Suggestion: support WebAuthn/hardware keys

As a user and especially on a business account I want to be able to enforce more levels of security:

  1. Present a hardware token (like a YubiKey) either always or as a backup for the phone (when the phone has no connection, for example, or is not with you)
  2. Use that hardware key on the phone as well (using WebAuthn it could also be a password manager app or similar)
  3. Be able to set policies on logins/transactions, like "when holiday mode is off and initiating from outside NL, supply a stronger physical factor like a hardware token as well"
  4. Restrict business account access or transactions above a configurable threshold amount to the key.
  5. When enrolling a new device, always require a TOTP or MFA (not insecure SMS or email only)

PS. I did see the https://together.bunq.com/d/25630-totp post. This is a more generic and broader request.

Look at cloud and enterprise security as an IT company, which bunq is as well, and I think without 'policies and least privilege' support on access/access methods/factors bunq is missing a part of the security future.
Although using the phone to access the web in itself is arguably more secure than those with only username/password accounts.
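The policy rules in the list above (always-on hardware key, key as phone backup, holiday mode and home country, business threshold amount, strong factor for device enrollment) can be expressed as one small step-up authentication evaluator. This is an added example written for this thread, not code from bunq or from the poster; the factor names, the `Policy`/`Context` fields and the `NL` home-country default are assumptions chosen to mirror the five points.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Set


class Factor(str, Enum):
    PHONE_APP = "phone_app"        # possession of the enrolled phone
    TOTP = "totp"                  # authenticator-app one-time code
    HARDWARE_KEY = "hardware_key"  # WebAuthn/FIDO2 authenticator (e.g. a YubiKey)
    SMS = "sms"                    # weak: never counts towards a requirement
    EMAIL = "email"                # weak: never counts towards a requirement


WEAK_FACTORS = {Factor.SMS, Factor.EMAIL}


@dataclass(frozen=True)
class Context:
    """What we know about the request being authorised (constructed fields)."""
    account_type: str          # "personal" or "business"
    action: str                # "login", "transaction" or "enroll_device"
    amount: float = 0.0        # only meaningful for "transaction"
    country: str = "NL"        # country the request originates from
    holiday_mode: bool = False
    phone_reachable: bool = True


@dataclass(frozen=True)
class Policy:
    """User- or account-level settings (assumed names)."""
    always_require_key: bool = False              # point 1, "always" variant
    key_threshold_amount: Optional[float] = None  # point 4, business accounts
    home_country: str = "NL"                      # point 3
    key_abroad_unless_holiday: bool = True        # point 3


def required_factors(policy: Policy, ctx: Context) -> Set[Factor]:
    """Return the set of factors that must all be presented for this request."""
    required = {Factor.PHONE_APP}

    # Point 5: enrolling a new device always needs a TOTP/MFA factor on top.
    if ctx.action == "enroll_device":
        required.add(Factor.TOTP)

    # Point 1 ("always"): the hardware key is mandatory on every request.
    if policy.always_require_key:
        required.add(Factor.HARDWARE_KEY)

    # Point 3: outside the home country with holiday mode off -> stronger factor.
    if (policy.key_abroad_unless_holiday and not ctx.holiday_mode
            and ctx.country != policy.home_country):
        required.add(Factor.HARDWARE_KEY)

    # Point 4: business transactions above the configured threshold need the key.
    if (ctx.account_type == "business" and ctx.action == "transaction"
            and policy.key_threshold_amount is not None
            and ctx.amount > policy.key_threshold_amount):
        required.add(Factor.HARDWARE_KEY)

    # Point 1 ("backup"): phone unreachable -> the key stands in for the phone.
    if not ctx.phone_reachable:
        required.discard(Factor.PHONE_APP)
        required.add(Factor.HARDWARE_KEY)

    return required


def authorize(policy: Policy, ctx: Context, presented: Set[Factor]) -> bool:
    """True only if every required factor was presented; SMS/email never count."""
    strong = set(presented) - WEAK_FACTORS
    return required_factors(policy, ctx) <= strong


if __name__ == "__main__":
    biz = Policy(key_threshold_amount=1000.0)
    big_payment = Context("business", "transaction", amount=5000.0)
    print(required_factors(biz, big_payment))
    print(authorize(biz, big_payment, {Factor.PHONE_APP}))
    print(authorize(biz, big_payment, {Factor.PHONE_APP, Factor.HARDWARE_KEY}))
```

The evaluator only ever adds factors; no rule can lower the requirement below the phone factor, and the weak channels are filtered out before comparison so that an SMS-only enrollment can never satisfy point 5.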

    @New-Olive-Goat-3322534765#270384 Well, no. 5 could be a pretty easy one. I would like to see an option that new devices are NOT authorized before you approve them on an already trusted device (or enter a pre-shared backup key).
    It wouldn't be anything more than a small pop-up on your phone:
    "Hey bunqer, the device XYZ wants to connect to your account: ADMIT or DENY"

      @New-Lilac-Sloth-1702461962#270391 Indeed. Thanks for the feedback.

      That (#5) can indeed be done like you say. Hope bunq will pick up these sorts of ideas.

      Limiting the number of pop-ups for that purpose in a timeframe is however something to consider, preventing a malicious actor from flooding the system and you(r phone) with pop-ups, increasing the chance you press agree (by mistake/to get rid of it).

      Once you have the MFA stuff developed and in a security token exchange under the hood (like OIDC/JWT), the rest can be incrementally added quite easily as well.
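The concern raised above, that a flood of "device XYZ wants to connect" pop-ups raises the chance of an accidental ADMIT, is usually addressed with a per-account throttle on approval prompts. Below is an added example of such a gate, written for this thread and not code from bunq or from either poster; the limits (3 prompts per 10 minutes, a 1 hour cooldown) and the decision labels are assumed values chosen for illustration.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, Set

# Possible outcomes of asking to show an ADMIT/DENY pop-up for a new device.
PROMPT = "prompt"          # show the pop-up on the trusted device
DUPLICATE = "duplicate"    # that device already has a pending prompt: do not re-notify
THROTTLED = "throttled"    # too many prompts in the window: no pop-up, flag for review


@dataclass
class AccountState:
    prompt_times: Deque[float] = field(default_factory=deque)  # sliding window
    pending: Set[str] = field(default_factory=set)              # devices awaiting a decision
    throttled_until: float = 0.0                                # monotonic timestamp


class ApprovalPromptGate:
    """Per-account limit on new-device approval pop-ups (assumed defaults)."""

    def __init__(self, max_prompts: int = 3, window: float = 600.0,
                 cooldown: float = 3600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_prompts = max_prompts
        self.window = window
        self.cooldown = cooldown
        self.clock = clock  # injectable so the behaviour can be tested offline
        self.state: Dict[str, AccountState] = defaultdict(AccountState)

    def request_prompt(self, account_id: str, device_id: str) -> str:
        """Decide whether a pop-up may be shown for device_id on this account."""
        now = self.clock()
        st = self.state[account_id]

        if now < st.throttled_until:
            return THROTTLED
        if device_id in st.pending:
            return DUPLICATE

        # Forget prompts that have fallen out of the sliding window.
        while st.prompt_times and now - st.prompt_times[0] > self.window:
            st.prompt_times.popleft()

        if len(st.prompt_times) >= self.max_prompts:
            # Flood detected: stop prompting for the cooldown period and withdraw
            # the outstanding prompts so a fatigued user cannot admit one by mistake.
            st.throttled_until = now + self.cooldown
            st.pending.clear()
            return THROTTLED

        st.prompt_times.append(now)
        st.pending.add(device_id)
        return PROMPT

    def record_decision(self, account_id: str, device_id: str, approved: bool) -> bool:
        """Apply the user's ADMIT/DENY; returns True only for a valid, approved prompt."""
        st = self.state[account_id]
        if device_id not in st.pending:
            return False  # stale, withdrawn or never-issued prompt: ignore the answer
        st.pending.discard(device_id)
        return approved

    def is_throttled(self, account_id: str) -> bool:
        return self.clock() < self.state[account_id].throttled_until


if __name__ == "__main__":
    gate = ApprovalPromptGate()
    for dev in ("dev-a", "dev-b", "dev-c", "dev-d"):
        print(dev, gate.request_prompt("acct-1", dev))
```

Once an account is throttled the user still has the thread's other path, approving from an already trusted device or with a pre-shared backup key, and the throttle event itself is the signal a security team would want logged.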

        I think that's a great suggestion. Now with iOS 16 Apple introduced Passkeys and this will hopefully help WebAuthn get more popular and accessible for many people. 1Password as one of the most popular password managers also joined the FIDO alliance, so before long I think all password managers on many platforms will give users easy access to features like this. And advanced users can use the hardware tokens that they're already using today.

        Of course it's probably also a question from a regulatory perspective, not sure how this fits in there. The regular authentication and two-factor authentication system of bunq are quite complex for a reason: to make it as frictionless as possible for a normal user with regular "means" while also providing great security. But I think there is a place there for even more advanced security measures.
