I keep interacting with systems-- like my bank, etc.-- that require (or allow) you to add one or more trusted devices, which facilitate authentication in a variety of ways.

Some services let you set any device as a trusted device-- Macbook, desktop, phone, tablet, whatever. But many-- again, like my bank-- only allow you to trust a mobile device. Login confirmation is on a mobile device. Transaction confirmation: mobile device. Change a setting: Believe it or not, confirm on mobile device.

That kind of makes sense in that confirming on a second device is more secure… That’s one way to implement MFA. But of course, the inverse is not true: If I’m using the mobile app, there’s no need to confirm my transactions on desktop or any other second device, and in fact, I’m not allowed to.

But… Personally, I trust my mobile device much less than my desktop. I feel like I’m more likely to lose it or have it compromised in some way, and I feel like I have less visibility and control into what’s running on it and how it’s secured. I still think it’s fairly trustworthy, but just not categorically better than my Macbook.

So maybe I’m missing something: Is there some reason that an Android/iOS device would be inherently more secure than a laptop? Is it laziness on the part of (e.g.) my bank? Or is something else driving this phenomenon?

  • Emotet@slrpnk.net
    link
    fedilink
    arrow-up
    14
    ·
    6 months ago

    To add to this:

    We have to differentiate between physical and cybersecurity.

    Are you more likely to physically lose your smartphone you carry around with you all day than your full ATX desktop standing in your office? Yeah.

    But let’s consider the consequences for a moment.

    If someone physically stole your desktop, chances are that at least a part of your data isn’t encrypted, the boot sequence probably isn’t (at least completely) verified, and your OS is wide open. There is little to no real isolation in most desktop setups. Once somebody managed to gain access to your system, it is outright trivial to steal your browser sessions, modify commands or run some code, at least in userland.

    Physically stealing your smartphone is easy. But a modern smartphone is usually protected by verified boot and a password+fingerprint/Face ID combo. Unless you take active steps to compromise the security of the phone like rooting/jailbreaking it, disabling verified boot or disabling the passcode, it’s pretty hard if not near impossible to gain access to your data or modify it in a harmful way. If you visit an infected site or install an infected app, the damage is usually confined to that app’s data and the data accessible to it by permissions you probably had to allow to be set in the first place.

    Now that’s speaking to your usual bad actors and usual setups. Exceptions, as always, make the rule. As soon as a sufficiently motivated and technically able actor with access to 0-day exploits, like a state actor, targets you for some reason, all bets are off. But even in this case, due to the advanced verified boot chain on most modern smartphones, those exploits rarely have the ability to survive beyond a reboot.