2FA on same device as application that is to be secured?

  • Subject: 2FA on same device as application that is to be secured?
  • From: Nash JC - NCF <nashjc [ at ] ncf [ dot ] ca>
  • Date: Mon, 14 Jul 2025 18:37:57 -0400
I noticed that CIBC/Simplii announced that my email (with NCF) isn't from a "company or
educational institution" so could not be used for 2FA codes. I haven't actually used that,
preferring SMS or the 2FAS authenticator. When I contacted them, they now say NO email
for sending such codes. They are wanting people to use push notifications, which I can
see as a useful tool for some people, depending on their connectivity status.

In the emails exchanged, I get the feeling they recommend setting up push to the SAME device
where their banking app is installed.

Am I missing something, or is this a really stupid idea? I've always considered the
central idea of 2FA is to have at least 2 completely independent channels for verification.

I note RBC makes a (very slight) mention of an "alternative" device. TD even has a separate
2FA authenticator app. I suspect a time-based one. They hint at a separate device. However,
I really think there's a lot of playing footsy with security in the web pages.

JN

