Hacker News new | past | comments | ask | show | jobs | submit login

Is there no 2FA? Why is there a password field at all on an online banking page?



Most transactions require an OTP to successfully complete, you also get notifications whenever a login to your account is performed.

I think it would probably be a good idea to have some sort of separate 2FA device linked at home but I doubt they'll ever implement it. You would want it separate to your phone because if your wallet and phone get stolen you can login to the online banking account and deactivate your stolen cards without having to go to the bank.


If the phone has a PIN or similar (I realize not everyone has) and the 2FA app has a pin/password, then that does seem like a reasonable level of security.


No, because getting your phone and wallet stolen (they are likely to both be on your person so both would likely be stolen at the same time) means you couldn't then log on to online banking and deactivate your credit cards (which you would want to do as soon as possible)

Edit: Just to clarify a bit more, most cards here have a tap and go function requiring no PIN up to a certain amount. Although the amount is small I'd still rather have it that no one spends my money.


That's a good point. I have done it a few times and it can be done quickly by phone at least.


Do you mean logging in with a one-time code instead of a password? It might be more secure than a password, but it's still only one "factor".


No I mean a physical thing like those little number generators that banks have had for what 20 years now, or the smartphone 2FA apps that we have used for at least 15 years.

I don't enter either a regular password nor one-time password for anything (not for transactions, not for login). I only use an identifying mechanism on a second device (a smartphone or a dedicated device). The secondary device has an 8digit pin though, so if it is stolen then it's not (immediately) compromising the security.


Yeah that is a one-time code. It's in the name: https://en.wikipedia.org/wiki/Time-based_One-time_Password_a... And again, if you use only this to log in, it's not two-factor authentication because it's only one factor. You'd have to combine it with something else (like a password or a fingerprint) to have two factors.


The rsa OTP-digit generator thing is an OTP, but what about signing with a device that doesn't generate a visible OTP? My authenticator app just asks me to produce my pin into the smartphone app and then the waiting transaction completes automatically in the computer web browser.

I suppose it could be an OTP too, but just not "manually entered"?

Is there a name for this type of authentication? It's just one factor but I do it on a separate device I mean.


Oh I see. Yeah Microsoft's authenticator app can do that, but they use it as a second factor. I don't know the details but I'd guess that it's not time-based but some kind of challenge.

Another option is Tumblr's "magic link", where they email you a link that logs you in. That's one of the few places I've seen something like that used as a single factor.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: