Banks, email providers, booking sites, e-commerce, basically anything where money is involved, it’s always the same experience. If you use the Android or iOS app, you stayed signed in indefinitely. If you use a web browser, you get signed out and asked to re-authenticate constantly - and often you have to do it painfully using a 2FA factor.

For either of my banks, if I use their crappy Android app all I have to do is input a short PIN to get access. But in Firefox I also get signed out after about 10 minutes without interaction and have to enter full credentials again to get back in - and, naturally, they conceal the user ID field from the login manager to be extra annoying.

For a couple of other services (also involving money) it’s 2FA all the way. Literally no means of staying signed in on a desktop browser more than a single session - presumably defined as 30 minutes or whatever. Haven’t tried their own crappy mobile apps but I doubt very much it is such a bad experience.

Who else is being driven crazy by this? How is there any technical justification for this discrimination? Browsers store login tokens just like blackbox spyware on Android-iOS, there is nothing to stop you staying signed in indefinitely. The standard justification seems to be that web browsers are less secure than mobile apps - is there any merit at all to this argument?

Or is all this just a blatant scam to push people to install privacy-destroying spyware apps on privacy-destroying spyware OSs, thus helping to further undermine the most privacy-respecting software platform we have: the web.

If so, could a legal challenge be mounted using the latest EU rules? Maybe it’s time for Open Web Advocacy to get on the case.

Thoughts appreciated.

  • @mipadaitu
    link
    English
    78 months ago

    A ton of these requirements are due to regulatory requirements for securing access to accounts at the state and/or federal level.

    Requirements are then interpreted by each financial institution and implemented by different teams. It’s most likely due to the fact that a desktop is assumed to be more likely to be a shared device, while a phone/tablet is most likely to be a personal device, which is password/bio-metrics protected.

    As for security around a browser: if you look at how phishing/hacking attacks happen on a desktop computer, if you can be tricked into launching an virus, it can copy all of your browser cookies and login sessions to the attacker, then they can duplicate your browser session. If you have an unlimited login for a financial institution, then they now have a logged in session for your bank.

    https://www.reliaquest.com/blog/browser-credential-dumping/

    So if you add up all that, then they’re more likely to allow long term login sessions on an application that they control than on a desktop/web browser that they don’t.

    • @JubilantJaguarOP
      link
      18 months ago

      Fair enough, but “regulatory requirements” can be a symptom as well as a cause. Bad rules are there for the changing.

      So if you add up all that, then they’re more likely to allow long term login sessions on an application that they control than on a desktop/web browser that they don’t.

      Again, all true. But this is all just probabilistic, as someone else said. A properly secured browser on a locked down machine can be much more secure than an outdated Android stack in the hands of the kind of person who falls victim to scams.

      Here, the effect of “assumptions” is to undermine software freedom and privacy. That feels like a problem that needs a better fix.