2factorauth / passkeys

FIDO2 Passkey directory
https://passkeys.2fa.directory
Creative Commons Attribution 4.0 International

Remove Bank of America #35

Closed holow29 closed 2 weeks ago

holow29 commented 2 weeks ago

Site name

Bank of America

Site URL

https://www.bankofamerica.com/

Removal reason

It no longer meets the Passkeys Directory's eligibility criteria.

Additional information

Bank of America does not support passkeys. If you try to add a passkey, it will fail and say, "passkeys are not supported at this time."


Carlgo11 commented 2 weeks ago

Hello @holow29, thank you for taking the time to submit an issue! Labeling banks is always tricky as the security information they give out publicly is often sparse and verifying that they support certain login methods is near impossible without an account with the bank. Therefore, would you mind sharing a bit more information so that we can figure out the best way of labeling BoA?

holow29 commented 2 weeks ago

There is no option to enroll a 'passkey'; the only option is to enroll a security key. I don't think they distinguish between login 2FA and "Secure Transfer." Verbiage used on their site below:

USB Security Key

If you want to add additional security for logging in or transferring money, and you don't have a U.S. mobile number or an active debit card, you can register a USB device to verify it's you.

USB – Extra security for higher-value transfers

A USB security key plugs into your computer’s USB port and functions as an extra layer of security to increase limits for certain transfer types. They’re an alternative to SMS-based one-time security codes if you don’t have access to a U.S. mobile phone number or can’t receive texts to your phone.

How to purchase

You can buy USB security keys at many trusted tech retailers and they typically cost $18-$50. Make sure the key you choose is FIDO-certified.

How to make transfers

When prompted for your USB security key, tap the button on the key already inserted into your USB port, allow the browser to read your device, and continue with your transfer. Once your key is set up, it serves as an extra layer of security for adding transfer recipients to your account and for extra security at login.

Security keys vary by manufacturer. We recommend FIDO® certified keys. Refer to your key's instructions if you have trouble completing registration. Security keys not used for six months will be removed from our system. All security keys must be renewed every three years or they will be deleted from our system. You may save up to 2 security keys. To change the name of the key, select the device name.

When I tried to add a software passkey using Bitwarden, it threw an error on Bank of America's side:

Your security key registration was not successful

Make sure your key is FIDO-1 or FIDO-2 certified and is a physical/removable key (passkeys are not supported at this time).

Tap the button on your key when you see the prompt to avoid timing out.

Verify your key is functioning correctly by using it on other security-enabled websites

Use one of these supported browsers: Chrome, Safari, Edge, or Firefox

Given that I doubt it supports CTAP, I don't think it should be in the passkey directory, though it could still be in the 2FA directory for supporting (what I assume is WebAuthn) with a physical security key.

Carlgo11 commented 2 weeks ago

Thank you so much for your very detailed report @holow29! I've made a pull request and it. The listing should be updated within a couple of hours (depending on who else is available to approve it).