bunq Together

TOTP

Joshua-Aquamarine-Unicorn

Bunq should support TOTP.

That is the same OTP Google Authenticator uses.

LH-Black-Wolf

joshua For what exactly? Logging in from other devices? Doesn’t the QR work fine for that?

Freek

joshua I find the scanning a much more convenient way of doing 2fa.

Bastiaan

joshua Do you mean for bunq Web (bunq.app)?
I don't see added value for the bunq app, because both (bunq app and the TOTP app) are installed on the same device.

Gerhard-Yellow-Frog

joshua I think for initial login TOTP or U2F might be a good addition to the regular password in a world where SIMs with mobile phone numbers are increasingly being swapped out without the victims being able to stop it quickly.

U2F especially now that it seems to be supported on iPhone via NFC might be a good candidate cross-platform that non-technical users will be able to use as well.

Joshua-Aquamarine-Unicorn

LvH For security reasons, of course.

Jonathan-Indigo-Akita

Freek
I find the hand recognition pretty lame and changed the preferred method to passphrase because it often didn't work. Apparently my hands are rapidly changing since I entered into 40's.

LH-Black-Wolf

joshua Hardly useful when you keep the bank app and your TOTP-app on the same device anyway. Especially if it were to be incorporated in the same app. In fact, it may lower security. If someone gets a hold of your unlocked device they can do anything, whilst the current setup requires a physical 2nd factor such as your hand.

I love TOTP as a two-factor mechanism, don’t get me wrong. I just don’t see added value in adding it to bunq as a 2FA method at this time.

Jonathan-Indigo-Akita

Bastiaan
It's definitely a good extra. The authenticator app should be behind your fingerprint or FaceID as well. You would use it on top of your passphrase and without any phone number it gives you the flexibility to login to any device which the bunq app can be installed on.
That better ties in with the 'bank of the free'!

Joshua-Aquamarine-Unicorn

Gerhard Also, right now login is based on a QR code OR a link I get via email.

That means: Anyone who gets access to the email can login and and make transactions.

Emails are not encrypted.

There's a reason I'm not using bunq as my main bank yet and it is (mainly) security concerns.

pbruins84

joshua That means: Anyone who gets access to the email can login and and make transactions.

No, a hacker still needs your 6-digit pin. (You have to enter it after following the link from the email)

And for bigger transactions they also need your handscan or 5-word passphrase.

Joshua-Aquamarine-Unicorn

Peter B Still not the best.

Why not an additional factor?

confiq

Peter B I think you misses the point...

Sander

joshua the handscan/passphrase is an additional factor already. 😉

Joshua-Aquamarine-Unicorn

Sander But not an OTP. 🙄

Jan-Aquamarine-Zebra-2830743186

Sander But the handscan isn’t there in all cases is it ?
In wich cases the handscan is existing ?

Is there any documentation how authentification works in bunq?

Joshua-Aquamarine-Unicorn

A one time pad is made to be used ONCE. That's why it is a one time pad, even you get the credentials and the OTP, they will be invalid if already used once.

Joshua-Aquamarine-Unicorn

joshua So if someone gets access to the email and have the passphrase they cannot get in.

Christian-Olive-Lion-1183283092

My hand can be scanned while I am sleeping/passed out/dead. Just saying.

Joshua-Aquamarine-Unicorn

Christian Good point

Joshua-Aquamarine-Unicorn

Christian Also, if you hurt yourself and the hand is bleeding it might prevent you from logging in

Sander

Christian you probably have way bigger problems then... But still, when you're dead or something you'd still need your six digit code, which should be stored solely in your brain. That's the killing barrier for intruders in that case. It's about the principle to have something you know, something you own, etc. A bleeding hand won't necessarily stop the handscan to work. As long as it can find your fingerprints then you're good to go.

Christian-Olive-Lion-1183283092

joshua This is indeed a problem I had a bike accident and had both hands in bandages. Luckily, making payments was the least of my concerns. But I wonder how inconvenient that is if you need your hands in casts.

Non-Biometric secrets are always to be preferred over biometric ones.

pbruins84

Christian If you are unable to scan your hand, you can still use the passphrase, so that shouldn't be a problem.

Joshua-Aquamarine-Unicorn

LvH Sure, the TOTP generator should not be on the same device.