Ideas / TOTP

Bunq should support TOTP.

That is the same OTP Google Authenticator uses.

    @Joshua-Aquamarine-Unicorn#148068 For what exactly? Logging in from other devices? Doesn’t the QR work fine for that?

      @Joshua-Aquamarine-Unicorn#148068 I find the scanning a much more convenient way of doing 2fa.

        @LH-Black-Wolf#148073 For security reasons, of course.

          @Joshua-Aquamarine-Unicorn#148068 Do you mean for bunq Web (bunq.app)?
          I don't see added value for the bunq app, because both (bunq app and the TOTP app) are installed on the same device.

            @Joshua-Aquamarine-Unicorn#148068 I think for initial login TOTP or U2F might be a good addition to the regular password in a world where SIMs with mobile phone numbers are increasingly being swapped out without the victims being able to stop it quickly.

            U2F especially now that it seems to be supported on iPhone via NFC might be a good candidate cross-platform that non-technical users will be able to use as well.

              @Gerhard-Yellow-Frog#148080 Also, right now login is based on a QR code OR a link I get via email.

              That means: Anyone who gets access to the email can log in and make transactions.

              Emails are not encrypted.

              There's a reason I'm not using bunq as my main bank yet and it is (mainly) security concerns.

                @Joshua-Aquamarine-Unicorn#148088 That means: Anyone who gets access to the email can log in and make transactions.

                No, a hacker still needs your 6-digit pin. (You have to enter it after following the link from the email)

                And for bigger transactions they also need your handscan or 5-word passphrase.

                  @pbruins84#148090 Still not the best.

                  Why not an additional factor?

                    @Joshua-Aquamarine-Unicorn#148111 The handscan/passphrase is an additional factor already. 😉

                      @Sander#148127 But not an OTP. 🙄

                        A one time pad is made to be used ONCE. That's why it is a one time pad: even if you get the credentials and the OTP, they will be invalid if already used once.

                          My hand can be scanned while I am sleeping/passed out/dead. Just saying.

                            @Joshua-Aquamarine-Unicorn#148136 So if someone gets access to the email and has the passphrase, they cannot get in.

                              @Christian-Olive-Lion-1183283092#148138 Good point

                                @Christian-Olive-Lion-1183283092#148138 Also, if you hurt yourself and the hand is bleeding, it might prevent you from logging in.

                                  @Joshua-Aquamarine-Unicorn#148142 This is indeed a problem. I had a bike accident and had both hands in bandages. Luckily, making payments was the least of my concerns. But I wonder how inconvenient that is if you need your hands in casts.

                                  Non-biometric secrets are always to be preferred over biometric ones.

                                    @Joshua-Aquamarine-Unicorn#148078 Hardly useful when you keep the bank app and your TOTP-app on the same device anyway. Especially if it were to be incorporated in the same app. In fact, it may lower security. If someone gets a hold of your unlocked device they can do anything, whilst the current setup requires a physical 2nd factor such as your hand.

                                    I love TOTP as a two-factor mechanism, don’t get me wrong. I just don’t see added value in adding it to bunq as a 2FA method at this time.

                                      @LH-Black-Wolf#148145 Sure, the TOTP generator should not be on the same device.

                                        @Christian-Olive-Lion-1183283092#148144 If you are unable to scan your hand, you can still use the passphrase, so that shouldn't be a problem.