Bunq web iDEAL compatibility

I'd like to be able to verify iDEAL payments using the bunq web application, without having to use my phone.

    +1. Web App is a nice start, but building (almost) all of the mobile features into it as well would be great.

      @Kwintijn-Maroon-Penguin#106466 I think that would be quite unsafe, as bunq can then not use two factors to authenticate.

        @Petervdv#106493 The fact that your laptop is enabled to use the bunq web app, and your code, are two factors.

          @Kwintijn-Maroon-Penguin#106498 The laptop isn’t authenticated like your phone is. The web login works with any browser on any computer. For compliant 2FA, two different factors from two different categories out of inheritance, knowledge, or possession are necessary. Unlocking a laptop with a passcode doesn’t make the laptop a valid factor in the category possession. The factors need to be independent and can’t be derived from each other.

            @Frank-Maroon-Eagle#106502 Having said this, if the user logged in via registered email and the magic link, it’s 2 factors.

              @Frank-Maroon-Eagle#106502 As far as I understand, a computer first needs to be authenticated using the passcode from the app, AND through a verification email, which can't be entered using the app passcode.

                @Kwintijn-Maroon-Penguin#106507 That’s right. It’s still extremely weak and vulnerable to phishing attacks. State-of-the-art 2FA should use at least one factor that’s harder to obtain, like software-generated time-based tokens or, even better, hardware-generated tokens. I would consider a system based on email and rigid passcode not safe enough for a banking environment.

                  @Kwintijn-Maroon-Penguin#106466 In what situation would that offer added value?

                    @Frank-Maroon-Eagle#106511 You’re pretty much always vulnerable to phishing and social engineering. There’s no escaping that without killing UE. I’d prefer logging in with a password though and do confirmations either through scanning QR with phone or with txt message verification. (Yeah yeah that’s not considered overly secure, but it still beats email in most generic cases.)

                      @LH-Black-Wolf#106530 Well, sure. The greatest risk is the user itself. 2FA can be relatively secure without "killing" UX. And with a web interface available, phishing attempts will increase.

                        I really like this idea as well, and instead of having to grab a mobile device, let us set a new, secondary 6-digit PIN for transaction approval in general (which can also be used in the app if biometrics fail due to a dirty sensor or camera or some such), that is separate from the login code. That way, you can use that PIN to verify iDEAL payments online. Or any other payments for that matter.

                          @DaveFlash#106999 Like the pass phrase?

                            @Delano#107000 No, standalone from the passphrase.

                              @DaveFlash#106999 I can dig that idea :) Would prefer custom code though with option to be alphanumeric. Make 6-digits minimum, but not maximum.
