FSFE Community

Forced use of Google/Apple phones "for security" (2fa)

Hello,

Having recently worked with several Spanish banks, I have noticed that many are abandoning SMS-based 2fa and forcing you to install a (proprietary) application on an Android or iPhone. Some banks won’t even allow you to operate remotely without the application. Others will let you, e.g., receive money but not send, and limit the account’s functionality in various ways, unless you install the application. These applications often do not work without Google Play Services on Android, and they are themselves riddled with spyware like the usual googletagmanager according to Exodus scans. In other words, you are forced to use a stock Android/iPhone, go through the official app store, and expose yourself not only to the third party surveillance on the app itself, but also the native surveillance on the device.

The story, which also appears to suffer from a whole bunch of copy-pasta on the Internet, is that SMS 2fa is not secure because of sim swapping, except that many phone providers nowadays allow you to set up an OTP lock on the porting process such that if somebody were to impersonate you and trick the customer service, the system would send a one-time code to your phone/number, which you still own. Most people surely won’t bother doing this, but instead of passing legislation to force phone service providers to protect their customers or adopt actual 2fa standards such as TOTP or WebAuthn, both of which are actual standards and allow free implementation by any interested party, and for which such implementations already exist, online services appear to have instead just called it a day on SMS 2fa, forced people into surveillance, and resorted to quoting NIST’s deprecation of SMS everywhere on the Internet. I am sure there are security experts in this forum who can shed some light on the security front, but in any case, the security should not come at the expense of a loss of privacy, especially when alternatives already exist.

Has anybody noticed this trend in which you can no longer be a human being unless you subject yourself to this kind of surveillance? It’s getting pretty serious because it’s getting harder and harder to refuse to use the service on moral grounds; a bank service is pretty much essential.

Is the FSFE working on this front by any chance?

I am not sure what to do. For now, I have just been complaining to the customer service, which, more often than not, completely fails to understand the problem, let alone solutions, like I’m an alien from outer space.

Thank you,
Marc


I have been working for a bank in Switzerland and I have seen the same phenomenon. Let me clarify that I’m actually a fan of TOTP, but not of surveillance. (I don’t like SMS because I have to type the code in somewhere after receiving it, which is super-clumsy.)

To make matters worse, for OTP-based and other 2FA with Microsoft infrastructure, you explicitly need Microsoft Authenticator. It doesn’t work with free alternatives, which seems to be a deliberate restriction by Microsoft. Note that most if not all banks likely base large parts of their IT on Microsoft software and infrastructure.

Alternative providers also use Google Play Services for Android. Does anyone know why? I assume that it’s simply more convenient to develop and enforce platform security on Android.

I contacted Futurae, a Swiss provider of 2FA infrastructure that supports banks like ours, to make them aware of the problem, because I wanted to stop using my Android phone at work and switch to the de-googled Volla phone instead. They expressed their sympathy, saying more and more customers are privacy aware, but they won’t offer a solution.

Interesting. Actually, I’m, by now, an opponent of 2FA.

This may shock some of you, since 2FA is all the rage these days. IMO, 2FA takes control away from users to put it into the hands of providers.

It transforms identity management into a “product”. No wonder the actors of surveillance capitalism are so keen on it.

Of course, not having 2FA puts some burden on users (they have to manage their passwords/passphrases and their private tokens (key files, etc.)). But this burden is the price I’d be willing to pay to keep my agency.

Cheers

Thank you for the feedback, looks like this is indeed widespread.

Alternative providers also use Google Play Services for Android. Does anyone know why? I assume that it’s simply more convenient to develop and enforce platform security on Android.

A wild guess is that they are using Firebase Auth.

Outside of OTP, bank applications, to my knowledge, sometimes install a background service that tracks your location and usage of the phone to fingerprint you and use that fingerprint as an implicit auth factor. E.g. if your phone is in Germany but an account login is initiated from the Seychelles, it’s probably fraud.

To make matters worse, for OTP-based and other 2FA with Microsoft infrastructure, you explicitly need Microsoft Authenticator.

Come to think of it, I have seen this too, but not Microsoft. I always wondered why the service’s TOTP wouldn’t work with my TOTP client. I guess these are non-standard implementations branded as TOTP.

But this burden is the price I’d be willing to pay to keep my agency.

The problem is that many of these same banks only allow you to have a 6-8 digit-only password, which also induces people to use their birth date. And of all your online accounts, this is pretty much the one you need the most security for, so the 2fa becomes almost obligatory.

I think 2fa is, in theory, a positive development. But implementations like these force even more surveillance on people.
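The implicit location factor mentioned above (phone last seen in Germany, login attempted from the Seychelles), as an added worked example that is not from the thread or from any bank’s software: an “impossible travel” check that compares the app’s last reported device position with the geolocated origin of a login attempt and flags the login if the account holder would have had to move faster than an assumed ceiling. The coordinates, timestamps and the 900 km/h ceiling are constructed assumptions.

```python
# Added example, not from the thread or any bank: an "impossible travel"
# risk check comparing the device's last reported position with the
# geolocated origin of a login. All coordinates, timestamps and the speed
# ceiling below are constructed assumptions.
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # assumption: about airliner cruising speed


@dataclass(frozen=True)
class Observation:
    source: str       # "device" (app background location) or "login" (IP geolocation)
    unix_time: int
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points given in degrees, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def assess_login(last_device: Observation, login: Observation,
                 max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH) -> dict:
    """Flag the login if the account holder would have had to travel faster
    than max_speed_kmh to get from the device's last position to the
    login's origin in the elapsed time. Zero elapsed time with a non-zero
    distance counts as impossible."""
    distance = haversine_km(last_device.lat, last_device.lon, login.lat, login.lon)
    hours = abs(login.unix_time - last_device.unix_time) / 3600.0
    if distance < 1.0:            # same place within geolocation noise
        required = 0.0
    elif hours == 0:
        required = float("inf")
    else:
        required = distance / hours
    return {
        "distance_km": round(distance, 1),
        "required_speed_kmh": required,
        "suspicious": required > max_speed_kmh,
    }


# Constructed sample: the app last reported the phone in Berlin; three logins follow.
BERLIN = Observation("device", 1_700_000_000, 52.520, 13.405)
SAMPLE_LOGINS = [
    Observation("login", 1_700_000_000 + 3_600, -4.620, 55.450),   # Mahé, Seychelles, 1 h later
    Observation("login", 1_700_000_000 + 10_800, 48.137, 11.575),  # Munich, 3 h later
    Observation("login", 1_700_000_000 + 60, 52.521, 13.406),      # Berlin again, 1 min later
]

if __name__ == "__main__":
    for login in SAMPLE_LOGINS:
        print(login.source, login.unix_time, assess_login(BERLIN, login))
```

The check itself needs only two positions and two timestamps. What makes it a privacy problem in the form described above is where the first position comes from: a background service on the phone reporting its location continuously, rather than a single geolocation of the login request at the moment it is made.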


Of course, it depends on what we consider to “be” 2FA. Strictly speaking, a passphrase-armored private key file counts as 2FA: I’d consider that as “benign” 2FA. You control your file, can make backups, you control your passphrase, and, ideally, it’s a standard format. That’s how my SSH works. That’s, BTW, how my banking works, too. I did a “classical” key exchange with my bank by snail mail. The software I use to interact with them is free (aqbanking). (The situation in the mobile device “market” is most probably dystopian. I don’t own a mobile device and hope to keep it that way for as long as possible.)

The 2FA promoted by big corps and those who believe their narrative [1] wants to promote “identity management” as a new service they can offer in exchange for something [2].

Sorry, Apple, Google, Facebook, Microsoft. My identity is totally the last thing I want you to manage for me.

Yes, identity theft is a thing. Yes, people choose bad passwords. Sometimes, though, one shouldn’t try to solve a social problem technically, although that’s the temptation we geeks fall for (so Google et al have an easy game convincing us to buy some closed gadget from Yubico or worse).

Cheers

[1] Let’s not forget that Google et al are, basically, ad companies (yes, I count Apple also in this category). If they are good at something, that’s convincing people.

[2] To be fair, I guess the primary motivation was that they wanted to get rid of the costs generated by people losing their passwords and people getting control of other people’s passwords. But then, they saw this business opportunity and their eyes went $$.

Yes, banks are unfortunately bad at this now and I think the reason is that they misunderstood a new requirement (PSD2) that they probably already met before. I’ve heard countless times from banks that their app is much more secure than their previous solutions and it doesn’t help that I know they are incorrect. I can talk to my bank clerk and they will point to the IT department and say they know best and surely made a good decision and even if I could talk to someone from the IT department, they wouldn’t really be able to change any decisions. Our best option is to choose banks that enable you to use Free Software. But it’s by no means guaranteed that those banks will keep this option.

In regards to 2FA overall, I think it’s a good thing as long as it’s based on a standard that can be implemented with Free Software. That means today, we can use any website with 2FA that says they support Google Authenticator, even though that’s not what we use with Free Software. It’s just a compatible implementation and there’s no interaction with Google (it even works offline).

So Tomás, would you mind elaborating a bit more what you mean?
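Since the thread keeps returning to whether the “Google Authenticator” codes need Google at all (Marc’s point that TOTP is an open standard anyone may implement, the remark above about a service’s “TOTP” that would not work with an independent client, and the reply above noting that a compatible implementation works offline with no interaction with Google), here is an added worked example, not code from any poster, bank or vendor: a complete RFC 4226/6238 HOTP/TOTP in plain Python, checked against the RFCs’ own published test vectors, the parser for the otpauth:// URI behind an enrolment QR code, and the server-side verifier with a clock-skew window and replay protection. The secret is the RFC reference key; the `ExampleBank:marc` label and the URI are constructed placeholders.

```python
# Added example (not from the thread): RFC 4226/6238 HOTP/TOTP in plain Python
# plus the server-side check. The secret is the RFC test-vector key; the
# enrolment URI and its "ExampleBank:marc" label are constructed placeholders.
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC(secret, 8-byte big-endian counter), then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). No network, no Google."""
    return hotp(secret, unix_time // step, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Parse the otpauth://totp/... URI that an enrolment QR code encodes.
    Any client implementing this and hotp() interoperates with the service,
    whatever app the service names on its enrolment page."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    q = parse_qs(u.query)
    b32 = q["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)  # QR payloads usually omit base32 padding
    return {
        "label": u.path.lstrip("/"),
        "secret": base64.b32decode(b32),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].lower(),
    }


class TotpVerifier:
    """Server side. Accepts the current step and `skew` neighbours on either
    side (clock drift), compares in constant time, and refuses any step at or
    below the last accepted one so an observed code cannot be replayed."""

    def __init__(self, secret: bytes, digits: int = 6, step: int = 30,
                 algorithm: str = "sha1", skew: int = 1):
        self.secret, self.digits, self.step = secret, digits, step
        self.algorithm, self.skew = algorithm, skew
        self.last_counter = -1  # persist per user in a real deployment

    def verify(self, code: str, unix_time: int) -> bool:
        code = code.replace(" ", "")
        current = unix_time // self.step
        for c in range(current - self.skew, current + self.skew + 1):
            if c <= self.last_counter:
                continue  # already used, or older than one already used
            expected = hotp(self.secret, c, self.digits, self.algorithm)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_counter = c
                return True
        return False


# RFC 4226/6238 reference secret (ASCII "12345678901234567890") and the same
# secret as it appears, base32-encoded, in a constructed enrolment URI.
RFC_SECRET = b"12345678901234567890"
EXAMPLE_URI = ("otpauth://totp/ExampleBank:marc"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleBank")

if __name__ == "__main__":
    params = parse_otpauth(EXAMPLE_URI)
    print("T=59, 8 digits:", totp(RFC_SECRET, 59, digits=8))  # RFC 6238 says 94287082
    v = TotpVerifier(params["secret"], params["digits"], params["period"], params["algorithm"])
    print("first use:", v.verify(totp(params["secret"], 59), 59))
    print("replay:   ", v.verify(totp(params["secret"], 59), 70))
```

A service whose “TOTP” rejects the codes this produces from its own enrolment secret, while accepting its branded app, is not running RFC 6238 with the parameters it advertised. The verifier also shows the property that matters on the server side: the accepted counter never goes backwards, so a code that has been used once is dead for the rest of its window.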

Hi Marc, I have no tracker (ie. mobile phone), and all Spanish banks that I know require one for online banking, so I use no online banking.

This is what I do: I just opened an account in my nearest bank office and I do all my banking operations through its ATM.

This is hard to do when living abroad, though.

Funnily enough, this same topic came up on HN just a few hours ago:

This is also an issue in the Netherlands. Banking apps impose ever higher requirements. When I set up my Fairphone last week my banking app even requested a photograph and NFC scan of an ID-card. This seems a clever way for the bank to improve the personal details of users, which is relevant now that banks want to act as an identity provider in the Netherlands through the iDIN protocol and organization. I’d like to have an overview of what banks offer other verification methods besides mobile apps.

A similar issue is occurring in the Netherlands regarding authentication for public services. I’ve already blogged about it: Dutch digital identity system crisis — nico.rikken’s blog In the name of security citizens will be forced into accepting the terms of Google or Apple in order to access digital public services. Politicians are making progress to guarantee an analog process as a fallback. It is good to have such a fallback, but it would be better to ensure access to digital services in an ethical way.

@3gg, this is such a large issue that you might feel powerless. But you can turn that around: this is so widespread that any action is helpful and it doesn’t matter as much what you do. I’ve written to politicians, informed organizations about alternative authentication methods, and discussed the issue in online communities to raise awareness. Raising this issue here is already a great help, so thanks to you for doing so!

I think ultimately this comes down to regulation and so the efforts would best be focused on politicians and public debate. Getting other organizations involved will help amplify any effort. So keep raising the issue and explain the importance.

A more coordinated campaign like other FSFE campaigns would be nice of course. I don’t know when there will be a political opportunity to table this issue on a European level.

Yeah, that’s pretty terrible. Thank you for your insights.

I have emailed EDRI to see if they are campaigning on this, but I have not received any response yet. I will look into emailing politicians next and let you know how that goes. I am also thinking politics is the best way to go about this. Governments are still living in the 50s and Big Tech is exploiting this to install itself as a pseudo-sovereign entity that rules how we carry our digital lives.


I’ve also asked other organizations in the Netherlands about this topic but they already have their hands full with other topics that also need urgent attention. Hopefully EDRI can do something, or at least share the concern and spread the message. Please do share what comes of it.

My blogpost was discussed on Ycombinator Hacker News Dutch digital identity system crisis | Hacker News with similar remarks about the risks and downsides of the smartphone as second factor in practice.

I got an email with feedback on the blogpost and in it this person raised another interesting point. Google’s algorithm to detect security breaches is known to lock out people from their Google accounts, leaving them reliant on the bad customer support: Google Users Locked Out of Accounts Are Left Desperate Due to Terrible Customer Support / Digital Information World. If more and more services are linked to it, from payment to healthcare to government services, we could be in serious trouble. At the very least you would have to bootstrap authentication. And you would enter the dilemma: go the long route to restore account access or just create a new account but have to set up all services again.

I saw that Nico’s article was linked to on OSNews, leading to mixed responses from the regular commenters there, though many were in agreement that there is a problem that needs discussion. (And hopefully some kind of resolution.)

My first thought about this problem is whether government agencies can effectively outsource authentication services in this way. Banks might be a different case, unless they are owned by the state. I accept that services are often outsourced to service providers by institutions. What seems to be different is that it’s not frictionless for the end user – they have to obtain the hardware to run apps to access services.

What I wonder about is how this kind of device/service requirement for basic services affects the interpretation of license agreements or terms of use. It’s like having to use a certain piece of software in the workplace. If you don’t have a choice other than to accept a usage agreement, it’s not really an agreement.

Another, more mischievous thought occurs. Those who promote the use of smartphones for everything tend to assume that things would be just fine if everyone just shut up and got a smartphone, but what about compatibility? Does the cheapest Android phone work with whatever app is required today? Shouldn’t there be some sort of recommendation for which phones people are expected to use? If there was such a recommendation, wouldn’t that be an endorsement of certain brands? It’s not like there’s a standard being followed that any vendor could meet. It just looks like protectionism.


I agree that banks are a problem here and I agree that using Google services blindly is a problem. However, I don’t want to throw all 2FA in with this. 2FA is a great and useful tool that is not a problem to privacy in and of itself. Even Google Authenticator isn’t because it implements a standard and there are alternative implementations.
