techcode 3 days ago

In The Netherlands I wouldn't be able to log in to any government or adjacent websites (e.g. portal of my local health center/GP, health insurance, retirement/pension insurance) without a smartphone running the DigiD app for 2FA.

The non-EU Serbia has the equivalent app, but also you might be able to get an individual/personal e-certificate (for logging into e-government or signing e-documents) added into the smart card chip of your ID. But in practice it seems that's only used for business purposes, like CEO/Accountants/etc to sign/submit business records/taxes.

tmtvl 3 days ago

In Belgium the eID software runs on GNU/Linux, so I can log in to government websites using my ID card and a card reader. In my experience it even works better on GNU/Linux than on MS Windows.

It's one of the only things that Belgium does right.

closuregarden 3 days ago

The DigiD app isn't required. You can log in with DigiD using SMS 2FA. This is what I currently do, because I don't want to install closed-source software on my device.

mcv 3 days ago

DigiD used to work fine without an app. I think it still does, because I have to explicitly select using the app to log in.

exceptione 3 days ago

Dumb phone works as well with SMS verification.

techcode 2 days ago

I used to work for a GSM messaging gateway/SMSC. And seeing firsthand how most of those SMS messages (2FA, password reset, bank transaction/balance ...etc) are usually routed (sure over SSL but stored/forwarded as unencrypted GSM packets) through several different companies around the world - before reaching your mobile operator ...

And on top of that you add stuff like SIM cloning, and all the other things that one gets by having a direct SS7 connection (there were blog posts/YouTube videos - IIRC Linus Tech Tips calls/SMS got routed to Australia).

Using SMS for 2FA or anything similar is my last resort.

Granted I stopped working there 15+ years ago - but I imagine that the basic economy reasoning where it's impractical for every mobile operator to have a direct peering contract with every other operator in the world - is still the same.

And messages originating from non-mobile users/operators (like DigiD 2FA) always start at one of these messaging gateways/SMSCs (e.g. InfoBip.com), and often go through a few different ones before reaching your mobile operator.