I logged in to my electronic banking this morning to be greeted with a message along the lines of:
“We’re replacing our authentication with a new identity app on this date.”
Yeehaw, more security. Yes, please. TAC SMS is long outdated and the European Union has new regulatory requirements that are forcing banks to upgrade. I’m expecting all banks to make a similar change soon if they have not already done so.
So far so good. First disappointment was that you can’t use an existing identity provider (e.g. we have a government-backed digital identity in Austria called Bürgerkarte) but instead it’s a proprietary solution. Ok then, not that surprising, and the s-Identity product by Erste Bank seems well built (they also built the best e-banking product in Austria). It’s available for all the usual platforms: Win, Mac, Android, iPhone, but no Linux support.
In order to not have a single point of failure I installed both the app on my phone and the software on my desktop. If my phone gets stolen (or more likely breaks) I have the software on my desktop to activate a new phone and vice versa. This all sounds very good and reasonable. Let’s proceed…
Please select the account you’d like to use to pay your login subscription.
Wait, what? I now have to pay extra to log in? That can’t be right. Let me go back to the fine print. So it’s free if I use the phone, it’s free if I use the desktop version, but it’s a subscription if I use both? Charging me to use a login mechanism?
Keep in mind:
- I’m already paying for the account itself,
- there are fewer costs (i.e. no more SMS) after the switch for the bank and,
- I’m certain the infrastructure costs for 2 authenticator apps instead of 1 must be negligible.
A Twitter discussion ensued, but my hopes are not high that anyone in support will really understand the issue. So this blog is once again the outlet of my frustration. (Cheaper than a therapist.)
Why not just use the phone by itself?
The bank expects most people are going to use just a single app to authenticate. But what happens if you can’t access that device one day? You need to install the app somewhere new and get an activation code (the authenticator seed) for the new device. There are two ways to get it:
- Get a new activation code from the bank teller personally
- Let the bank send the activation code to you via postal letter
Do you see the location dependency introduced here? And haven’t they introduced a rather glaring security hole too?
- Attacker knows the business address of a company using Erste Bank
- Requests a new activation code for the company account via the help desk (after all the bank is sending it to the registered address, what could possibly go wrong?)
- Attacker steals the activation code from the letter box, signs in and initiates a transfer of all funds (did I mention that sign-in and transfer confirmation are now both in the same app*)
The security issue is one the bank should take a look at, but my focus is more on the loss of device risk.
If you’re on holiday, a business trip, an expat or a digital nomad you’re royally screwed and lose access to your bank account. That’s a risk I’m not willing to take even for my personal bank account, but certainly not for any business related accounts. I think Erste Bank thought about that and saw the chance to offset some of the development costs that the EU forced them to make and put a price on a small percentage of users that are security conscious. Oh and it’s monthly - everything nowadays has to be a subscription, right?
What would be the right approach in my opinion?
We live in a digital age. Two identity options should be considered identical in my opinion:
- Passport / Identity document (hard copy proof)
- Government issued digital identities / signatures
If you can’t (or don’t want to) let customers/users use government provided identities for the login mechanism then at least let them be used for fallback / recovery options. Once the identity has been established, send an encrypted e-mail with the activation code that you can receive anywhere in the world.
One of Erste Bank’s biggest competitors, Bank Austria Group, already uses e-Brief (a secure electronic delivery of documents) which I assume is available as a recovery option. That’s not the ideal solution either (authentication for e-Brief is via username/password) but at least it’s another layer of security and location independent.
I wonder if Bank Austria will become the bank of choice for digital nomads and location independent people from Austria or maybe one of the new banks (N26, Holvi, Revolut).
So what will I do?
Well, register my complaint and then pay the premium. I am essentially location independent and cannot risk being unable to access funds in case of an emergency. The subscription doesn’t break the bank (yes, pun intended) thankfully.
Still, charging for a login mechanism is a very Scrooge McDuck move.
PS: Two Factor Redundancy in general
If two factor is available I usually use it. A lot of times this makes use of an authenticator app like Google Authenticator. In order to be able to log in even after a device has become unavailable I store the authentication seeds in a backed-up and encrypted store. This will allow me to restore each authentication factor on a new device. Because of the security involved it’s a large pain to get to these seeds (that’s kind of the point) but I have them available worldwide if I need them.
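What restoring from a backed-up seed amounts to, as an added example that is not part of the original post: it assumes the service uses standard TOTP (RFC 6238, the scheme Google Authenticator implements). The seed is the RFC's published test key, and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: base32 of the RFC 4226/6238 test key "12345678901234567890".
BACKUP_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(seed_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    # Seeds are often written down lower-case, spaced and without padding.
    cleaned = seed_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    key = base64.b32decode(cleaned)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(seed_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(seed_b32, int(unix_time) // step, digits)


def verify(seed_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step plus/minus `window` steps
    of clock drift, comparing in constant time."""
    return any(
        hmac.compare_digest(totp(seed_b32, unix_time + i * 30), code)
        for i in range(-window, window + 1)
    )


def restored_device_matches(unix_time: int) -> bool:
    """A replacement device loaded with the same seed (here typed in from a
    backup, lower-case and spaced) yields the code the lost device would have."""
    lost_device = totp(BACKUP_SEED, unix_time)
    typed_from_backup = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"
    return totp(typed_from_backup, unix_time) == lost_device
```

The seed alone is the whole factor: the device contributes nothing but the clock, which is why the backup store has to be protected as carefully as the device itself.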
* A point to clarify: The new European regulation specifies that the login needs at least two independent mechanisms (two factors). The bank explains here that the app is linked to the device (factor 1) and the user has to enter a PIN (factor 2). But in the process they have removed the additional factor for transferring of funds (which in the past was TAC SMS). So now if you gain access to the banking account, you can transfer funds up to the limit (that you set when you instantiate the authenticator app).