Bunq web iDEAL compatibility

Frank-Maroon-Eagle

Kwintijn The laptop isn’t authenticated like your phone is. The web login works with any browser on any computer. For compliant 2FA, two different factors from two different categories out of inheritance, knowledge, or possession are necessary. Unlocking a laptop with a passcode doesn’t make the laptop a valid factor in the category possession. The factors need to be independent and can’t be derived from each other.

Frank-Maroon-Eagle

Frank Having said this, if the user logged in via registered email and the magic link, it’s 2 factors.

Kwintijn-Maroon-Penguin

Frank For as far as I understand a computer first needs to be authenticated using the passcode from the app, AND through a verification email, which can't be entered using the app passcode

Frank-Maroon-Eagle

Kwintijn That’s right. It’s still extremely weak and vulnerable for phishing attacks. State of the art 2FA should use at least one factor that’s harder to obtain. Like software generated time based tokens or, even better, hardware generated tokens. I would consider a system based on email and rigid passcode not safe enough for a banking environment.

LH-Black-Wolf

Frank You’re pretty much always vulnerable to phising and social engineering. There’s no escaping that without killing UE. I’d prefer logging in with a password though and do confirmations either through scanning QR with phone or with txt message verification. (Yeah yeah that’s not considered overly secure, but it still beats email in most generic cases.)

pbruins84

Kwintijn In welke situatie zou dat meerwaarde bieden?

Frank-Maroon-Eagle

LvH Well, sure. The greatest risk is the user itself. 2FA can be relatively secure without „killing“ UX. And with a web interface available, phishing attempts will increase.

DaveFlash

i really like this idea as well, and instead having to grab a mobile device, let us set a new, secondary 6-digit pin for transaction approval in general (which can also be used in the app if biometrics fail due to a dirty sensor or camera or some such), that is separate from the login code. that way, you can use that pin to verify ideal payments online. or any other payments for that matter.

Delano

DaveFlash Like the pass phrase?

LH-Black-Wolf

DaveFlash I can dig that idea :) Would prefer custom code though with option to be alphanumeric. Make 6-digits minimum, but not maximum.

DaveFlash

Délano No, stand alone from the passphrase.

DaveFlash

LvH yes exactly