It's the Payment Services Directive (PSD2). Username+PW has been obsolete and insecure for at least 20 years now.


> It's the Payment Services Directive (PSD2). Username+PW has been obsolete and insecure for at least 20 years now.

That does not imply that banks must implement 2FA with their proprietary applications.

Banks could just implement TOTP (Time-based One-time Passwords, RFC 6238) or HOTP (HMAC-based One-time Passwords, RFC 4226) and let me choose how I generate my OTP, for example with a hardware OTP generator or an open source application.

Most banks are using PSD2 as an occasion to force their privacy-invading apps on their users.


Absolutely not, I heavily dislike SmartID and similar proprietary spyware as well. A TOTP HW token would be in my opinion more secure. The reason banks use it though is the convenience, having some identity tied to the apps is just a bonus for them.

