Path: ...!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail From: Dave Royal Newsgroups: comp.mobile.android Subject: Re: Codes sent by text message Date: Tue, 12 Mar 2024 16:46:58 +0000 (GMT) Organization: news.eternal-september.org Lines: 52 Message-ID: References: <1mtd3l3os6odg.dlg@v.nguard.lh> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Injection-Date: Tue, 12 Mar 2024 16:47:00 -0000 (UTC) Injection-Info: dont-email.me; posting-host="ec5f915a3258ab52dedd3e4e822d6e0f"; logging-data="427504"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+nQSJRWe6fmvUOQAe9484s" Cancel-Lock: sha1:gTCcitqRKm4hSSw9TYb4YvK8gI8= X-Newsreader: Mod.PiaoHong.Usenet.Client:2.02.M16 Bytes: 3660 Frank Slootweg Wrote in message: > Dave Royal wrote: >> Frank Slootweg Wrote in message: >> >> > Chris wrote: >> >> Frank Slootweg wrote: >> >> > VanguardLH wrote: >> > [...] >> >> > As Dave Royal also mentioned, your bank probably mentions/'supports' >> >> > one or more TOTP 'apps'/programs, but - assuming they have not >> >> > re-invented the wheel - their systems should be standards-compliant and >> >> > hence worke with any standards-compliant 'app'/program. >> >> >> >> Sadly in the UK that's not the case. They either use SMS, an automated call >> >> or their own TOTP available in their app. >> > >> > It's similar in The Netherlands, at least for my banks and other banks >> > I know of. But SMS and automated call are (AFAIK) not used. Just a >> > bank-specific hardware TOTP device (uses your bank card as one of the >> > factors) or TOTP in their apps. I use the TOTP devices, because it's not >> > much of a bother and more secure. >> >> Does this bank-specific TOTP device use your normal bank >> credit/debit card (i.e. the one you you make payments or withdraw >> cash with) or a specific TOTP card. I have one of the latter - >> though the bank doesn't use it for payments requiring >> 2FA. > > It uses my normal bank card. Mostly a debit card, because most 'local' > (in NL (and EU?)) on-line transactions can be done by a debit card, > which - in our country - is a safer card than a credit card. But also > some credit card transactions work with the bank's TOTP device (our > credit cards are issued by our banks). > >> Amex has recently taken to asking for 2 digits of my credit card >> PIN to authorise some transactions - after years of saying we >> should never reveal it. > > When I use my credit card in the bank's TOTP device, I need to give > the 4-digit PIN of that card, i.e. the PIN is one factor of 2FA, the > physical card is the other. > That's obviously OK on an offline gadget. It's providing (part of) the PIN to a website I find dubious - even if that website purports to be AMEX itself. I don't know why NatWest in the UK doesn't use it's own credit card in its own TOTP gadget for 2FA. Perhaps because it uses Mastercard, whereas AMEX cards are their own. -- Remove numerics from my email address.