Categories: Security

There has recently been a strong trend towards forcing the use of a modern mobile phone for authenticating to online banking.

I’ve been rather cautious about this, and currently use a dedicated “tan generator” device which my bank reluctantly offers as an alternative. The principal problem I have with using an application on a phone as an authentication mechanism is:

• a phone typically has many other apps installed on it, and
• phone operating systems have security holes (eg android and iphone)

However it appears that things are improving in this area, at least with the Android mobile OS: Android’s Trusted Execution Environment, Strongbox API, and phones with embedded security chips (eg Google’s Pixel3) make rogue apps (even with root-level access) far less of a problem.

Update 2019-12-07: Android vulnerability used to drain bank accounts