
   alt.os.linux      Getting to be as bloated as Windows!      107,822 messages   


   Message 107,509 of 107,822   
   Paul to bad sector   
   Re: Why *login.microosoft.com* in my MFA   
   04 Sep 25 18:28:40   
   
   From: nospam@needed.invalid   
      
   On Thu, 9/4/2025 3:50 PM, bad sector wrote:   
   >   
   >   
   > My bank 'accepts' the use of a verification code sent to a smartphone
   > as ONE of several optional ways to establish MFA, it also offers to
   > prompt me instead for my response to a random one of many code prompts
   > (stored on their server), etc. I think the second method is superior because
   > its reliability rests on a large institutional security infrastructure and NOT
   > something as vulnerable and as totally unreliable as my phone or traffic
   > moving through it.
   >
   > Now another outfit I deal with INSISTS that I accept the smartphone
   > method OR ELSE and will not accept that for all intents and purposes my
   > phone is only for the use of my family and will NOT be made available
   > to them and that even if they do get a hold of it they will much more
   > likely be blacklisted instead of receiving any response.
   >   
   > A surprise in this chain of events (surprise to me because it's my   
   > first involvement with the 'requirement or else' arrogance) is that   
   > while initially trying to set up the establishment of whatever MFA   
   > dialog might await a few clicks later on their web-site I saw _my_   
   > browser-traffic routed to 'login.microsoftonline.com', a red flag if I   
   > ever saw one.   
   >   
   > Any wisdom out there that might either dissipate this stench or clarify   
   > how it might be handled? I don't think "I" need MFA but maybe there is   
   > a use for it; I certainly don't feel good about ever having microcancer   
   > in possession of any of my data be that a phone number or the time of   
   > day.   
   >   
   > TIA   
      
   Could you use a FIDO stick? Some of them have a push button,
   and the stick works off a USB port. You push the button and it
   generates a code locally (didn't read the article, maybe by PKI?)
   and that flows through the web session to your organization. There
   are other biometric methods available, but if you Google
   for a merchant to sell you one, the types offered could be
   limited. When you get a stick, buy a short USB extension cord,
   so the USB metal connector does the plugging and unplugging,
   not the stick connector (which should stay affixed to the extension).
   The FIDO sticks do not have particularly robust construction.
   That's why you're using an extension cable.
      
      https://en.wikipedia.org/wiki/FIDO_Alliance   
      
   Only a few organizations have mastered how to do this.
   The VA in the USA uses it, or has an option to use it.
   Google and Microsoft also know FIDO sticks.
      
   It is supposed to be an alternative to 2FA, which your opponent
   seems to want. And it would allow a person without a phone
   to authenticate. You buy two sticks, set up both sticks, and
   if one stick fails (you lose it), the second stick could   
   be used to bootstrap the setup of a third stick or whatever.   
   You keep the second stick in your sock drawer.   
      
   Otherwise, your bank surprise domain of login.microsoftonline.com   
   is no different than their "love of Internet Explorer" back in   
   the day. And to demonstrate how "with it" the clever bank IT   
   people are, when Microsoft has delivered Internet Explorer 11,   
   you set up the banking web page so it only works with   
   Internet Explorer 10 (the web page doesn't work for all IE,   
   just the one specific version). Which of course, sends the customers   
   into a tizzy.   
      
   So really, tying a Microsoft/Bing/MSA type login, into the mix,   
   that's "just another day at the bank" really. They consider   
   their "Microsoft Love" to be a "normal" kind of kink. You would   
   think they would check the UserAgent sent by your browser, and,   
   um, not do that. Or maybe it is a subtle way of saying "heh,   
   we only support Windows here at the ranch".   
      
      Paul   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
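The "generates a code locally (maybe by PKI?)" step Paul describes is, in FIDO2/WebAuthn, a public-key challenge-response: the stick keeps one private key per site, signs a server challenge together with a hash of the site's domain, and the server verifies with the public key it stored at setup. The following is an added example, not code from the post or from any FIDO product, that models that exchange end to end, including the two-stick backup Paul suggests. It uses Ed25519 from the Go standard library in place of the ECDSA keys most sticks ship with, a simplified authenticatorData (rpID hash plus counter) and clientData (challenge plus origin), and the constructed domain names `bank.example` and `bank-login.example`; the type and function names are all assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator stands in for the FIDO stick: one key pair per relying party
// ID, generated on the device at setup. The private key never leaves the
// struct; only signatures go out over the web session.
type Authenticator struct {
	keys    map[string]ed25519.PrivateKey // rpID -> private key
	counter uint32                        // signature counter, bumped per use
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]ed25519.PrivateKey{}}
}

// Register is the button press during setup; only the public key is returned.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[rpID] = priv
	return pub
}

// Assertion is the "code" that flows through the browser to the server.
type Assertion struct {
	AuthData       []byte // sha256(rpID) || 4-byte big-endian counter
	ClientDataHash []byte // hash over the server challenge and the browser's origin
	Signature      []byte
}

// Sign is the button press at login. The browser, not the server, supplies
// rpID from the origin of the page it is showing, so a look-alike domain asks
// for a key the stick never created.
func (a *Authenticator) Sign(rpID string, clientDataHash []byte) (*Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for this origin")
	}
	a.counter++
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0, 0, 0, 0)
	binary.BigEndian.PutUint32(authData[32:], a.counter)
	msg := append(append([]byte{}, authData...), clientDataHash...)
	return &Assertion{AuthData: authData, ClientDataHash: clientDataHash,
		Signature: ed25519.Sign(priv, msg)}, nil
}

// ClientDataHash models the browser binding the challenge to the origin it is
// actually talking to (constructed simplification of WebAuthn clientDataJSON).
func ClientDataHash(challenge []byte, origin string) []byte {
	h := sha256.Sum256(append(append([]byte{}, challenge...), []byte(origin)...))
	return h[:]
}

type credential struct {
	pub         ed25519.PublicKey
	lastCounter uint32
}

// RelyingParty is the bank's or organization's server.
type RelyingParty struct {
	ID    string        // the site's domain, e.g. "bank.example"
	creds []*credential // every stick the user registered; the second is the backup
}

func (rp *RelyingParty) Register(pub ed25519.PublicKey) {
	rp.creds = append(rp.creds, &credential{pub: pub})
}

// Challenge returns fresh random bytes; an assertion is good for one of them only.
func (rp *RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify checks domain binding, freshness, the signature and the counter.
func (rp *RelyingParty) Verify(challenge []byte, as *Assertion) error {
	want := sha256.Sum256([]byte(rp.ID))
	if len(as.AuthData) != 36 || !bytes.Equal(as.AuthData[:32], want[:]) {
		return errors.New("assertion is bound to a different relying party")
	}
	if !bytes.Equal(as.ClientDataHash, ClientDataHash(challenge, "https://"+rp.ID)) {
		return errors.New("challenge or origin mismatch (stale, replayed or relayed assertion)")
	}
	msg := append(append([]byte{}, as.AuthData...), as.ClientDataHash...)
	counter := binary.BigEndian.Uint32(as.AuthData[32:])
	for _, c := range rp.creds {
		if ed25519.Verify(c.pub, msg, as.Signature) {
			if counter <= c.lastCounter {
				return errors.New("signature counter did not increase: possible cloned authenticator")
			}
			c.lastCounter = counter
			return nil
		}
	}
	return errors.New("signature matches no registered authenticator")
}

func main() {
	rp := &RelyingParty{ID: "bank.example"}
	stick, backup := NewAuthenticator(), NewAuthenticator()
	rp.Register(stick.Register(rp.ID)) // set up both sticks, as Paul suggests
	rp.Register(backup.Register(rp.ID))
	ch := rp.Challenge()
	as, _ := stick.Sign(rp.ID, ClientDataHash(ch, "https://bank.example"))
	fmt.Println("login with stick:", rp.Verify(ch, as))
	fmt.Println("replay against a new challenge:", rp.Verify(rp.Challenge(), as))
	_, err := stick.Sign("bank-login.example", nil) // constructed look-alike domain
	fmt.Println("look-alike origin:", err)
	ch = rp.Challenge()
	as, _ = backup.Sign(rp.ID, ClientDataHash(ch, "https://bank.example"))
	fmt.Println("login with backup stick:", rp.Verify(ch, as))
}
```

Two things the model makes visible that an SMS or app code cannot offer: the signature covers the site's domain and a one-time challenge, so a code captured or relayed elsewhere verifies nowhere, and losing a stick costs nothing as long as the second one's public key was registered up front, since the server simply accepts any of the stored credentials.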
