joshuaRookie
A one time pad is made to be used ONCE. That's why it is a one time pad; even if you get the credentials and the OTP, they will be invalid if already used once.
My hand can be scanned while I am sleeping/passed out/dead. Just saying.
@Joshua-Aquamarine-Unicorn#148136 So if someone gets access to the email and has the passphrase they cannot get in.
@Christian-Olive-Lion-1183283092#148138 Good point
@Christian-Olive-Lion-1183283092#148138 Also, if you hurt yourself and the hand is bleeding it might prevent you from logging in.
@Joshua-Aquamarine-Unicorn#148142 This is indeed a problem. I had a bike accident and had both hands in bandages. Luckily, making payments was the least of my concerns. But I wonder how inconvenient that is if you need your hands in casts.
Non-biometric secrets are always to be preferred over biometric ones.
@Joshua-Aquamarine-Unicorn#148078 Hardly useful when you keep the bank app and your TOTP-app on the same device anyway. Especially if it were to be incorporated in the same app. In fact, it may lower security. If someone gets a hold of your unlocked device they can do anything, whilst the current setup requires a physical 2nd factor such as your hand.
I love TOTP as a two-factor mechanism, don’t get me wrong. I just don’t see added value in adding it to bunq as a 2FA method at this time.
@LH-Black-Wolf#148145 Sure, the TOTP generator should not be on the same device.
@Christian-Olive-Lion-1183283092#148144 If you are unable to scan your hand, you can still use the passphrase, so that shouldn't be a problem.
@Christian-Olive-Lion-1183283092#148138 you probably have way bigger problems then... But still, when you're dead or something you'd still need your six digit code, which should be stored solely in your brain. That's the killing barrier for intruders in that case. It's about the principle to have something you know, something you own, etc. A bleeding hand won't necessarily stop the handscan from working. As long as it can find your fingerprints then you're good to go.
Totally agree, TOTP should be supported rather soon!
Mobile providers are totally incompetent when it comes to filtering SMS messages; identifying where they come from, filtering/blocking illegitimate senders.
Then there is SIM-swap, of which I'm not sure whether it is something that is an issue in NL/Europe, but it is in the US, basically making it possible for someone else to take over your number.
Really, SMS should not be used in MFA! Understand that for the foreseeable future it cannot be phased out, but people should have a choice to switch to TOTP; Authy/Google/Microsoft/other authenticators.
bunq, please implement this!
@Jonathan-Indigo-Akita#152469 SMS is not one of the additional factors, it's only used to verify your phone number, such that you can use it as a "login name". Same as verifying your email address on a forum (or actually, the bunq app also verifies your email address that way). bunq uses passphrase / handscan as additional factors. 🙂
@pbruins84#148090 I think you miss the point...
@Sander#152492
Yes, the way I wrote it isn't accurate, when I mentioned it as SMS being part of MFA, thanks for the correction! However, during sign-up/re-installation it seems I cannot install bunq without a working mobile number, which is actually super annoying, it is actually partially used as a login method and showing my 'nick' name when submitting the received SMS verification code.
I would rather be prompted with a dedicated account, or email verification + TOTP, but definitely not a phone number.
It only makes sense to verify the mobile number with an SMS, when I add it to my profile as part of either a verification or communication method.
So bunq, please get rid of the mobile phone number requirement, it doesn't make sense in the 21st century.
@Freek#148077
I find the hand recognition pretty lame and changed the preferred method to passphrase because it often didn't work. Apparently my hands are rapidly changing since I entered my 40s.
@Bastiaan#148079
It's definitely a good extra. The authenticator app should be behind your fingerprint or FaceID as well. You would use it on top of your passphrase and without any phone number it gives you the flexibility to log in on any device on which the bunq app can be installed.
That better ties in with the 'bank of the free'!
@Jonathan-Indigo-Akita#152601 I've never had a hand scan fail.
@Sander#148127 But the handscan isn’t there in all cases, is it?
In which cases does the handscan exist?
Is there any documentation on how authentication works in bunq?
@Jan-Aquamarine-Zebra-2830743186#267112 The handscan was removed from the bunq app some time ago, not sure why but it's no longer there.
Okay, little "update".
bunq is verifying new logins from unknown devices with a top-up from a known bank account, or you have to recover your account (which needs a video identification with onfido). I can remember that a verification via email is ADDITIONALLY needed if you recover your account. After account recovery your account is frozen for 24 hours for any changes or outgoing money transfers.