From what I’ve learned, banks care deeply about the account security of their users, but are:
- beholden to regulations that aren’t perfectly aligned with practical interests and are a generation of “best security practices” behind
- organizations that move slowly and deliberately

I think that banks will eventually catch up here. The phishing resistance of passkeys is genuinely too good to pass up on. Wells Fargo recently announced that they will be rolling out passkeys to their users, which delighted me. https://www.wellsfargo.com/help/security-and-fraud/passkey-faqs/
https://appdot.net/@jgordon/114506574656680761

@rmondello @jgordon My local bank actually used to support passkeys, but in redesigning their website they got rid of that option. I was confused, to say the least.

@rmondello I'm interested in my bank supporting Passkeys instead of SMS or proprietary app based 2FA. I understand building slowly and cautiously.

But Mint and similar services have existed for almost two decades? Why can't I generate a read-only access key to use with them instead of the master set of credentials?

I don't think the industry is striking the right balance for how people are using their services.

@rmondello @jgordon I recently discovered BofA supports hardware keys, but to enroll you have to call their 800 number to get some kind of verification code first. I’ve tried several times and never managed to get to the right place in their phone tree to make this happen. It’s absolutely bonkers that they gate their best security option behind this ridiculous process. Meanwhile my local credit union actually supports TOTP. It’s not my favorite option but at least it works.