[Openid-specs-fapi] [Off-topic] Option to disable password authentication among FIs?

Anders Rundgren anders.rundgren.net at gmail.com
Thu Dec 9 15:22:22 UTC 2021


On 2021-12-09 15:53, Nat Sakimura via Openid-specs-fapi wrote:
> Hi
> 
> This is off-topic for the WG but adjacent and since many of you are well acquainted with the markets, let me ask this.
> 
> Is there an example of Banks and other Financial Institutions that allows users to disable the password authentication so that they wholly can depend on FIDO or other types of SCAs?

I would be surprised if any bank let their users define login security policy.
Swedish banks have never used static passwords.

Regarding FIDO and banks, that won't happen in the EU because PSD2/SCA is a done deal and it is usually performed via the mobile banking app, which also offers a transaction request display.  The FIDO/W3C folks got it wrong; a payment authorization request needs no challenge, the request serves that purpose.

BTW, Android's WebAuthn solution is not yet ready for prime time; you need discoverable authenticators to not leave users in the dark when/if a cookie expires.

> 
> Not disabling password authentication (i.e., authenticating only with a password) seems to be a security weakness. If you could give me examples of disabling password-only login (I am guessing that is actually banned in EU) in each jurisdiction, it is much appreciated.

Passwords and screen-scraping are probably alive and kicking everywhere passwords are used.  OTP solutions are reverse engineered :|

Anders


> 
> Best,
> 
> -- 
> Nat Sakimura
> 
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
> 
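As an added illustration of the point made above about a payment authorization needing no separate challenge, here is a small Go program written for this page (it is not code from Anders, the FIDO Alliance, the W3C or any bank). It assumes a toy PaymentRequest layout: the bank mints a random tx_id per request, the device signs exactly the bytes it displayed, and the bank's verifier rejects replays, stale requests and any change to the displayed fields. The field names, the five-minute validity window and the use of Ed25519 are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// PaymentRequest is a constructed, toy version of what the banking app shows the
// user before they approve. Because the bank mints a fresh random TxID for every
// request, the request is already unique and unpredictable, which is the job a
// WebAuthn challenge would otherwise do. Field order is fixed by the struct.
type PaymentRequest struct {
	TxID        string `json:"tx_id"`
	Payee       string `json:"payee"`
	AmountCents int64  `json:"amount_cents"`
	IssuedAt    int64  `json:"issued_at"` // unix seconds, set by the bank
}

var (
	ErrReplay    = errors.New("transaction id already authorised")
	ErrStale     = errors.New("request outside validity window")
	ErrSignature = errors.New("signature does not match the displayed request")
)

// canonical returns the exact bytes that are both displayed and signed.
func canonical(r PaymentRequest) []byte {
	b, err := json.Marshal(r) // cannot fail for this flat struct
	if err != nil {
		panic(err)
	}
	return b
}

// NewPaymentRequest is the bank side: it binds a random, single-use id and a
// timestamp into the request, so no separate challenge is needed.
func NewPaymentRequest(payee string, cents int64, now time.Time) (PaymentRequest, error) {
	var id [16]byte
	if _, err := rand.Read(id[:]); err != nil {
		return PaymentRequest{}, err
	}
	return PaymentRequest{TxID: hex.EncodeToString(id[:]), Payee: payee, AmountCents: cents, IssuedAt: now.Unix()}, nil
}

// Approve models the user's device: it signs a digest of what it displayed.
func Approve(priv ed25519.PrivateKey, req PaymentRequest) []byte {
	digest := sha256.Sum256(canonical(req))
	return ed25519.Sign(priv, digest[:])
}

// Verifier is the bank's check on an approval. It keeps the set of ids already
// authorised so a captured signature cannot be submitted twice.
type Verifier struct {
	pub    ed25519.PublicKey
	seen   map[string]bool
	maxAge time.Duration
}

func NewVerifier(pub ed25519.PublicKey, maxAge time.Duration) *Verifier {
	return &Verifier{pub: pub, seen: make(map[string]bool), maxAge: maxAge}
}

// Authorize accepts a request only if it is fresh, unseen and signed over the
// exact bytes the device displayed. Any edit to amount or payee breaks the signature.
func (v *Verifier) Authorize(req PaymentRequest, sig []byte, now time.Time) error {
	issued := time.Unix(req.IssuedAt, 0)
	if now.Sub(issued) > v.maxAge || issued.After(now.Add(time.Minute)) {
		return ErrStale
	}
	if v.seen[req.TxID] {
		return ErrReplay
	}
	digest := sha256.Sum256(canonical(req))
	if !ed25519.Verify(v.pub, digest[:], sig) {
		return ErrSignature
	}
	v.seen[req.TxID] = true
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // device key, registered with the bank
	now := time.Now()
	req, _ := NewPaymentRequest("Example Payee (constructed)", 12500, now)
	v := NewVerifier(pub, 5*time.Minute)
	sig := Approve(priv, req)
	fmt.Println("first submission:", v.Authorize(req, sig, now))  // <nil>
	fmt.Println("replayed submission:", v.Authorize(req, sig, now)) // ErrReplay
}
```

The replay set and the validity window are what make the server-side challenge redundant: the bank already controls one unique value per request and checks it once, which is exactly the freshness property a random challenge provides in the plain WebAuthn login flow.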