• oldfart@lemm.ee
    link
    fedilink
    English
    arrow-up
    11
    ·
    10 days ago

    My bank prides itself being the first in the country to support yubikeys for 2fa. I was so happy until i learned it’s just for logging in, transactions are still confirmed by SMS or their app. And security experts all say it’s better this way, using a regular 2fa solution would be insecure because you wouldn’t know what you’re confirming.

    There really is no hope.

      • oldfart@lemm.ee
        link
        fedilink
        English
        arrow-up
        4
        ·
        9 days ago

        I’m not defending that madness, but that device doesn’t show who is the recipient. The argument was that this is protection against phishing sites pretending to be a bank, proxying your connection but sending it to a different recipient.

        Makes one wonder how much the user has to fuck up to end in such a scenario, and of it’s really worth transmitting everyone’s financial data in almost plain text over the air for this