I’m lucky my banking app works (GrapheneOS), as it’s now requiring 2FA with the app anytime I login on the browser. Can’t use an actually secure form like TOTP. At least they now allow passwords over 8 characters (yes, serious).

(Meme in comments)

  • bamboo
    link
    fedilink
    English
    arrow-up
    6
    ·
    10 months ago

    I have an account with a larger credit union and their Android app implements onerous rules which some exec must feel makes it more secure, but is just a burden 99.999% of the time. Today I found that the fingerprint login expires after a week of not logging in, requiring the username/password to log in. Annoying but ok, I log in with a username and password. Then it says I need to do MFA and presents 3 options, email, SMS, and app push notification. The UI for app push notification even says “This device”. I selected that one, and the app shows the approve/deny button over the MFA requirement screen.

    So obviously the saved state in the app wasn’t actually expired, since it could still approve MFA requests. So what good is it expiring biometric auth if the app is still authorized to log me in effectively bypassing MFA?

    • DanVctr@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      1
      ·
      10 months ago

      So obviously the saved state in the app wasn’t actually expired, since it could still approve MFA requests. So what good is it expiring biometric auth if the app is still authorized to log me in effectively bypassing MFA?

      I love this and hate this so much