In the country I live in, most authentication for online banking or authorities (such as tax) is based on an app. It has two operation modes:
1. Enter the personal number on the website (the personal number is not secret). Enter the PIN code in the app on the connected phone.
2. Use the phone to scan a QR code displayed by the website. Enter the PIN code in the app.
The app required initial activation using the legacy system (such as a TAN generator), i.e., it is somehow paired with the account. Once the app is installed it is always directly accessible when the phone is unlocked.
While naively one could argue that 1.) is 2FA since it requires having the phone and knowing the PIN, I feel this argument is invalid if we consider malware on the phone?
Operation mode 2.) seems intuitively safer (since it requires scanning a QR code, i.e., physical proximity), but nevertheless I have an odd feeling about it that I cannot pin down. Other common 2FA implementations seem to generally require entering information displayed on the phone on the website, or entering a password on the website rather than in the app?
Questions:
- How safe are these operation modes? Does it count as two-factor authentication?
- Is there anything I can do personally to mitigate some of the risks?