bunq Together

TOTP

Joshua-Aquamarine-Unicorn

A one time pad is made to be used ONCE. That's why it is a one time pad, even you get the credentials and the OTP, they will be invalid if already used once.

Joshua-Aquamarine-Unicorn

joshua So if someone gets access to the email and have the passphrase they cannot get in.

Christian-Olive-Lion-1183283092

My hand can be scanned while I am sleeping/passed out/dead. Just saying.

Joshua-Aquamarine-Unicorn

Christian Good point

Joshua-Aquamarine-Unicorn

Christian Also, if you hurt yourself and the hand is bleeding it might prevent you from logging in

Sander

Christian you probably have way bigger problems then... But still, when you're dead or something you'd still need your six digit code, which should be stored solely in your brain. That's the killing barrier for intruders in that case. It's about the principle to have something you know, something you own, etc. A bleeding hand won't necessarily stop the handscan to work. As long as it can find your fingerprints then you're good to go.

Christian-Olive-Lion-1183283092

joshua This is indeed a problem I had a bike accident and had both hands in bandages. Luckily, making payments was the least of my concerns. But I wonder how inconvenient that is if you need your hands in casts.

Non-Biometric secrets are always to be preferred over biometric ones.

pbruins84

Christian If you are unable to scan your hand, you can still use the passphrase, so that shouldn't be a problem.

LH-Black-Wolf

joshua Hardly useful when you keep the bank app and your TOTP-app on the same device anyway. Especially if it were to be incorporated in the same app. In fact, it may lower security. If someone gets a hold of your unlocked device they can do anything, whilst the current setup requires a physical 2nd factor such as your hand.

I love TOTP as a two-factor mechanism, don’t get me wrong. I just don’t see added value in adding it to bunq as a 2FA method at this time.

Joshua-Aquamarine-Unicorn

LvH Sure, the TOTP generator should not be on the same device.

Jonathan-Indigo-Akita

Totally agree, TOTP should be supported rather soon!
Mobile providers are totally incompetent when it comes to filtering SMS messages; identifying where they come from, filtering/blocking illegitimate senders.
Then there is SIM-swap, of which I'm not sure whether it is something that is an issue in NL/Europe, but it is in the US, basically making it possible for someone else to take over your number.

Really, SMS should not be used in MFA! Understand that for the foreseeable future it cannot be phased out, but people should have a choice to switch to TOTP; Authy/Google/Microsoft/other authenticators.

bunq, please implement this!

Sander

Jonathan de R SMS is not one of the additional factors, it's only used to verify your phone number, such that you can use it as a "login name". Same as verifying your email address on a forum (or actually, the bunq app also verifies your email address that way). bunq uses passphrase / handscan as additional factors. 🙂

Jonathan-Indigo-Akita

Sander
Yes, the way I wrote it isn't accurate, when I mentioned it as SMS being part of MFA, thanks for correct! However, during sign-up/re-installation it seems I cannot install bunq without a working mobile number, which is actually super annoying, it is actually partially used as a login method and showing my 'nick' name when submitting the received SMS verification code.
I rather prefer to be prompted with a dedicated account, or email verification + TOTP, but definitely not a phone number.
It only makes sense to verify the mobile number with an SMS, when I add it to my profile as part of either a verification or communication method.

So bunq, please get rid of the mobile phone number requirement, doesn't make sense in the 21st century.

confiq

Peter B I think you misses the point...

Jonathan-Indigo-Akita

Freek
I find the hand recognition pretty lame and changed the preferred method to passphrase because it often didn't work. Apparently my hands are rapidly changing since I entered into 40's.

TimothyA

Jonathan de R I've never had a hand scan fail.

Jonathan-Indigo-Akita

Bastiaan
It's definitely a good extra. The authenticator app should be behind your fingerprint or FaceID as well. You would use it on top of your passphrase and without any phone number it gives you the flexibility to login to any device which the bunq app can be installed on.
That better ties in with the 'bank of the free'!

Jan-Aquamarine-Zebra-2830743186

Sander But the handscan isn’t there in all cases is it ?
In wich cases the handscan is existing ?

Is there any documentation how authentification works in bunq?

thijsoost

Patrick The handscan was removed from the bunq app some time ago, not sure why but it's no longer there.

Jan-Aquamarine-Zebra-2830743186

Okay Little „Update“.
Bunq is verifying new logins from unknown devices with an top up from a known bank account or you have to recover your account (which needs an video identification with onfido). I can remember that a verification via email is ADDITIONALLY needed if you recover your account. After account recovery your account is frozen for 24 hours for any changes or outgoing money transfers