The Convenience Trap: Why Seamless Banking Access Can Turn 2FA into 1FA

blog.opencore.ch

・

66 points

・

ocrb

・

2 days ago

63 comments

deredede ・ 2 days ago

The article starts with this description of 2FA:

> an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more distinct types of evidence (or factors) to an authentication mechanism.

and concludes with (emphasis mine):

> For the average user, the smartphone has become a single point of failure, where the theft of one device and one piece of knowledge (the passcode) can lead to total financial compromise.

Looks like 2FA to me, not 1FA.

hn_throwaway_99 ・ 2 days ago

Furthermore, these days I enter the passcode on my phone very rarely (Android requires it after restarting the device or after some amount of time) - normally I use biometric authentication.
The linked WSJ article is a bit hyperbolic and typical journalism overreach by calling it an Apple "security vulnerability", which is bullshit IMO. If you watch the interview with the guy in jail, the main method by which he got people's security code is he asked them. That is, he would tell people he had drugs to sell them and wanted to give them info, so he would get their phone and ask them for their code to unlock it.
At least the WSJ report is honest when it says "The biggest loophole: You".
tialaramex ・ 2 days ago

Also in-person theft is both something our civilisation understands and has adapted to, and it does not scale. So it's never going to be a problem the way say password re-use is or many other maladies from the use of "passwords" for online security.
oytis ・ a day ago

Compromising the smartphone can let you get the password though, making it one factor. It would be more 2FA if you entered password on one device and used another (Yubikey, physical totp token) as a second factor.
2716057 ・ 2 days ago

The issue I'm having with this sort of "something you own and something you know/are" two-factor authentication is that it has some potential to cause violence - both can be beaten out of you: https://www.citizen.co.za/network-news/lnn/article/banking-a...
- true_religion ・ 2 days ago
  
  This is true with 1FA too. 2FA is more effective at stopping the case where you're hacked and you don't even know it because your password was in a leak.
- Leszek ・ 2 days ago
  
  What can't though?
  
  2716057 ・ 2 days ago
  ・ 4 more
  
  A TAN generator or security key stored in a drawer at home. At least it reduces the opportunities for theft since people don't carry these devices with them all the time as opposed to their phones. Opportunity makes the thief.
  
  frollogaston ・ a day ago
  
  Idk how this would play out, they might force you to go get that
  
  em-bee ・ a day ago
  
  if i have to use it every time i want to make a payment, then i have to carry it with me,
  
  j-bos ・ 2 days ago
  
  Yeah I often think the issue with cash and crypto is that it can be easily forced away from an individual by any sufficienty armed and unscrupulous party. Money in a financial institution tends to have an upper limit on what could be forced away in a single act, or at least a single transction cycle.
  
  fakedang ・ a day ago
  
  Staying anonymous. For every single multimillionaire or billionaire out there flaunting their wealth, there is another who's equally secretive about it. There are many folks with tens of billions in assets who don't make their wealth part of their brand.
  Like that guy in Texas whose estate paid billions in tax when he passed away.
  
  undefined ・ a day ago
  
  [deleted]

alistairSH ・ 2 days ago

For instance on an iPhone, you can register a new face for FaceID if you know the passcode.

I stopped here... at least on iPhone, this doesn't work. When a new face is scanned into FaceId, all apps using that FaceId are supposed to (forced to?) re-authenticate.

Shank ・ 2 days ago

You’re basically correct that apps can use a special mode where they require Face ID to be re-enrolled if anything changes about the credential store. Technically speaking it’s opt-in, but most banking apps use this mode.

jpc0 ・ 2 days ago

Shoulder surfing a passcode isn’t failure of two factor back down to a single factor.

This would be the same as shoulder surfing your card pin and then stealing or cloning your card. There were two factors, the attacker just has access to both.

They needed an authenticated app and the pin at that point which is two factors. Because both are related to your iPhone means nothing, both your card’s pin and your card are related to your card and both can be compromised by the exact same attack with the exact same consequences.

AshamedCaptain ・ 2 days ago

On Android at least, even if you know a device's PIN and can add new fingerprints, doing so will cause all apps to reject all future fingerprint authentication attempts (and force you to go through a manual reenrolling process that will require another type of authentication, which depends on the bank).

It makes the conclusions of types 1 and 4 very different.

pxeger1 ・ 2 days ago

This is not a compelling argument that 2FA is reduced to 1FA. You need either: something you have (phone) and something you are (face), OR something you have (phone) and something you know (passcode). In either case, there are still two factors. For a criminal to perform shoulder surfing and theft, more things must go right for them than to do either individually.

wintermutestwin ・ 2 days ago

> something you have (phone) and something you are (face), OR something you have (phone) and something you know (passcode).
Thank you for breaking it down like this. The bottom line is that if you don’t have your phone, you can’t access your accounts. That is a massive risk factor - particularly while traveling. That tells me that passkeys and password managers are not a viable security solution.
- rkrisztian ・ 2 days ago
  
  Exactly, your phone can break or get stolen any time. Plus I just don't want to limit myself to a single device.
  
  okanat ・ 2 days ago
  
  Unfortunately in Germany almost all banks force you to use an unmodified phone (so no de-Googled) Android as the 2FA. There are other solutions like code generators but they require extra payment.
  
  zarzavat ・ 2 days ago
  ・ 5 more
  
  Buy an older iPhone for ~$150. Install financial apps on it and don't use it for anything else. Keep it in a safe place, only carry it around if you must.
  If you need to manage non-trivial amounts of money through your phone, having a specific device to do that is a no-brainer.
  
  frollogaston ・ 2 days ago
  ・ 4 more
  
  Is the risk that someone's going to steal my phone, forcibly hold it to my face, and wire my money somewhere? So far I've known two close friends who got mugged, the robber didn't think of this. Last time I tried intentionally wiring a large amount of money to someone, it took forever and involved tons of approval.
  
  zarzavat ・ a day ago
  ・ 3 more
  
  It's common in London, phones are being stolen for the access to financial accounts, not the value of the phone itself. They steal the phone out of your hands while it is unlocked. For example:
  https://www.bbc.com/news/articles/cy8y70pvz92o.amp
  I'm not sure exactly how they get around security features, perhaps by social engineering customer support, if they have enough PII.
  
  Yeul ・ a day ago
  ・ 2 more
  
  Uhm yeah in order to actually wire money in my banking app I need to input a fingerprint. Smart people developed these apps banks are not stupid.
  Obviously people can still kidnap you and torture you but that's no different from before smartphones.
  
  frollogaston ・ 20 hours ago
  
  Maybe if it's a random Android phone with Cash App
fsflover ・ 2 days ago

If your phone is compromised, a single password entry gives hackers full access. How is this not 1FA?
- toast0 ・ 2 days ago
  
  Phone is something they have, password is something they know, once you tell them.
  
  fsflover ・ 2 days ago
  ・ 4 more
  
  Imagine somebody owned your phone remotely. Aren't you immediately screwed? This is something I don't expect from 2FA.
  
  toast0 ・ 2 days ago
  ・ 3 more
  
  Depends on details... I might not be screwed until I need to auth for something, at which point the auth is captured and I'm screwed.
  
  fsflover ・ 2 days ago
  ・ 2 more
  
  And you do need to do it from time to time. So it's only 2FA against some threats, not necessarily most important ones for ordinary users.
  
  toast0 ・ 2 days ago
  
  If what you have (phone) and what you know (authentication) are both stolen, 2FA didn't keep your account secure. But it was still 2FA. They had to steal two things. Same as if it's a user entered OTP code, and you put your password into the phishing site, and then put your OTP code into the phishing site too; 2FA didn't help you, but it was still 2FA.

nerdjon ・ 2 days ago

> Thieves actively exploit this by “shoulder surfing” a victim’s iPhone passcode before stealing the device

If someone is using biometrics how often are they really using their pin that this would at all be a valuable tactic? I very rarely actually need to enter my pin on my phone so this largely seems like a moot point?

Like yeah it is still technically possible but if we really get down to it, if someone were to get learn the pin than passkey is equally worthless since they could also use my phone then to authenticate anything passkey. Fairly surprised that software based passkeys are just skipped here since I doubt most people are using hardware based passkeys, particularly on mobile devices.

I think there is a bigger (not just banking) discussion to be had about what can be done your phone's pin. But with the convenience of biometrics set an actually strong password for your phone instead of a 4 or 6 digit code.

FuriouslyAdrift ・ 2 days ago

I use a PIN to unock because of legal rulings as you cannot be compelled to give your PIN (5th Amendment applies because it's "testimonial") but you can be compelled to use biometrics (5th does not apply).
Individual apps I use biometrics except on reboot if they support that.
frollogaston ・ 2 days ago

FaceID only works like half the time on me. Really want the fingerprint unlock back. The thing is, to get into Chase, you need my long Chase password OR my Face ID. Can't just use my passcode.

frollogaston ・ 2 days ago

So the threat model is someone physically stealing your phone and guessing/seeing your password. The #1 proposed solution is a Yubikey. Can't they steal that too?

burnt-resistor ・ a day ago

YK's FIDO2 action can be passphrase protected. Mine has passphrases for FIDO2 and gpg. So stealing it won't help anyone.
- voxic11 ・ 21 hours ago
  
  But the whole premise is that the attacker is able to guess/see your password.

politelemon ・ 2 days ago

> Passkeys, particularly when bound to a physical security key

And _only_ when bound to a physical security key. Unfortunately by tying into the marketing of passkeys, there is going to be a pervasive assumption that ecosystem/on-device passkeys are just as secure.

Overall a good set of points, and I think it highlights the issues with a lot of the lauded 'convenience' factors in the Apple ecosystem.

Shank ・ 2 days ago

> Unfortunately by tying into the marketing of passkeys, there is going to be a pervasive assumption that ecosystem/on-device passkeys are just as secure.
Passkeys are an improvement over passwords. Security keys have a place for high security applications like enterprise deployments or the security paranoid. Passkeys stored on security keys can be trivially made worse by allowing users to set bad PINs (like 0000). If you use an iPhone and iCloud Keychain, iOS won’t permit you to store or use Passkeys with such an obvious passcode, but a Yubikey 5 will.
- burnt-resistor ・ a day ago
  
  The problem is that passkeys are opaque, non-portable, inaccessible, magic boxes lacking a backup or a portability mechanism.
  Passwords can be shared, stored, backed-up. Passkeys are locked away and hidden.
- frollogaston ・ 2 days ago
  
  I feel similarly, improvement is better than no improvement. So far the evolution of mainstream auth was just password -> email/sms, the 2FA stuff in between was niche. Most sites just want that to be someone else's job, passkey is a simple and robust way to do that, unlike oauth.
- sam_lowry_ ・ 2 days ago
  
  Passkeys are improvements over passwords in that login/password tuple is replaced by a single string.
  Everything else, including hardware tokens, is marketing vendor lock-in.
  
  Shank ・ 2 days ago
  ・ 2 more
  
  A passkey is not a single string? A passkey is a public private key pair where the private key is never sent to a server and signs things.
  
  frollogaston ・ 2 days ago
  
  Yep. There is still a lock-in issue though, cause passkeys as implemented are hard to transfer across walled gardens. But at least it's not like early TOTP impls which often had no playbook for when you get a new phone even in the same ecosystem.

dguest ・ 2 days ago

I've seen a lot of services (none banks so far) move over to requiring a One Time Password in addition to a password or private key as a way to get "2 factor authentication".

Problem is, people catch on that with some `expect` scripting and a few open source packages you can still just automate it to be 1 factor, just adding a bit more complexity to eventually leak the user's credentials.

deredede ・ 2 days ago

If people need "`expect` scripting and a few open source packages [to] automate it to be 1 factor", it is effectively 2 factor for 99.9% of the population.
Also, if someone uses a password manager to store both the password and the OTP credential, that is still an improvement to security. Intercepting (e.g. shoulder surfing) or guessing the password is no longer enough, an attacker needs to get into the password manager's vault.

rkrisztian ・ 2 days ago

What I missed from the article is the usual: biometric authentication is not secure.

https://www.youtube.com/watch?v=tJw2Kf1khlA

(Yes, I'm linking YouTube because unlike popular belief, some channels are actually informative, or some make it easy for us to understand the content.)

I would never use my fingerprint for authentication, because it's a flawed concept. The problem is, that your fingerprint is not a password. It's more like a username. That's because you leave your fingerprint everywhere, it's practically public information. The same can be told about your face.

didibus ・ 2 days ago

Biometrics are like identification yes. It checks that it's you. Now knowing that it's you, it retrieves a password stored on-device and uses the password for auth.
The auth is using a password still. The password is just indexed on your face or fingerprint ID and only locally, on-device.
That means the attacker would need the device to ever get at the password in the first place. Then they'd need to be able to break into the device. The latter you can argue is easy or hard, depending on perspective, but they'd need both your faceprint or fingerprint, and a reliable way to replicate it that can fool the reader.
If your fingerprint or faceprint leaks to the world. The attacker would still need your physical device, and would still need to find a way to fool the physical reader with a replica of your faceprint or fingerprint.
In that sense, it's more secure than a password.
- undefined ・ 20 hours ago
  
  [deleted]
hn_throwaway_99 ・ 2 days ago

That YouTube video is bad, if not outright wrong.
First of all, like the other commenter said, these days biometrics are rarely used as a key itself (which is how they are often portrayed in old movies). Instead, they are used as a method to gain access to the key. This is quite literally the case with some biometric Yubikeys - the key is the Yubikey, but to get it to work it needs your biometrics. Are you saying it would be better to have a key with no access control at all? Or one with a passcode (just watch the linked WSJ article from TFA - the guy was able to steal data from phones with passcodes, but biometrics would have made that attack vector much more difficult). Phones work pretty much the same way, perhaps the downside being that people often don't consider their phones as something that needs the same level of guarding as an actual key.
And just as importantly, what these kinds of YouTube videos often miss is the old adage "I don't need to outrun the bear - I just need to outrun you." That is, unless you are a particularly high-value target (and you would know if you are), any security that makes you much more difficult to hack than the person using Princess123 as their password means thieves give up and go to the easier target first.
llbbdd ・ 2 days ago

It's a bit of an aside but your disclaimer intrigued me - YouTube is extraordinarily useful and the popular belief is that it is, I'm not sure at all it's anywhere near a popular belief otherwise. It's like defending a television recommendation to watch How It's Made on the basis that there are also less informative shows broadcast on the same medium.
frollogaston ・ 2 days ago

So if I give you my fingerprint on a cup, can you get into my phone?

undefined ・ 2 days ago

[deleted]

awhitby ・ 2 days ago

This makes some good points. Slightly off its main topic, can iOS or an app treat Face ID and passcode auth differently, or are they completely unified?

For example, it would make a lot of sense to treat them differently for Apple Pay fraud detection, since passcode + device compromise seems a lot more likely in the real world than compelled Face ID.

Edit: there's a newish feature, Stolen Device Protection, that works along these lines - https://support.apple.com/en-us/120340

commandlinefan ・ 2 days ago

"There's something wrong with the security thingy. Press OK to see the dancing rabbits"

mindslight ・ 2 days ago

I realize this post is on a .ch domain, but in a US context "2FA" is a complete anti-feature. As a bank customer, the most important thing you can do to secure your account is to promptly check for unauthorized transactions. Anything that increases the friction to regularly logging in thus makes it harder to maintain your own security.

OutOfHere ・ 2 days ago

Passkeys seem overrated for three reasons:

(1) Their use of public-key cryptography is not quantum safe (against quantum computing). In contrast, passwords are very much quantum safe.

(2) They are tied to the provider. Why on Earth would I want to have the provider own my passkeys? Why would I want this vendor lock-in for my authentication?

(3) What if I want multiple accounts for a site? Some passkey vendors may support them, while others may not.

jpc0 ・ 2 days ago

1. Neither are passwords… Unless you use a quantum safe hashing algorithm which I believe I’ve only seen Apple adopt, maybe others but most of the internet isn’t using it.
2. By definition this isn’t true
3. Again not true, don’t confound whatever terrible implementation you have used with what is allowed or capable
- OutOfHere ・ a day ago
  
  1. A regular hash algorithm is already very safe against quantum computing if the hash is sufficiently long, which it easily is or can be for passwords. A special hashing algorithm isn't needed for quantum safety. At worst the hash length has to be doubled for ultimate quantum safety. The assertion of needing a special hashing algorithm is bogus.
  2. It is risked in practice.
  3. It too is risked in practice.
  
  jpc0 ・ a day ago
  ・ 3 more
  
  Seeing as we won’t agree on 2 and 3, let’s discuss 1.
  Your argument hinges on us getting access to a quantum computer that is stable enough for Shor’s algorithm to run invalidating RSA and ECC, current password hashes being updated using algorithms that are secure, or long enough, and a quantum safe algorithm not existing for PKi.
  Do you understand how this sequence of events is extremely unlikely, specifically since we already have quantum safe Public Key Algorithms and there is still ongoing research whereas it isn’t even known whether we will get a stable Quantum computer with enough qubits ever.
  
  OutOfHere ・ a day ago
  ・ 2 more
  
  You want people to bury their head in the sand, and unwillingly accept the unnecessary risk for little reward.
  
  jpc0 ・ 16 hours ago
  
  I’m not sure if you have been around normal people but the unnecessary risk is having them use a password in the first place. Normal people do not use password managers, despite both mobile operating systems and effectively every single browser bundling one.
  So now we have Apple Google and Microsoft getting a standard together that is actually secure in 2025 and your response is that sometime in the future a computer that our best engineers and scientists still haven’t been able to even prove may even be feasible might be able to reverse a public key.
  I also have a strong suspicion that the people that goes through the effort of even implementing Passkeys and those that care about security are a mostly overlapping set, so the likelihood of those public keys leaking in the first place is significantly lower the Bob’s hardware leaking my old mans one password he uses for everything.
  The security improvement for 99.99% of the population from using passkeys just far outweighs your hypothetical future that will likely never happen.
  I predict we will get AGI before a quantum computer that can reverse a public key, and we will have quantum safe public keys before that.