Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Unfortunately the EU regulation makes the truly user controlled 2FA methods essentially non-compliant.

https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

> Article 7 Requirements of the elements categorised as possession

> 1. Payment service providers shall adopt measures to mitigate the risk that the elements of strong customer authentication categorised as possession are used by unauthorised parties.

> 2. The use by the payer of those elements shall be subject to measures designed to prevent replication of the elements.



This says something along the lines of "it should be hard to extract the TOTP secret".

However if you can get so far as to get the secret from the TOTP app, you can as well back up the entire phone and restore elsewhere, can't you?


No, because phones that lock keys in hardware effectively prevent that, and that works only with hardware that prevents its owners from having full control an doing what they want with their hardware.

"Unextractable keys" works with hardware that you don't "truly own".


What if you truly want the security properties provided by a device which can keep keys in a way where you fully control their use but its extremely hard for anyone to extract them?


I mean case in point, this is exactly what a Yubikey does for people.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: