It worked for every single card-issuing bank in Europe.
SMS is fortunately both expensive enough there to make it uneconomical for banks to use as an OTP factor, and has been found too insecure for payment authentication by itself, requiring a second factor.
This has practically led to banks offering something more secure and/or ergonomic, e.g. bank-specific authenticator apps (which often work without internet, and always work without cell signal, e.g. when traveling internationally), hardware authenticators, WebAuthN etc.
> Let’s get cellular carriers to make SIM swapping harder.
No, let's get financial companies to step up their game and offer something not liable to both security breaches and locking out users (when traveling, losing access to their number etc.)
I wouldn't generalise an entire continent like that. Both my Bulgarian and Austrian bank accounts have SMS-based 2FA on online transactions and logins. Some banks in Bulgaria allow using eSignatures as 2FA but afaik that has seen tiny adoption in the consumer space.
I don't know about Bulgaria, but in Austria, verification apps are very popular and I don't know many banks that still allow SMS-OTP for e.g. 3DS authentication or online banking transaction confirmation.
No bank is using (only) SMS as an authentication factor for 2FA. It's not allowed under the EBA's technical interpretation of the PSD2 regulation. Some banks do still allow it as a fallback option, together with another factor, e.g. a password or other knowledge factor.
My bank even made it a paid service, which I fully support – SMS is extremely overpriced.
I'm in the UK, so our implementation of the PSD2 regulation may be a bit different (it came in while the UK was leaving the EU), but I get SMS 2FA codes from American Express all the time in the 3D Secure process.
Some banks do still allow SMS by itself as the only authentication factor (presumably because they haven't got around to updating their solution or maybe think they've found a workaround), but it's not compliant with the PSD2 regulation in the EU at least. The solutions I've seen usually use a password or security question as the other factor.
As much as I hate the apps, I'm not prepared to refinance my house just to avoid installing them on my phone. Especially when the other banks probably have the same policies, or will soon.
Accessing TOTP or passwords in the iOS built-in password manager requires someone to (1) have your phone; (2) pass a biometric authentication or a passcode authentication.
My threat model doesn't include Apple or Google, the maker of the operating system. If you assume they could push an update to the built-in password manager, you need to assume they could push a keylogger that exfiltrates both your regular password and the password for your TOTP app.
Fair enough. They're who I'm mostly worried about.
I've got the Google apps in a sandbox, so I think if they pushed such a thing they could only spy on my logins with them.
Not that I have supreme faith in GrapheneOS to keep google in its box on a device that google made, but I do hope that it represents enough friction that I get excluded as an outlier from whatever abuses occur.
Eh. It still makes the credentials rotating credentials instead of permanent credentials. If your username + password + single TOTP value gets stolen, they won't be able to re-auth once that credential gets invalidated.
So say a site accidentally logs auth attempts, and someone finds the log. Sure, they know your username + password now, but they don't know a good current TOTP value. And TOTP values are supposed to be one-time-use, so even if they catch it quick it'll be invalid very fast.
It's better than not having TOTP, but not quite as secure as it could be. Theoretically it's still something you know and something you have, in that it's something you "know", the static password, and something you "have", the rolling TOTP generator.
If the password manager was compromised (not accessed without permission, but updated without permission) then it wouldn't be just the single TOTP value that leaked, it would be the underlying key.
On a mobile device you might be a bit limited in how "distant" you can keep the two, since the vendor is typically almighty in that scenario. But in general, you have options and you might as well avoid keeping both eggs in the same basket.
That's one vector my "not quite as secure as it could be" statement was thinking about. Or if someone just managed to steal your phone and break into it.
But, there are still other attacks that this setup protects against.
Two-factor isn't "two device", two factor is two factors of authentication, where factors are generally:
* something you know (password)
* something you have (key handshake, totp generator)
* something you are (biometrics)
Storing your TOTP secrets next to your hard passwords is putting eggs in the same basket, I agree. But I'd prefer someone do this than just forgo adding TOTP or multi-factor entirely.
And in the end, even if you used two different apps on your phone you're still putting all your eggs in the same basket, which is a trade off tons of people are going to do. Even a lot of very security-conscious users will end up with some TOTP app and a separate password manager, chances are both apps will be installed on the same device. If that device gets thoroughly compromised there's potential for both apps to be attacked and compromised.
If your OS vendor shipping malicious code is a realistic threat to you, or at least attackers being able to impersonate your OS vendor, you're probably going to end up getting compromised even if you split it out into two apps. You'd probably just want to avoid TOTP entirely and move to physical hardware cryptographic tokens.
But it caught on because asking people to install an app is a massive ask. Not to mention, people never save those recovery codes.
Sure, you can use Authy and back up your codes but that’s pretty much squarely in the “for technical people” camp.
So at the end of the day, SMS is the only real solution for your average normal person. Let’s get cellular carriers to make SIM swapping harder.