Dropping Cellular for VoIP? Daily Phone use.

OhVenus_Baby@lemmy.ml · 2 months ago

Dropping Cellular for VoIP? Daily Phone use.

JustEnoughDucks@feddit.nl · 2 months ago

90% of American commercial services that is.

Online services or many/most European services have more proper 2FA (TOTP, app-based, card reader OTP, etc…)

delirious_owl · edit-2 2 months ago

Can you name me an EU bank that doesn’t demand a phone number to signup?

Unfortunately, PSD2 doesn’t support TOTP and other strong 2FA solutions, so they all appear to require phone numbers. This is one area where EU is worse than US

JustEnoughDucks@feddit.nl · edit-2 2 months ago

That is a completely separate issue from the above commenter.

You absolutely cannot get 2FA authenticator codes from 90% of services

A shockingly large amount of companies demand phone numbers and send verification texts before allowing you to do business with them, to create an account, to recover an account, to delete an account, to place an order, etc.

They really shouldn’t, it’s a bad security practice but companies love it because with a phone number they can lower support costs by just allowing people to do a self-service where they get an automated text and can unlock their locked account.

Also an issue, but indeed a separate issue from using unsecure SMS as TOTP.

delirious_owl · 2 months ago

I don’t follow. Banks are required to use insecure SMS for OTPs by PSD2

Nithanim@programming.dev · 2 months ago

My EU bank never ever used my phone number to verify anything. They only used it to contact me on some occasions. 2FA is done through their app.

delirious_owl · edit-2 2 months ago

Oh, right, their closed source app. Thats allowed. So it requires a phone.

So the OTP is still transmitted to satisfy the requirements of PSD2. But TOTP (a more secure system that doesn’t transmit the OTP at all) is not allowed.