Hacker News

lxgryesterday at 2:37 PM2 repliesview on HN

Neither TOTP nor HOTP provides the "what you see is what you sign" property, unfortunately, which can be critical for bank and other transactions.

"Enter this code only if you want to pay <amount> to <merchant>" is much more secure than "enter your TOTP here", which is a lot like issuing a blank check in comparison (and in fact required by regulation in the EU, for example).

Not even WebAuthn provides that property on a compromised computer; for that, you'd need something like the SPC extension [1] and a hardware authenticator with a small display.

That's unfortunately why we're currently stuck with proprietary bank confirmation apps that can provide it. I really wish there was a vendor-neutral standard for it, but given how push notifications work (or rather don't work) for federated client apps, I'm not holding my breath.

[1] https://www.w3.org/TR/secure-payment-confirmation/
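The distinction the comment draws, as an added example that is not code from the original post or any bank's product: a plain RFC 4226/6238 HOTP/TOTP code next to an illustrative "transaction-bound" code whose MAC covers the amount and merchant the user was shown. The binding construction, the field encoding and the one-step verification window are assumptions made for the demo, not the SPC specification or any deployed protocol; the secret is the RFC test-vector key.

```python
"""Plain TOTP versus a code bound to the transaction it authorises.

Added example; not code from the thread. HOTP/TOTP follow RFC 4226/6238
(HMAC-SHA1, dynamic truncation). The transaction-bound code is an
illustrative construction (HMAC over time step + amount + merchant), not
any bank's actual protocol or the SPC specification.
"""
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 (SHA-1) test-vector secret, used here as constructed demo input.
SECRET = b"12345678901234567890"
STEP = 30
DIGITS = 6


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 31-bit window at the offset given by the last nibble."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP over an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def totp(secret: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(now / step)."""
    return hotp(secret, now // step, digits)


def transaction_code(secret: bytes, now: int, amount_cents: int, merchant: str,
                     step: int = STEP, digits: int = DIGITS) -> str:
    """Illustrative WYSIWYS code (assumed construction): the MAC covers the
    time step *and* the transaction fields the user's trusted display showed."""
    ctx = (struct.pack(">Q", now // step)
           + struct.pack(">Q", amount_cents)
           + merchant.encode("utf-8"))
    mac = hmac.new(secret, ctx, hashlib.sha256).digest()
    return _truncate(mac, digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Server-side check allowing +/- `window` steps of clock skew (assumed policy)."""
    return any(hmac.compare_digest(code, totp(secret, now + k * STEP))
               for k in range(-window, window + 1))


def verify_transaction_code(secret: bytes, code: str, now: int,
                            amount_cents: int, merchant: str, window: int = 1) -> bool:
    """The server recomputes the code over the transaction it is *actually* about to execute."""
    return any(hmac.compare_digest(code, transaction_code(secret, now + k * STEP,
                                                          amount_cents, merchant))
               for k in range(-window, window + 1))


def relay_attack(now: int) -> dict:
    """Malware on the user's computer relays what the user typed into the banking
    site, but swaps the transaction the bank is asked to execute (constructed scenario)."""
    user_saw = (1_000, "Coffee Shop")   # user confirms "pay 10.00 to Coffee Shop"
    attacker_sent = (500_000, "Mule")   # bank is asked to "pay 5000.00 to Mule"

    # A TOTP says nothing about what is being authorised: the blank check.
    plain = totp(SECRET, now)
    plain_accepted = verify_totp(SECRET, plain, now)

    # A transaction-bound code was computed over what the user actually saw,
    # so it only verifies against that transaction.
    bound = transaction_code(SECRET, now, *user_saw)
    bound_accepted = verify_transaction_code(SECRET, bound, now, *attacker_sent)
    bound_legit = verify_transaction_code(SECRET, bound, now, *user_saw)

    return {"plain_totp_accepted": plain_accepted,
            "bound_code_accepted_for_swapped_tx": bound_accepted,
            "bound_code_accepted_for_shown_tx": bound_legit}


if __name__ == "__main__":
    print("RFC 4226 vector, counter 0:", hotp(SECRET, 0))   # 755224
    print(relay_attack(59))
```

Running it against the RFC test vectors (counter 0 gives 755224, T=59 gives 287082) confirms the HOTP/TOTP side; the relay scenario then shows the plain code being accepted for a transaction the user never saw, while the bound code only verifies for the amount and merchant that went into its MAC. The binding is only as good as the display that produced `user_saw`: on a compromised computer that has to be a separate device, which is the point the comment makes about hardware authenticators with a screen.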


Replies

vanburen, yesterday at 2:48 PM

Yeah this is a big problem. I have been sent 2F messages via WhatsApp by some services (e.g. PayPal).

This isn't great, but it's better than SMS and than having to have a separate app for each authenticating service, though.

A vendor-neutral service would be a lot nicer.

Calwestjobs, yesterday at 6:02 PM

The only system which does it securely is a Bitcoin cold wallet / offline-computer-signed transaction.

Or, as you pointed out, signing it on a smartcard with a keypad reader.

But for login, TOTP is better than anything else. I can put it on an Arduino with a small OLED board and keep it in a safe/vault offline.

And there is no way for an attacker to MITM, and here lies the problem: companies cannot blame you as easily as with currently deployed technologies... they hide breaches all the time, f... PCI
