• Ideas
  • TOTP

@Joshua-Aquamarine-Unicorn#148068 I think for initial login TOTP or U2F might be a good addition to the regular password in a world where SIMs with mobile phone numbers are increasingly being swapped out without the victims being able to stop it quickly.

U2F especially now that it seems to be supported on iPhone via NFC might be a good candidate cross-platform that non-technical users will be able to use as well.

    @Gerhard-Yellow-Frog#148080 Also, right now login is based on a QR code OR a link I get via email.

    That means: Anyone who gets access to the email can log in and make transactions.

    Emails are not encrypted.

    There's a reason I'm not using bunq as my main bank yet and it is (mainly) security concerns.

      @Joshua-Aquamarine-Unicorn#148088 That means: Anyone who gets access to the email can log in and make transactions.

      No, a hacker still needs your 6-digit pin. (You have to enter it after following the link from the email)

      And for bigger transactions they also need your handscan or 5-word passphrase.

        @pbruins84#148090 Still not the best.

        Why not an additional factor?

          @Joshua-Aquamarine-Unicorn#148111 the handscan/passphrase is an additional factor already. 😉

            @Sander#148127 But not an OTP. 🙄

              A one time pad is made to be used ONCE. That's why it is a one time pad: even if you get the credentials and the OTP, they will be invalid if already used once.

                My hand can be scanned while I am sleeping/passed out/dead. Just saying.

                  @Joshua-Aquamarine-Unicorn#148136 So if someone gets access to the email and have the passphrase they cannot get in.

                    @Christian-Olive-Lion-1183283092#148138 Good point

                      @Christian-Olive-Lion-1183283092#148138 Also, if you hurt yourself and the hand is bleeding it might prevent you from logging in

                        @Joshua-Aquamarine-Unicorn#148142 This is indeed a problem. I had a bike accident and had both hands in bandages. Luckily, making payments was the least of my concerns. But I wonder how inconvenient that is if you need your hands in casts.

                        Non-biometric secrets are always to be preferred over biometric ones.

                          @Joshua-Aquamarine-Unicorn#148078 Hardly useful when you keep the bank app and your TOTP-app on the same device anyway. Especially if it were to be incorporated in the same app. In fact, it may lower security. If someone gets a hold of your unlocked device they can do anything, whilst the current setup requires a physical 2nd factor such as your hand.

                          I love TOTP as a two-factor mechanism, don't get me wrong. I just don't see added value in adding it to bunq as a 2FA method at this time.

                            @LH-Black-Wolf#148145 Sure, the TOTP generator should not be on the same device.

                              @Christian-Olive-Lion-1183283092#148144 If you are unable to scan your hand, you can still use the passphrase, so that shouldn't be a problem.

                                @Christian-Olive-Lion-1183283092#148138 you probably have way bigger problems then... But still, when you're dead or something you'd still need your six digit code, which should be stored solely in your brain. That's the killing barrier for intruders in that case. It's about the principle of having something you know, something you own, etc. A bleeding hand won't necessarily stop the handscan from working. As long as it can find your fingerprints then you're good to go.

                                  a month later

                                  Totally agree, TOTP should be supported rather soon!
                                  Mobile providers are totally incompetent when it comes to filtering SMS messages; identifying where they come from, filtering/blocking illegitimate senders.
                                  Then there is SIM-swap, of which I'm not sure whether it is something that is an issue in NL/Europe, but it is in the US, basically making it possible for someone else to take over your number.

                                  Really, SMS should not be used in MFA! Understand that for the foreseeable future it cannot be phased out, but people should have a choice to switch to TOTP; Authy/Google/Microsoft/other authenticators.

                                  bunq, please implement this!

                                    @Jonathan-Indigo-Akita#152469 SMS is not one of the additional factors, it's only used to verify your phone number, such that you can use it as a "login name". Same as verifying your email address on a forum (or actually, the bunq app also verifies your email address that way). bunq uses passphrase / handscan as additional factors. 🙂

                                      @pbruins84#148090 I think you miss the point...

                                        @Sander#152492
                                        Yes, the way I wrote it isn't accurate, when I mentioned SMS as being part of MFA, thanks for correcting! However, during sign-up/re-installation it seems I cannot install bunq without a working mobile number, which is actually super annoying; it is actually partially used as a login method and shows my 'nick' name when submitting the received SMS verification code.
                                        I'd rather be prompted with a dedicated account, or email verification + TOTP, but definitely not a phone number.
                                        It only makes sense to verify the mobile number with an SMS, when I add it to my profile as part of either a verification or communication method.

                                        So bunq, please get rid of the mobile phone number requirement; it doesn't make sense in the 21st century.