The Convenience Trap: Why Seamless Banking Access Can Turn 2FA into 1FA
51 comments
July 29, 2025 · deredede
hn_throwaway_99
Furthermore, these days I enter the passcode on my phone very rarely (Android requires it after restarting the device or after some amount of time) - normally I use biometric authentication.
The linked WSJ article is a bit hyperbolic and typical journalism overreach by calling it an Apple "security vulnerability", which is bullshit IMO. If you watch the interview with the guy in jail, the main method by which he got people's security code is he asked them. That is, he would tell people he had drugs to sell them and wanted to give them info, so he would get their phone and ask them for their code to unlock it.
At least the WSJ report is honest when it says "The biggest loophole: You".
tialaramex
Also in-person theft is both something our civilisation understands and has adapted to, and it does not scale. So it's never going to be a problem the way say password re-use is or many other maladies from the use of "passwords" for online security.
2716057
The issue I'm having with this sort of "something you own and something you know/are" two-factor authentication is that it has some potential to cause violence - both can be beaten out of you: https://www.citizen.co.za/network-news/lnn/article/banking-a...
true_religion
This is true with 1FA too. 2FA is more effective at stopping the case where you're hacked and you don't even know it because your password was in a leak.
Leszek
What can't though?
2716057
A TAN generator or security key stored in a drawer at home. At least it reduces the opportunities for theft since people don't carry these devices with them all the time as opposed to their phones. Opportunity makes the thief.
fakedang
Staying anonymous. For every single multimillionaire or billionaire out there flaunting their wealth, there is another who's equally secretive about it. There are many folks with tens of billions in assets who don't make their wealth part of their brand.
Like that guy in Texas whose estate paid billions in tax when he passed away.
alistairSH
For instance on an iPhone, you can register a new face for FaceID if you know the passcode.
I stopped here... at least on iPhone, this doesn't work. When a new face is scanned into FaceId, all apps using that FaceId are supposed to (forced to?) re-authenticate.
Shank
You’re basically correct that apps can use a special mode where they require Face ID to be re-enrolled if anything changes about the credential store. Technically speaking it’s opt-in, but most banking apps use this mode.
jpc0
Shoulder surfing a passcode isn’t failure of two factor back down to a single factor.
This would be the same as shoulder surfing your card pin and then stealing or cloning your card. There were two factors, the attacker just has access to both.
They needed an authenticated app and the pin at that point which is two factors. Because both are related to your iPhone means nothing, both your card’s pin and your card are related to your card and both can be compromised by the exact same attack with the exact same consequences.
AshamedCaptain
On Android at least, even if you know a device's PIN and can add new fingerprints, doing so will cause all apps to reject all future fingerprint authentication attempts (and force you to go through a manual reenrolling process that will require another type of authentication, which depends on the bank).
It makes the conclusions of types 1 and 4 very different.
nerdjon
> Thieves actively exploit this by “shoulder surfing” a victim’s iPhone passcode before stealing the device
If someone is using biometrics how often are they really using their pin that this would at all be a valuable tactic? I very rarely actually need to enter my pin on my phone so this largely seems like a moot point?
Like yeah it is still technically possible but if we really get down to it, if someone were to learn the pin then a passkey is equally worthless since they could also use my phone then to authenticate anything with a passkey. Fairly surprised that software based passkeys are just skipped here since I doubt most people are using hardware based passkeys, particularly on mobile devices.
I think there is a bigger (not just banking) discussion to be had about what can be done with your phone's pin. But with the convenience of biometrics, set an actually strong password for your phone instead of a 4 or 6 digit code.
frollogaston
FaceID only works like half the time on me. Really want the fingerprint unlock back. The thing is, to get into Chase, you need my long Chase password OR my Face ID. Can't just use my passcode.
FuriouslyAdrift
I use a PIN to unlock because of legal rulings as you cannot be compelled to give your PIN (5th Amendment applies because it's "testimonial") but you can be compelled to use biometrics (5th does not apply).
Individual apps I use biometrics except on reboot if they support that.
pxeger1
This is not a compelling argument that 2FA is reduced to 1FA. You need either: something you have (phone) and something you are (face), OR something you have (phone) and something you know (passcode). In either case, there are still two factors. For a criminal to perform shoulder surfing and theft, more things must go right for them than to do either individually.
wintermutestwin
> something you have (phone) and something you are (face), OR something you have (phone) and something you know (passcode).
Thank you for breaking it down like this. The bottom line is that if you don’t have your phone, you can’t access your accounts. That is a massive risk factor - particularly while traveling. That tells me that passkeys and password managers are not a viable security solution.
rkrisztian
Exactly, your phone can break or get stolen any time. Plus I just don't want to limit myself to a single device.
okanat
Unfortunately in Germany almost all banks force you to use an unmodified phone (so no de-Googled) Android as the 2FA. There are other solutions like code generators but they require extra payment.
zarzavat
Buy an older iPhone for ~$150. Install financial apps on it and don't use it for anything else. Keep it in a safe place, only carry it around if you must.
If you need to manage non-trivial amounts of money through your phone, having a specific device to do that is a no-brainer.
fsflover
If your phone is compromised, a single password entry gives hackers full access. How is this not 1FA?
frollogaston
So the threat model is someone physically stealing your phone and guessing/seeing your password. The #1 proposed solution is a Yubikey. Can't they steal that too?
politelemon
> Passkeys, particularly when bound to a physical security key
And _only_ when bound to a physical security key. Unfortunately by tying into the marketing of passkeys, there is going to be a pervasive assumption that ecosystem/on-device passkeys are just as secure.
Overall a good set of points, and I think it highlights the issues with a lot of the lauded 'convenience' factors in the Apple ecosystem.
Shank
> Unfortunately by tying into the marketing of passkeys, there is going to be a pervasive assumption that ecosystem/on-device passkeys are just as secure.
Passkeys are an improvement over passwords. Security keys have a place for high security applications like enterprise deployments or the security paranoid. Passkeys stored on security keys can be trivially made worse by allowing users to set bad PINs (like 0000). If you use an iPhone and iCloud Keychain, iOS won’t permit you to store or use Passkeys with such an obvious passcode, but a Yubikey 5 will.
frollogaston
I feel similarly, improvement is better than no improvement. So far the evolution of mainstream auth was just password -> email/sms, the 2FA stuff in between was niche. Most sites just want that to be someone else's job, passkey is a simple and robust way to do that, unlike oauth.
sam_lowry_
Passkeys are improvements over passwords in that the login/password tuple is replaced by a single string.
Everything else, including hardware tokens, is marketing vendor lock-in.
Shank
A passkey is not a single string? A passkey is a public private key pair where the private key is never sent to a server and signs things.
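The key-pair model Shank describes, as an added Go example that is not part of this thread and not any vendor's implementation: the relying party (the bank's server) stores only a public key and issues a fresh random challenge per login; the authenticator holds the private key, signs the challenge together with a hash of the relying-party ID, and the server verifies with the stored public key and discards the challenge so the assertion cannot be replayed. The RelyingParty and Authenticator types, the "bank.example" identifier and the simplified signing input are assumptions for illustration; real WebAuthn signs CBOR authenticator data concatenated with SHA-256(clientDataJSON), but the property demonstrated (no server-side secret, origin binding, single-use challenge) is the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// RelyingParty is the server side (the bank). It stores public keys only, plus the
// challenges it has issued and not yet consumed. No secret material lives here.
type RelyingParty struct {
	ID         string                      // relying-party identifier, e.g. "bank.example" (assumed)
	PubKeys    map[string]*ecdsa.PublicKey // credential ID (hex) -> registered public key
	Challenges map[string]bool             // outstanding challenges (hex); deleted once used
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, PubKeys: map[string]*ecdsa.PublicKey{}, Challenges: map[string]bool{}}
}

// Authenticator is the device side. The private key is generated here and never leaves.
type Authenticator struct {
	CredID string
	priv   *ecdsa.PrivateKey
}

// Register creates a fresh P-256 key pair on the device and hands only the public half to the server.
func Register(rp *RelyingParty) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return nil, err
	}
	a := &Authenticator{CredID: hex.EncodeToString(id), priv: priv}
	rp.PubKeys[a.CredID] = &priv.PublicKey
	return a, nil
}

// NewChallenge issues 32 random bytes; the server remembers it so each may be used once.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.Challenges[hex.EncodeToString(c)] = true
	return c, nil
}

// signingInput is a simplified stand-in for WebAuthn's authenticatorData || SHA-256(clientDataJSON).
// Binding the relying-party ID into the signed data is what stops a signature obtained on a
// look-alike origin from verifying at the real one.
func signingInput(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	clientData := sha256.Sum256(challenge)
	digest := sha256.Sum256(append(rpHash[:], clientData[:]...))
	return digest[:]
}

// Sign produces the assertion. rpID is whatever origin the client believes it is talking to.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signingInput(rpID, challenge))
}

// Verify checks the assertion against the stored public key. The challenge is consumed whether
// or not the signature is good, so a captured assertion cannot be replayed later.
func (rp *RelyingParty) Verify(credID string, challenge, sig []byte) bool {
	key, ok := rp.PubKeys[credID]
	if !ok {
		return false
	}
	c := hex.EncodeToString(challenge)
	if !rp.Challenges[c] {
		return false // never issued, or already used
	}
	delete(rp.Challenges, c)
	return ecdsa.VerifyASN1(key, signingInput(rp.ID, challenge), sig)
}

func main() {
	rp := NewRelyingParty("bank.example")
	dev, _ := Register(rp)
	ch, _ := rp.NewChallenge()
	sig, _ := dev.Sign(rp.ID, ch)
	fmt.Println("fresh assertion:", rp.Verify(dev.CredID, ch, sig))    // true
	fmt.Println("replayed assertion:", rp.Verify(dev.CredID, ch, sig)) // false
}
```

What the server holds is a public key, so a server breach leaks nothing that lets anyone sign; what the device holds is the private key, which is why the thread's real question is how well the device protects it (passcode, biometrics, enrolment invalidation), not whether the credential is "a string".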
dguest
I've seen a lot of services (none banks so far) move over to requiring a One Time Password in addition to a password or private key as a way to get "2 factor authentication".
Problem is, people catch on that with some `expect` scripting and a few open source packages you can still just automate it to be 1 factor, just adding a bit more complexity to eventually leak the user's credentials.
deredede
If people need "`expect` scripting and a few open source packages [to] automate it to be 1 factor", it is effectively 2 factor for 99.9% of the population.
Also, if someone uses a password manager to store both the password and the OTP credential, that is still an improvement to security. Intercepting (e.g. shoulder surfing) or guessing the password is no longer enough, an attacker needs to get into the password manager's vault.
awhitby
This makes some good points. Slightly off its main topic, can iOS or an app treat Face ID and passcode auth differently, or are they completely unified?
For example, it would make a lot of sense to treat them differently for Apple Pay fraud detection, since passcode + device compromise seems a lot more likely in the real world than compelled Face ID.
Edit: there's a newish feature, Stolen Device Protection, that works along these lines - https://support.apple.com/en-us/120340
mindslight
I realize this post is on a .ch domain, but in a US context "2FA" is a complete anti-feature. As a bank customer, the most important thing you can do to secure your account is to promptly check for unauthorized transactions. Anything that increases the friction to regularly logging in thus makes it harder to maintain your own security.
The article starts with this description of 2FA:
> an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more distinct types of evidence (or factors) to an authentication mechanism.
and concludes with (emphasis mine):
> For the average user, the smartphone has become a single point of failure, where the theft of one device and one piece of knowledge (the passcode) can lead to total financial compromise.
Looks like 2FA to me, not 1FA.