MichelRookie
As a user, and especially on a business account, I want to be able to enforce more levels of security:
- Present a hardware token (like a YubiKey), either always or as a backup for the phone (when the phone has no connection, for example, or is not with you)
- Use that hardware key on the phone as well (using WebAuthn it could also be a password manager app or similar)
- Be able to set policies on logins/transactions, like "when holiday mode is off and initiating from outside NL, supply a stronger physical factor like a hardware token as well"
- Restrict business account access, or transactions above a configurable threshold amount, to the key
- When enrolling a new device, always require TOTP or MFA (not insecure SMS or email only)
PS. I did see the https://together.bunq.com/d/25630-totp post. This is a more generic and broader request.
Look at cloud and enterprise security as an IT company, which bunq is as well, and I think that without 'policies and least privilege' support on access/access methods/factors bunq is missing a part of the security future.
Although using the phone to access the web is in itself arguably more secure than those with username/password-only accounts.
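A step-up authentication policy evaluator modelled on the rules listed in the post, as an added example and not bunq's own code or API: the factor names and ranks, the home country, the business threshold and the request fields are assumed values.

```python
"""Constructed example: a step-up policy evaluator for login, transaction and
device-enrolment requests. Factor names, ranks and thresholds are assumptions."""
from dataclasses import dataclass, field

# Relative strength of each authentication factor (higher is stronger).
# SMS and email rank lowest, so they can never satisfy an MFA requirement alone.
FACTOR_RANK = {"sms": 0, "email": 0, "phone_app": 1, "totp": 2, "hardware_key": 3}

@dataclass
class Policy:
    home_country: str = "NL"
    business_threshold: float = 1000.0   # amount above which a key is required
    always_require_key: bool = False     # hardware key on every request

@dataclass
class Request:
    action: str                          # "login", "transaction" or "enroll_device"
    country: str                         # country the request was initiated from
    business: bool = False
    holiday_mode: bool = False
    amount: float = 0.0
    factors: set = field(default_factory=set)  # factors presented so far

def required_rank(req, policy):
    """Return (minimum factor rank, reason) for this request under the policy."""
    if req.action == "enroll_device":
        return FACTOR_RANK["totp"], "device enrolment: TOTP or hardware key, never SMS/email only"
    if policy.always_require_key:
        return FACTOR_RANK["hardware_key"], "policy: hardware key always required"
    if not req.holiday_mode and req.country != policy.home_country:
        return FACTOR_RANK["hardware_key"], "initiated outside home country with holiday mode off"
    if req.business and req.action == "transaction" and req.amount > policy.business_threshold:
        return FACTOR_RANK["hardware_key"], "business transaction above threshold"
    return FACTOR_RANK["phone_app"], "baseline: enrolled phone app (hardware key accepted as backup)"

def evaluate(req, policy):
    """Return (allowed, reason). Allowed when the strongest presented factor meets
    the required rank, so a hardware key also works as a backup for the phone app."""
    needed, reason = required_rank(req, policy)
    presented = max((FACTOR_RANK.get(f, -1) for f in req.factors), default=-1)
    return presented >= needed, reason

if __name__ == "__main__":
    pol = Policy()
    r = Request("transaction", "DE", business=True, amount=5000, factors={"phone_app"})
    print(evaluate(r, pol))  # prints (False, 'initiated outside home country with holiday mode off')
```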