The banking situation
What @Emphrath describes sounds like similar recent requirements I got for Government Cloud related security access where SMS is not acceptable anymore for 2FA: https://www.okta.com/resources/whitepaper/configuring-okta-for-fedramp-compliance/
Some colleagues mentioned banks will have to transition soon/one day
Edit: see table at the top of the following page, SMS is considered "moderate" security: https://www.okta.com/resources/whitepaper/configuring-okta-for-fedramp-compliance/
@cliffcoggin Well actually that's what I'm going for in the discussions with my bank now, but they seemed to imply something truly scornful like: "this is for old people" and also it seems it works only for checking your bank account. I'll look into other banks. @Flo This kind of secure environment surely can be replicated in UT, no?
Fla last edited by Fla
I am facing a similar situation. I created an account in a bank and then received a letter asking me to download the HID Approve application on the Play Store or App Store.
I am then supposed to scan the QR code they send me to initiate the app, which will then give me a code each time I want to access my bank account.
Interestingly, they also gave me an ID, a code invitation and the "Service Address" which is taurus.pbgate.services:443/HIDCAF in case of "Manual synchronization".
Here is the content of the QR code btw:
I searched a bit and found this gnome app which proposes a lot (probably around 500) of providers (@Emphrath maybe yours is in). Unfortunately, no trace of my bank or "HID".
Still, as I have the information to connect to the server, I feel like something can be done from our side to solve this problem.
@fla sadly, no qr code for me. Just the bloody app.
AppLee last edited by
Bank apps probably use TOTP or HOTP that should be no secret to give us (customers) an alternative way to generate this one-time-password so we can configure Authenticator-NG accordingly.
If I'm correct HOTP uses Android secure environment so this might be an issue for us.
But compliant solutions exist that we can use on UT, banks just don't like to be transparent about the technical solution they use.
@applee But the thing is they don't have to release any code at all ! I guess you can publish proprietary software on the openstore, can't you ?
@emphrath You could, yes. At least we would find a way, there is no technical limitation.
@cliffcoggin EU made it so that banks can choose which 2FA they offer. Some German banks still deliver physical devices as an alternative (which you have to pay), then my house bank still uses SMS.
But 95% of all banks in Austria moved to Android/iOS Apps, they are the cheapest form for them, no device, no SMS to pay for. The user pays for himself basically
So I must say, I cannot really change to another bank, and hope that mine will not stop SMS codes soon...
Josele13 last edited by Josele13
Is it possible that Morph can connect to a 2FA authentication key to validate with the bank?
Or would the banks not accept it?
Wouldn't it be possible for banks to do this the same way so many sites do? We have two authenticator apps on the store for UT, they work fine for Mozilla, Google, and other sites that do 2FA.
I'm able to use my bank's website through Morph to do my banking without issue.
@giiba Somebody told the banks that if it's not executed in a trusted, secured environment it's not safe. So, a web TOTP or whatever will not be accepted. And they have a point with that. The Secure Execution Environment in Qualcomm SoCs is much better than doing nothing. Also signed app, signed OS, signed everything xD
@flohack well, after some calls with my bank it seems I'm going with one of these physical gadgets ^^
Fla last edited by
@domubpkm I didn't find the list either, but I still have the app installed, tell me the one you are looking for and I'll confirm to you if it's there.