I had rooted the phone and it gave me 90 days to reset with no extension at the end. I moved to the co-op bank, which is sufficiently old school that proper web based online banking is very important to them. Their products are a bit less advanced but I don't miss starling.
I largely agree, but I still think there's a compelling argument that blinding the issuer implicitly precludes API gatekeeping or censorship. Sites wouldn't need to pre-register with any issuer, nor could the issuer refuse to provide tokens on the basis of where they'll be used.
The key mitigation is that the protocol - as envisioned - is mediated by the user agent; you as a website cannot silently fire off probes that tell you anything.
could easily be done by malicious JS, an ad script, or the website itself, and then as the RP gets the output of 6.4) email and email_verified claims.
I'm guessing that this proposal requires new custom browser (user-agent) code just to handle this protocol?
Like a secure <input Email> element that makes sure there is some user input required to select a saved one, and that the value only goes to the actual server the user wants, that cannot be replaced by malicious JS.
You'd have to make an authenticated cross-origin request to the issuer, which would be equivalent to mounting a Cross-Site Request Forgery (CSRF) attack against the target email providers.
Even if you could send an authenticated request, the Same Origin Policy means your site won't be able to read the result unless the issuer explicitly returns appropriate CORS headers including `Access-Control-Allow-Origin: <* or your domain>` and `Access-Control-Allow-Credentials: true` in its response.
Browsers can exempt themselves from these constraints when making requests for their own purposes, but that's not an option available to web content.
> I'm guessing that this proposal requires new custom browser (user-agent) code just to handle this protocol?
Correct; which is going to be the main challenge for this to gain traction. We called it the "three-way cold start" in Persona: sites, issuers, and browsers are all stuck waiting for the other two to reach critical mass before it makes sense for them to adopt the protocol.
Google could probably sidestep that problem by abusing their market dominance in both the browser and issuer space, but I don't see the incentive nor do I see it being feasible for anyone else.
The Verified Email Protocol got renamed to BrowserID, and Persona was its reference implementation.
This looks broadly similar to that, but with some newer primitives (SD-JWT) and a focus on autocomplete as an entrypoint to the flow. If I recall correctly, the entire JOSE suite (JWT, JWK, JWE, etc.) was still under active iteration while we were building Persona.
And hey, I applaud the effort. Persona got a lot of things right, and I still think we as an industry can do better than Passkeys.
My understanding from looking into this two years ago is that it's hit or miss for banks (depending on if they opt into device attestation stuff), no for NFC / Google Wallet, and yes for Uber / Lyft.
Apparently the common workaround for the Google Wallet stuff is to pair a GrapheneOS phone with a stock Android smartwatch.
Apparently the common recommendation these days is to use Curve Pay as a virtual card provider on GrapheneOS, which can then route to arbitrary underlying cards. And evidently Google Wallet does work for things that aren't payment cards (airline tickets, transit passes, etc.) on GrapheneOS.
For me, it was the challenge and allure of doing something relatively difficult and rare. The first time I saw a Stop - Prevent Your Death sign[0] at depth, I knew I wanted the training to go beyond it.
It's also really peaceful underground.
Amusingly enough, I can't handle blue-water or wall dives (vertigo), nor wrecks (those aren't supposed to be there!), but caves are no problem. You've got walls, floor, and ceiling as a frame of reference, and everything is nice and cozy. It's like the Earth is giving you a hug.
I found Florida's caves positively delightful at 21 C; never felt the need to dive dry.
I am envious of the speleothems in Yucatán cenotes. Florida's caves are all phreatic, so you don't get any real decoration beyond scalloping. Still fun to dive, just not much to see aside from water, wet rocks, and a line. And not even that if you blow the viz.
21c sounds nice but I know Floridas geology leads to some comparatively deep caves. Most Cenotes range between 15ft-65ft but from what I hear about the Florida landscape is 85ft is average and some caves go past 300ft, which isn’t going to be warm anywhere.
"It doesn’t matter where you or your business is based. The new rules will apply to you (or your business) if the service you provide has a significant number of users in the UK, or if the UK is a target market."
I’m sure that they can write that. But their actual enforcement mechanism is nonexistent. No country is going to work with the UK to arrest someone that does that when the same thing isn’t illegal under their own law.
It does seem like Starling has gone out of their way twice to exempt GrapheneOS from their checks, but only after users complained: https://github.com/PrivSec-dev/banking-apps-compat-report/is...