I’m lucky my banking app works (GrapheneOS), as it’s now requiring 2FA with the app anytime I login on the browser. Can’t use an actually secure form like TOTP. At least they now allow passwords over 8 characters (yes, serious).

(Meme in comments)

  • sgibson5150@slrpnk.net
    link
    fedilink
    English
    arrow-up
    11
    ·
    9 months ago

    My credit union’s web site looks like a MySpace page. They don’t even offer freaking 2FA. Been meaning to transition to cash management account but such a PITA.

    • bamboo
      link
      fedilink
      English
      arrow-up
      6
      ·
      9 months ago

      I have an account with a larger credit union and their Android app implements onerous rules which some exec must feel makes it more secure, but is just a burden 99.999% of the time. Today I found that the fingerprint login expires after a week of not logging in, requiring the username/password to log in. Annoying but ok, I log in with a username and password. Then it says I need to do MFA and presents 3 options, email, SMS, and app push notification. The UI for app push notification even says “This device”. I selected that one, and the app shows the approve/deny button over the MFA requirement screen.

      So obviously the saved state in the app wasn’t actually expired, since it could still approve MFA requests. So what good is it expiring biometric auth if the app is still authorized to log me in effectively bypassing MFA?

      • DanVctr@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        1
        ·
        9 months ago

        So obviously the saved state in the app wasn’t actually expired, since it could still approve MFA requests. So what good is it expiring biometric auth if the app is still authorized to log me in effectively bypassing MFA?

        I love this and hate this so much