Banks, email providers, booking sites, e-commerce, basically anything where money is involved, it’s always the same experience. If you use the Android or iOS app, you stayed signed in indefinitely. If you use a web browser, you get signed out and asked to re-authenticate constantly - and often you have to do it painfully using a 2FA factor.

For either of my banks, if I use their crappy Android app all I have to do is input a short PIN to get access. But in Firefox I also get signed out after about 10 minutes without interaction and have to enter full credentials again to get back in - and, naturally, they conceal the user ID field from the login manager to be extra annoying.

For a couple of other services (also involving money) it’s 2FA all the way. Literally no means of staying signed in on a desktop browser more than a single session - presumably defined as 30 minutes or whatever. Haven’t tried their own crappy mobile apps but I doubt very much it is such a bad experience.

Who else is being driven crazy by this? How is there any technical justification for this discrimination? Browsers store login tokens just like blackbox spyware on Android-iOS, there is nothing to stop you staying signed in indefinitely. The standard justification seems to be that web browsers are less secure than mobile apps - is there any merit at all to this argument?

Or is all this just a blatant scam to push people to install privacy-destroying spyware apps on privacy-destroying spyware OSs, thus helping to further undermine the most privacy-respecting software platform we have: the web.

If so, could a legal challenge be mounted using the latest EU rules? Maybe it’s time for Open Web Advocacy to get on the case.

Thoughts appreciated.

  • akwd169@sh.itjust.works
    link
    fedilink
    arrow-up
    3
    ·
    edit-2
    6 months ago

    My experience with my two banks has been, with their respective apps, I can sign in with just a password but I get logged out of the app after 10 minutes of inactivity. I never stay signed in. This is two different apps for 2 different banks.

    On the web, they almost always request their crappy 2FA which is via text or email, and I do not stay signed in ever either, as well as being logged out after 10 minutes of activity.

    What irks me is their 2FA, they have no other options besides email or text, the least secure options of all 2FA methods…

    But being signed out everytime, I’m not sure I see it as that much of a hassle, and I kind of appreciate that if someone can unlock my computer or phone, they cannot open my bank account just because I was logged in 30 minutes ago…

    • JubilantJaguar@lemmy.worldOP
      link
      fedilink
      arrow-up
      1
      ·
      6 months ago

      Exactly, the 2FA recourse usually affects browsers and not apps. And comes on top of the password or PIN, rather than replacing it. Which seems like discrimination. And it’s not even secure, as you say.

      This all feels very convenient. Like a subtle form of abuse, in the name of security, to push people away from the only platform where they have any serious chance of privacy.

      The arguments about the insecurity of the browser context have some merit in the aggregate, but in the end all these considerations are relative to the individual user. Which makes the discrimination a form of collective punishment that might have a legal redress.