip and pin, that only happened because it was required by law.
In the case of credit card payments this is true, but for checks and other P2P payments, there is no merchant to pass on costs to.
For these, it's usually the banks absorbing the losses themselves (or their customers, if they aren't legally required to, but in many cases they are).
Check fraud is a relatively small percentage of all fraud.
It's also pretty much a solved problem, it's expensive to cash a check anywhere but into a checking account in your name. If you write too many bad checks or try to deposit them you'll get banned from... the entire banking sector.
This is not universally a problem. In Switzerland you receive a letter with a QR code, which with your username/password can activate an app which does a 2nd factor authentication, but it also requires you to scan a QR code from the web every time you login.
Setting it up is a pain, also it's impossible to transfer to another device without the original barcode.
But it seems pretty convenient to me and very secure. Login with account-id and password, scan a QR code with the app and verify the login in it.
Still phone communication is very insecure…
The problem with the suggestions here is that it puts all your eggs in the same basket. 1Password TOTP? If both your password and the TOTP are in your password manager, you arguably really just have a single factor, delegated to a third party (your password manager). PassKeys? Same problem. Storing your recovery keys in your password manager? You again just have 1 factor.
SMS is bad and should go away, but it isn't so clear what the replacement needs to be for most people.
If you use a password manager, you might not be part of the target group that benefits most from a second factor.
A decent password manager nudges you into using unique passwords per service. Good password managers also offer you a browser extension, which injects the password directly into the DOM instead of using the clipboard, and checks the domain, too. It's not 100% secure, but at that point, 2FA may be a diminishing return already.
There’s an additional dimension to this: the elderly are hopelessly confused by 2FA and how inconsistently it’s used or applied. 3D Secure auth has pretty much blocked my parents from making online purchases, and I spent a frustrating hour on the phone the other evening just talking them through a failed attempt to find the right authenticator app for their bank in the Play Store in a sea of spoofs.
> And don’t even get me started on logging into accounts at the Canada Revenue Agency.
At least they support standard TOTP now. https://www.canada.ca/en/revenue-agency/services/e-services/...
As far as I can tell, the reason why any given login is needlessly complex is that some product manager somewhere has outdated info in their head that says stuff like "passwords need 4 different character classes" and "everybody uses SMS for 2FA, we need to use that". Powerless devs then mindlessly implement what they're asked to implement.
Powerless, that's exactly it. I pushed back when asked to implement email-based "2FA" on a website account (nothing like as important as a bank though). I pointed out that the username is the email address, and password recovery works by emailing a reset link, therefore emailing a login code wouldn't be two-factor, it would be the same factor. Of course the response was: doesn't matter, the client's asked for it. I didn't have the authority to push back any more, but luckily in this case it was just a simple website login that had no real need for 2FA anyway.
Are you me? I am an SE in a bank and I had this exact experience this week - though it relates to authing with the online banking system.
As I see it, it's an unfortunate combination of an extremely risk-averse environment, a total lack of trust in their IT staff, and - if I can be pointed - unqualified product teams. I can explain the inadvertent drop from 2FA to 1FA, I can back it up with NIST, OWASP and Gov references explaining why it's a bad idea, but I am simply ignored because they are bent on execution of their 'vision'. At this point, I raise my concerns just to have my biases confirmed.
It's really frustrating and obviously as a banking customer I want sensible security features too, but if I can generalise, we devs are not driving the bus. We're stuffed in the luggage compartment, wheeled out as necessary.
Bank of America offers FIDO U2F as a second factor but doesn't let you remove SMS as a factor. I don't see what the point is.
It doesn't do anything about SMS delivery based threats, but U2F at least makes authentication itself unphishable.
Here in South Africa all the banks I know of moved away from SMS text messages for 2FA ages ago, and perform authentication in-app with biometrics instead. Having a banking app installed on your phone is pretty much mandatory, and criminals have no doubt grown wise to this fact. So what happens when someone holds a gun to your head and forces you to perform a large transfer of funds from your phone? I'm sure the banks will try to convince you that their fraud detection systems will come to your aid.
One bank here recently introduced a duress-PIN, which when entered, will commence monitoring and send help, but they still don't offer any guarantee of a refund. Another bank allows you to change their app's icon and name, in an effort to masquerade as something less recognisable.
I'd much rather delete the apps, unlink my devices from my bank accounts and use a TOTP authenticator app instead.
> I'd much rather delete the apps, unlink my devices from my account and use a TOTP authenticator app instead.
I'm not clear how this changes the gun to your head scenario.
I would want to see numbers before making policy changes based on potential armed robbery.
> If a system breaks in common scenarios, like international travel, it’s not a secure system. It’s a hostile one.
I have spent many hours on the phone over the last few days fighting tooth and nail to get my savings back to my account with British bank A from British bank B (just recently bought by A, as it happens) in small chunks because reasons.
I have explicitly raised the point "if this punishes the innocent so hard in a simple legit case like this, wasting hours of everyone's time, is it actually working?"
In response to the first of three (!) complaints that I have filed during this trauma, the bank conceded on all the points and awarded me a significant compensation sum ... which I may never be able to get at!
Plus people possibly from the bank keep trying to call me and ask me to prove who I am with data that would let a phisher into my accounts, and are effectively unreachable if I try to contact them through a safe route... Including the fraud and complaints people... Duh.
I work on the CMS side of banking, where promotions and current rates are posted regularly. All actual banking is done through a first-party link to external systems. The amount of scrutiny and regular application scanning for vulnerabilities that is done on the CMS software I've built drives me insane, considering the glaring holes in security that affect their systems that actually deal with money. I take security seriously, and it's one of the main selling points of the software I build, but knowing how poorly made these systems are that house what a malicious user actually wants makes me understand how much of society's systems play security theater.
I'd be curious to know what bank actually does proper authentication? Like 2FA with OTP code or passkey.
I went through quite a few banks in my life, some old style banks, some all-internet banks, they were all some shade of horrible.
None offered a proper authentication method.
Vanguard on Web supports Passkeys for 2fa, but the iOS app seems to only support text-sms 2fa.
Robinhood supports passkey login on iOS app but doesn’t seem to require it for 2fa, email+password succeeds with no further prompts. But on Web it doesn’t support passkey at all, and email+password requires you to confirm auth via an in-app notification.
Both Robinhood and Vanguard support FaceID biometric auth for their apps.
All I want is passkey auth everywhere and/or email+password with options for passkey and TOTP for 2fa.
Ugh.
In the US, I am seeing biometric authentication, and/or 2fa on mobile apps for financial institutions. The issue is that these same institutions are still running their websites that have the same security that was around in the early 2000's. You can take advantage of the mobile application and get better security, but you're still a target to someone that just accesses the website.
> The implementation of 3D Secure (3DS) primarily shifts the responsibility of transaction authentication to the customer. This approach is more about addressing legal and liability concerns than it is about enhancing security measures.
Is the answer I got.
OP's problem sounds like failure to plan. If you are going to suspend your cell plan, you should probably check your authenticator works or have a backup option before you travel to another country.
I don't know what the viable alternative is. Passkeys have just as many issues when phones are stolen, lost or broken. You cannot expect consumers to store recovery codes. I do agree support of TOTP authenticators would help savvy consumers, but probably still too complicated for seniors etc. Watching my elderly relatives with poor vision enter a TOTP code was quite instructive. The UI of Google Authenticator made no sense to them and they didn't understand why it kept changing and getting rejected. They were barely able to enter six numbers in a 30 second window.
A viable alternative is to offer multiple 2FA options, one of which should be RFC 6238 TOTP. The author would have probably planned ahead by selecting that rather than a proprietary app or SMS.
> you should probably check your authenticator works or have a backup option before you travel to another country.
They may sign you out automatically if you connect from a different country.
TD Authenticate does not require a network connection. I outright disabled network access for the app on my phone.
Don't know how he got logged out but he almost certainly didn't check before leaving the country.
Having said that, the 2FA for TD is atrocious as it provides SMS fallback in addition to their bespoke app.
One thing I like about the Aegis authenticator app is the clear way it changes colors and even flashes to indicate a code is getting ready to change, so it is less common that you might start copying digits, glance away, and then finish copying digits from a different code.
But, I think it would still be a challenge for many elderly for other reasons.
hardware tokens are the way! Everyone has had a house key their whole lives, and understands how to keep a spare to prevent lock-outs.
If only there was some kind of a physical token with a crypto key that is protected by a password and tied to one's bank account.
-s
I know this was sarcasm, but bank card is not appropriate because you should have one hardware key for all services produced by an independent provider.
Why would I want to have one key for all them? To lose access or get them all compromised at the same time?
I think your threat model is bad — the isolation of accounts offers little and most people have effectively only the security of their email provider anyway.
That said, buying several keys would be a natural and happy path solution for the paranoid. Make sure to get three for each account (same as primary) as either you need a backup or the extra key offers no extra security.
The only bit we're lacking is the "tied to one's bank account". The rest already exists in the form of yubikeys and other hardware security tokens.
Your bank/credit/debit/etc. card is a “physical token with a crypto key that is protected by a password and tied to one's bank account”. FIDO and EMV even both use the same underlying ISO/IEC 7816 and 14443 protocols for communications.
Some of us don't want to have a dozen plus separate physical tokens (one for each of bank/credit card/tax, etc sites with sensitive financial information we have).
Okay, I will make the "S" mark bigger next time.
Not how it works. One key can keep dozens of entries.
I know plenty of people who have lost house keys. I have many Yubikeys and I am responsible with my things, but not everybody is like us.
Hardware tokens are a PITA. Sure everyone has a house key because they only have a house at a time. I have 3 bank accounts, a few brokerage accounts, some pension logins on top of the regular stuff. I'm not going to carry 15 hardware tokens with me.
You only need one, plus a couple recovery spares, in any sane implementation.
SecurID tokens suck but with FIDO2, you'd only need one key.
Of course, that breaks the UX analogy of the house key.
I swear this is true: my old bank (Allianz) introduced a two factor authentication where they would show me a code upon login, then I HAD TO CALL THEM, go through a menu and punch in the code. I changed bank a couple months later.
My most charitable guess as to why banks haven't adopted TOTP or WebAuthn is a combination of:
- TOTP having just relatively-recently become a first class citizen on iOS and Android,
- Not wanting to spend the money needed to educate their customers, many of whom can just barely text, on passkeys, and
- Lacking regulatory pressure to force their hand.
That said, I hate the trend of web services moving to "passwordless" auth schemes that rely solely on email or SMS .
Only tangentially related, but I'm a Canadian who has been on a US cell provider (AT&T) for over a decade now because it's cheaper, especially when I used to spend a lot more time roaming in the US. The number of Canadian companies that fail silently when sending SMS to US numbers is too damn high.
My bank is one of those with Verified by Visa. Thankfully I've figured out that using the Voice option instead of Text will work but still that silent failure is really annoying.
Very few organisations get international use cases right. Want to load that public transport app for the city you’re spending three months in? Sorry, only available if your phone is tied to the local App Store. Use an international number as your primary contact number? No chance. &etc &etc
> A modern authentication flow in 2025 should be built around strong, user-friendly, standards-based mechanisms:
> Passkeys (FIDO2/WebAuthn): Phishing-resistant, device-based login using biometrics.
Maybe I'm missing something, but I heard that using biometrics for authentication was found bad some years ago and other ways for that were required?
The answer is lack of competition.
Here in the UK, all bank apps were dismal. Until Monzo and Starling arrived on the scene, and holy hell did the big 4 get their acts together.
The reason it's a farce is because most banks are using some off the shelf system from one of the big vendors in the space OR legacy systems, or both. FIS is a good example.
They have basically no real motive to improve anything (the lock in is utterly extreme) and no doubt will charge through the eyeballs for any improvements - especially ones that are regulatory related.
You can see the difference between a legacy bank and some of the neobanks in the UK. It's absolutely night and day when they own their own modern tech stack.
> using some off the shelf system from one of the big vendors
This also gives the bank 'cover' should an exploit be uncovered in "big vendors" system. They (the bank) are safe liability wise (or at least they think they are) because they used "approved vendor Y" for their authentication system.
If they created their own system, then they would be unable to offload the liability onto someone else.
> If they created their own system, then they would be unable to offload the liability onto someone else.
In a sense. The big banks in the US created Zelle with one of the specific outcomes being to offload liability for unauthorized transactions more on to the consumer than themselves.
Passkeys = excellent UX? In what world is that?
I keep looking at them, see the fragmentation, and have to say "no thanks, great idea, horrible reality".
If you store them in a password manager it is pretty nice, but if not it can be pretty cumbersome, especially if using browsers with multiple profiles.
Pretty much the same thing with Chase. I had to access my account while overseas and had a somewhat similar story.
The mobile app doesn't require a second factor, so I was able to log in there, but I couldn't transfer funds or something on mobile, and buried in a deep section of the settings I found a way to get the OTP via email.
Really disturbing the banks still haven't secured this.
I think all the banks that I used for the last five years (from three different European countries) use the mobile app itself as a generator of security credentials. The app itself is pin protected.
Recovery paths vary -- from SMS and hardware code generators (funny terminal to slot your bank card into) to government-managed PKI or ID cards.
I think only one of them is still using sms as a fallback for normal transaction confirmations.
They should all be shamed continually until they adopt the common sense ideas in the article.
Sadly I have to conclude from evidence that these incompetent buffoons think you can compute “how secure our site is” by asking “is it a f*cking pain in the ass for everyone to log in, almost all the time?” If yes, then secure.
Bonus points for “is it impossible to log in when you don’t have your cell phone that you registered with us?”
Still not sure about Passkeys. Or biometrics. But agree that their SMS based systems are way outdated. Which is odd because, at least at the Canadian banks, the mobile and web experiences are generally pretty modern and good.
It’s almost like the various departments that make these systems don’t talk to each other.
> There’s no excuse anymore.
Implementing "modern" auth flows is challenging with old core systems.
From a risk management and compliance standpoint, this new auth infrastructure would represent a non-trivial expansion in the bank's audit scope.
Until a regulator makes it a requirement to use whatever new auth flow, it is not going to happen at scale.
We had SMS-auth in Norway until 15 years ago (?), then it was a special type of SMS popping all over your screen that was more secure. Now all that is gone and replaced with Apps for auth, with scanning of your Passport/NationalID using NFC + SMS the first time.
Banks are always facing a trade-off between security and regulatory accessibility requirements. A former employer offered ~10 different ways to perform step-up authentication for high risk activities to avoid getting slapped with fines.
Then again "regulatory accessibility" has little to do with usability. You can have an 11 step process which works with a screen reader and is still hell.
Big corporations don’t fix anything unless it bleeds cash in an obvious way. Their siloed departments border on self-sabotage, and they only wake up when shareholders start shouting about lost profits—then they stall anyway.
I’ve seen only one bank offering TOTP as an option (Bank SPB in Russia). It’s really sad more banks don’t adopt it.
I agree with this take and I think implementing passkeys, etc would result in mass confusion for many customers, especially the elderly.
I suspect that's a big reason for slow adoption
i worked on a large platform (YC company, too!) previously on their 2FA implementation. while not ideal, it was decided to keep SMS 2FA because there are still people out there without smart phones or in general the ability to do TOTP. but they still have some means to access the site that wasn't a smartphone i guess.
so, it's a bit of a compatibility issue, i guess there will be some portion of the population who will be very upset that they need to buy a whole new smartphone just to securely access their banking details
Anything that requires a cellphone bakes in BOTH a single point of failure and cumbersome extra steps. Terrible practice anyway - even though so many people here are in love with both single points of failure and extra steps.
ALLOWING methods X, Y or Z would be better reasoning.
That isn't a very strong argument for not allowing me to secure my account.
https://news.ycombinator.com/item?id=38180477 -- HN discussion of "Seeing like a Bank"
Any US banks support TOTP or Yubikey/U2F requirements for login yet?
I've seen a couple consumer fintech products that support TOTP, still not many, and no banks I'm aware of.
Wells Fargo offers RSA hardware tokens if you know how to ask for them :-) Schwab offers a Symantec hardware token. Vanguard allows the use of a FIDO device (YubiKey).
Imagine using anything Symantec related to security. :-/
Fidelity supports TOTP
Does password requirements with short max length count as getting it wrong? Because I see that all the time.
Also a password box that will accept more characters than the max password length.
How about one that accepts any length on create but truncates it in the DB so your password manager saves the long one you typed in when it’s actually cut off at 12 chars? Had that one recently.
That begs the question: are they truncating the password string before hashing it ... or truncating it and saving it plaintext?
I don't understand enforcing a max password length when the password should be stored as a hash.
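The silent 12-character cut-off described above is worth seeing in code, because the user never notices it: the same truncation runs at login, so the long password from the password manager keeps working while only its first 12 characters actually matter. The following is an added example (not code from any bank or commenter) that puts the truncating scheme beside one that hashes the whole password and only enforces an explicit, visible upper bound. The salt, the 12-character limit, the 1024-byte bound and the passphrase are constructed values for this example.

```python
import hashlib
import hmac

# Constructed values for this example; a real system uses a random per-user salt.
SALT = b"example-salt-not-for-production"
STORED_LIMIT = 12           # the silent 12-character cut-off described in the thread
MAX_PASSWORD_BYTES = 1024   # hardened variant: generous bound, rejected loudly rather than cut silently


def _kdf(password_bytes: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; iteration count kept low so the demo runs fast.
    return hashlib.pbkdf2_hmac("sha256", password_bytes, SALT, 50_000)


def store_truncating(password: str) -> bytes:
    """Flawed: truncates before hashing, so only the first STORED_LIMIT characters are ever checked."""
    return _kdf(password[:STORED_LIMIT].encode())


def verify_truncating(stored: bytes, candidate: str) -> bool:
    # The same truncation at login is why nobody notices: the full password still verifies,
    # but so does anything sharing its first 12 characters.
    return hmac.compare_digest(stored, store_truncating(candidate))


def store_full(password: str) -> bytes:
    """Hardened: hash the whole password; over-long input is an error, never a silent cut."""
    raw = password.encode()
    if len(raw) > MAX_PASSWORD_BYTES:
        raise ValueError("password exceeds maximum length")
    return _kdf(raw)


def verify_full(stored: bytes, candidate: str) -> bool:
    raw = candidate.encode()
    if len(raw) > MAX_PASSWORD_BYTES:
        return False
    return hmac.compare_digest(stored, _kdf(raw))


def demo() -> dict:
    """Compare both schemes on a constructed 33-character passphrase from a password manager."""
    manager_password = "correct horse battery staple 2025"
    # A candidate that matches only the first 12 characters and then diverges entirely.
    prefix_only = manager_password[:STORED_LIMIT] + "ANYTHING-GOES"
    truncating_hash = store_truncating(manager_password)
    full_hash = store_full(manager_password)
    return {
        "truncating_accepts_full": verify_truncating(truncating_hash, manager_password),
        "truncating_accepts_prefix": verify_truncating(truncating_hash, prefix_only),
        "full_accepts_full": verify_full(full_hash, manager_password),
        "full_accepts_prefix": verify_full(full_hash, prefix_only),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The two `*_accepts_prefix` results are the point: the truncating scheme accepts a password that is wrong after the twelfth character, which is the entropy loss the thread is describing, and the UI-side maximum being larger than the stored maximum is what hides it.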
Some banks do it properly. For example, my local credit union does Google Authenticator (actually TOTP, but they call it Google Authenticator). I use it with Authy on F-Droid.
Best thing that ever happened in this bleak security world is Google Authenticator. I haven’t used that app itself in years, preferring others, but the existence of it and it being non-proprietary, has done a lot to bring over the moderately-security-competent companies to thinking “hey, I guess we should support this.” Obviously that group excludes every American bank, every power utility, etc. They all want to email or text me a freaking code at each login for some reason.
Please do not use Authy, lacks essential features and it was bought by a bad actor.
Well that's a mistake. I'm using aegis but a neuron crossed and wrote the wrong word, and I can't edit my original post now
I switched from Lastpass Authenticator to Authy after the hack. The lack of the "upcoming key" feature has been a huge pain point.
Any suggestions for what is better?
Try Aegis https://getaegis.app/
Can you elaborate? Is twilio a bad actor?
I recommend KeePassDX from F-Droid for TOTP.
Is there a way off Authy yet?
wait, which bad actor? I use it for everything and hear about it first time
It's not a common problem enough for them to care.
It’s odd that banks are so bad at this because the incentives are correct: the banks pay when fraud happens. (At least up here)
Why is there no standardized e-ID in the US? How much money is wasted by different authorities and businesses having to reinvent the same wheel over and over? I have used the same auth for doing my taxes or checking my prescriptions or signing into my bank for 20 years.
From my experience in the US, UK (see https://en.wikipedia.org/wiki/NO2ID ) and Canada there is a cultural aversion to government ID. I believe it's the same in Aus and NZ, so it may be an Anglophone thing.
It is partly cultural, and partly a power struggle between states and the federal government.
The current US administration is known for illegally deporting permanent residents and has stated intent to deport natural-born citizens. It should be self-evident why a centralized ID system under the control of the executive branch is a terrible idea.
That's horrible but why would it be worse together with an e-id system?
Because without thoroughly-enshrined protections for identities, an e-ID system provides an avenue for the government to effectively de-person undesirables at will, by removing their ability to use banks, sign contracts, access healthcare, etc.
US government is deporting undesirables at will right now without any of that. On the other side of the world, where id is mandatory and e-id is used for everything that makes sense, the city hall gives free heroin injections to addicts as a last resort therapy and provides for illegal/undocumented homeless people so they don't shit on the street.
Neither of those prevents somebody from stealing bicycles zo.
Broadly speaking: because they don't have to get it right.
Banks are generally protected from fraud not by up-front security, but by auditing. If someone mis-applies funds, they have a chain of transactions they can back out. And, if someone does it maliciously, they have a disproportionate support of the force of law to discourage such behavior.
Contrast most software companies, where theft of data is not a reversible issue, so they are heavily incentivized to make it technically infeasible.
While not wrong, it will be a big hassle for whoever is the fraud victim while things are reversed. You may even lose other things in your life because you are unable to pay bills you technically have the money for but cannot access the money.
This is all true and, most notably, not the bank's immediate concern.
The financial sector has sheltered itself / been sheltered from the immediate consequences of fraud perpetrated upon it regarding its customers. The customers catch most of the consequences in terms of opportunity costs and some of the bookkeeping labor.
(... in the large, of course, too much fraud runs the bank out of customers and then the bank suffers. But that has to be a lot of fraud, and that's where the governmental big stick that the banks and other financial operators get to wield by proxy come back into play. Try to steal $100 via credit card fraud and you probably get away with it [once], with the cost being borne by a credit card company having to write off couch-cushion money and an individual consumer being heinously inconvenienced in having to rotate all their auto-deduction numbers. Try to steal $1,000,000? The FBI has some questions, friend, if you'd be willing to come with these nice men down to the branch office).
Hey at least they aren't on firebase
None of the recommended alternatives show what you are authenticating for.
The proprietary auth solution as well as SMS will show "To authorize a transaction of $12,345.67 to account ..., enter code 123456". SMS isn't secure because there are various ways for the attacker to get the code aside from phishing.
The apps are a royal pain for the user, but they enable this flow, and they are secure for the bank.
The bank has limited incentive to make the user happy, but a lot of incentive to a) minimize fraud, b) be able to blame the user for the remaining fraud.
That's why you will keep getting shitty, user-hostile authentication apps, and that's why banks will keep losing some (but probably not enough to make them care) customers to neobanks that are prioritizing user experience. And why neobanks will enshittify once they are no longer willing to buy adoption by accepting more fraud.
My apartment wanted to use some 3rd party service to do ACH transfers for my rent. I just wanted to type in my bank's routing number and account number but this 3rd party service only worked if you gave it your bank username/password. I was like NOPE! And sent them a paper check. My guess is they had some permission from the bank to also suck down all your transaction history.
I'm too lazy to look up the service but it's a famous/popular service along the order or plaid or something
This happened to me when I was overseas recently. No phone, I needed to access my credit card website with Scotiabank. I had previously relied on having an option for the OTP to be delivered either by email or sms, but when I tried in March, Scotiabank had removed the email option! I ended up having to basically remove 2FA from my bank account as a workaround, after answering a ton of security questions.
Therefore for the entire time I was overseas after having done this, my bank account had no 2FA enabled... smh
I wonder what he would have written if he had his Canadian SIM but his TOTP device got stolen...
Good question, that’s exactly why systems need multiple secure fallback options.
AML & KYC
Surely it couldn't be as bad as an unnamed Queensland (Australia) bank that did client side authentication by looking up the username and password if one giant
Yes, that was real.
Is it possible for Americans to use European or Chinese banks?
I'm only half trolling.
What actual real life person is going to switch their bank account because TOTP isn't supported?
That's why banks get authentication wrong. Because they are in the business of banking and banking customers do not care about TOTP.
Me? As in, I've literally changed banks and canceled cards over this.
I can't get SMS when I'm traveling which is 95% of my time. It's such an entirely ignorant US-centric view to assume that everyone has a phone, has SMS plans, has cell service at all, etc.
> It's such an entirely ignorant US-centric view to assume that everyone has a phone, has SMS plans, has cell service at all, etc.
I think many banks might find it a benefit to exclude customers who don't have cellphones or SMS.
But banks should have to provide better security or they should be at fault if the account is accessed by a third party due to their weak security.
Ok. They are not though.
Same reason they're still occasionally sending money to one another by cheque.
I don't care how many times I am violently buried on this site for mentioning the word -- but cryptocurrency makes traditional banking obsolete. Or should have.
After almost two decades my guess is we can start to look back at the whole cryptocurrency thing a bit more clearly.
> but cryptocurrency makes traditional banking obsolete.
Most banks we interact with were obsolete before crypto.
When working there I had a lot of "why" questions until someone explained to me "You need to think about banks basically as an extension of the state".
From a tech POV it is exactly what we usually hear: there is a ~50 year old legacy core banking system that nobody really understands but that keeps working almost miraculously. Everything else beyond that is trash.
Cryptocurrencies popped up in a weird way and obviously have not delivered since.
In 2025, it is still hard and costly to transact on Bitcoin or Ethereum. If it wasn't, govs would have unleashed the fury on crypto.
> Or should have.
Yes our banking system is failing society and preventing progress since at least 2008.
Crypto was our chance to move beyond but it didn't happen. Bitcoin's price probably just reflects the fact that our banking system is at risk of collapsing any time soon and crypto might be (part of) the solution.
> I don't care how many times I am violently buried on this site for mentioning the word
Yes crypto shouldn't be taboo on HN. It is a potential solution for what most people need urgently (more than AI) so it should be discussed.
No it doesn't
cryptocurrency makes traditional banking obsolete only if:
1. you don't understand what banks do, or
2. you pretend that cryptocurrencies do things that they don't
One could make a list a mile long of things that banks do that cryptocurrencies have no answer for. Banking is not a technology, it is a service.
Maybe try to make a list of 1 or 2 things instead of a mile.
Since we're on the topic of authentication, how about the fact that they are not recoverable? You cannot reset a password on the blockchain, nor can you call the blockchain and prove you are the rightful owner of any inaccessible/stolen funds, nor can you take the blockchain to court to return your funds. You are SOL.
Just about any service that banks do are great examples of other things that math itself cannot do for you. These are all reasons that people still overwhelmingly use banks.
Banks do work to integrate with other societal systems in meatspace, build infrastructure, manage exceptions, comply with legal expectations, provide service, build and maintain partnerships, etc. Cryptographic ledgers don't do any of this, they are inanimate.
Hm. There are some things that banks do then that math can't do. But advanced cryptocurrencies have smart contracts that allow DeFi systems to handle many typical banking functions.
The primary things that people use them for, to store money or sometimes distribute it, or act as a system of record, have been made obsolete though.
Anybody that has the misfortune of working within a financial institution should know these folks are way behind the times.
They will hire contractors from the bottom of the barrel, claim "rEgUlAtIoNs sToP uS", load up on middle management — thinking they will ~~whip~~ manage those bottom dollar contractors into performing like well paid folks — then decry about asinine shit (mUsT rETurN to oFfIcE for cUlTtuRe!!11) and shift blame when the initiative(s) fall flat and projects are behind by _years_.
This rinses and repeats for a few years, maybe they get a half ass implementation out to meet minimum spec for MFA. Maybe they spend millions in consultants and contractors before it gets off the ground.
I don’t think banks are deliberately trying to avoid using TOTP, it’s just that they have to cater to the lowest common denominator, you know, the kind for which anything computer-related is basically black magic.
SMS is an easy target because ~everyone has a cell phone and with things like Apple’s verification code auto-complete, the amount of friction is greatly reduced.
With standard TOTP, now they have to worry about if the user correctly added the secret information to whatever authenticator app. And write corresponding documentation explaining how to do so, for every major authenticator app.
There also has to be a backup flow for when the user loses their authenticator app which is probably just going to be SMS. So why not stick with just SMS in the first place?
I hate using SMS for 2FA, but I understand the business decisions around it. I think as engineers we forget, to be frank, just how bad most people are with technology.
This is no excuse for not offering it. And no, SMS must NOT be a backup that’s always available, as the article points out, its availability for use is a security hole.
If you can’t access your actual 2FA there should be an option for the bank to have it call that registered number and ask you “Hey this is (Bank). Are you trying to log in right now from Moscow on a Windows 10 PC using Firefox? If so, please call the number on the back of your card, hit 9, put in your SSN, then we’ll turn off 2FA for one login and let you add a new one. Btw if it is not you, your password is definitely compromised.”
Recovery codes is an option, for one.
Since we're talking about a legacy bank here, going to a branch and proving your identity is an option.
Worst case, you could always call and speak to a human who will do whatever verification they do if you forgot your password, which is functionally equivalent.
Do TOTP authentication apps typically provide recovery codes option? Can they squash all of the added TOTP codes you have in the app into one code?
> “Hey this is (Bank). Are you trying to log in right now from Moscow on a Windows 10 PC using Firefox? If so, please call the number on the back of your card, hit 9, put in your SSN, then we’ll turn off 2FA for one login and let you add a new one. Btw if it is not you, your password is definitely compromised.”
Stop, do not pass Go, do not collect $200. Having someone call and ask for your SSN is a non-starter.
And in what world is SMS not available but being able to call that same phone is?
> Having someone call and ask for your SSN is a non-starter.
That's not what he said. This hypothetical robocall would simply instruct you to call a different (known good, printed on your card) number to authenticate, at which point you know who's on the line.
> And in what world is SMS not available but being able to call that same phone is?
It's a good point about the robocall notification itself, but I imagine this kind of system wouldn't even need that to work in order to function. What actually unlocks your account is calling the bank's system and inputting your SSN; you could preemptively do it from another phone if you know you lost your 2FA codes and are trying to log in.
This person's idea would replace your phone number being your authentication with your phone number simply being used for a notification, shifting the actual authentication to something the bank already knows but that someone who stole your credit card (and maybe your phone along with it) wouldn't inherently have. I got a bad whiff from it at first, but after thinking about it a little more, I think it's a good idea.
> With standard TOTP, now they have to worry about if the user correctly added the secret
The standard flow I usually see for setting up TOTP ends with entering an authentication code. If it's not valid then the setup isn't finished.
That's not what I'm talking about. I'm talking about the act of adding the secret to the authenticator app in the first place. There needs to be documentation to the effect of "open Google Authenticator, and if you don't have it, download it on the App Store or Google Play store. Open the app and choose 'new secret', ...". Probably also put in a QR code and link for good measure. Rinse and repeat for all the major authenticator apps. THEN you can have them verify.
It adds up to a decent amount of supporting documentation that the bank is responsible for providing.
Outside of services like Github where the average user is expected to know what an RFC is, I usually just see Google Authenticator supported and no mention of the fact that alternatives exist. That seems like an adequate solution.
It's not just authentication that they get wrong. On several websites (non banks) I can get my entire history, all my logins, all my transactions, since I created my accounts: all the way back to, say, 2013... No problem.
But banking websites only allow to go a few years back. But now with the KYC/AML madness where every real-estate agent, notary, etc. is forced to snitch for the intrusive government, they ask for "proofs of the source of funds" for things that can go back many, many, many years.
"I sold an apartment I bought in 2013"
"Source of funds you used to buy the apartment in 2013 please"
And you're sorry out of luck with traditional banks.
My banks then typically charge 25 EUR per month, per account, to get past history. So say you have 3 accounts, that's 900 EUR per year for your history.
And to add insult to injury, it's all dog slow of course.
Back in the day it wasn't like that: it didn't feel like the Gestapo was watching your every move and asking honest citizens for proofs of everything. So I didn't know that for my private account I had to carefully save every single wire transfer for it may be needed 15 years in the future.
Just screw that entire system. Fuck it.
P.S.: my mom still has one banking website where geniuses decided that a PIN had to be entered by using the mouse to click on digits that are randomly placed on the screen. Major French bank. In 2025.