I keep interacting with systems-- like my bank, etc.-- that require (or allow) you to add one or more trusted devices, which facilitate authentication in a variety of ways.

Some services let you set any device as a trusted device-- Macbook, desktop, phone, tablet, whatever. But many-- again, like my bank-- only allow you to trust a mobile device. Login confirmation is on a mobile device. Transaction confirmation: mobile device. Change a setting: Believe it or not, confirm on mobile device.

That kind of makes sense in that confirming on a second device is more secure… That’s one way to implement MFA. But of course, the inverse is not true: If I’m using the mobile app, there’s no need to confirm my transactions on desktop or any other second device, and in fact, I’m not allowed to.

But… Personally, I trust my mobile device much less than my desktop. I feel like I’m more likely to lose it or have it compromised in some way, and I feel like I have less visibility and control into what’s running on it and how it’s secured. I still think it’s fairly trustworthy, but just not categorically better than my Macbook.

So maybe I’m missing something: Is there some reason that an Android/iOS device would be inherently more secure than a laptop? Is it laziness on the part of (e.g.) my bank? Or is something else driving this phenomenon?

  • tal
    link
    fedilink
    English
    arrow-up
    9
    ·
    6 months ago

    As things stand, mobile OSes have some pretty decent out-of-box ways for apps to be isolated. App A can’t fiddle with data private to app B. That Android video game you just downloaded can’t extract data from your web browser or generally fiddle with it.

    Desktop OSes today don’t normally have software install and work like that. Yeah, you can manually set something like that up with containers or VMs, but your typical user isn’t going to do that.