idCAT Mòbil is not a good idea - the US is already phasing out SMS authentication
The US Social Security Administration no longer uses it. Why? The answer (from NIST SP 800-63B):
Authenticate to a public mobile telephone network using a SIM card or equivalent that uniquely identifies the device. This method SHALL only be used if a secret is being sent from the verifier to the out-of-band device via the telephone network (SMS or voice).
If a secret is sent by the verifier to the out-of-band device, the device SHOULD NOT display the authentication secret on a device while it is locked by the owner (i.e., requires an entry of a PIN, passcode, or biometric). However, authenticators SHOULD indicate the receipt of an authentication secret on a locked device.
An out of band secret sent via SMS is received by an attacker who has convinced the mobile operator to redirect the victim’s mobile phone to the attacker. (under "Social Engineering")
A malicious app on the endpoint reads an out of band secret sent via SMS; the attacker uses the secret to authenticate. (under "Endpoint compromise")