Ok, goofballs at RSA SECURID. How hard is it to modify the algorithm so the one-time-pad skips any number that looks valid upside down? I know, I know, there are a lot of those ona 7-segment display.
If ∃ proof that OTP is insecure if such numbers are eliminated, I'll shut up.
To their credit, there is a ¼ segment flashing at the far bottom right to indicate that's the bottom, but as a dyslexic I can never remember if it's supposed to be at the top left or the bottom right. Plus it's small.
… aaaand in the time it took me to write the above 500 chars, grab a beverage, & move a load of laundry forward, the bank logged me out — forcing my 5th round of 3FA today!
Is there a security study that investigates constantly logging people out when they are in known secure locations vs. redoing auth (as latter gives attackers more chances to figure out & possible catch {2,3}FA information.
ISTR studies showed changing passwords that weren't compromised made security worse? Is that right?
@bkuhn At this point I'm willing to compromise and provide a seat to PC interface. It can log me out every time I actually stand up, but otherwise leave me be. What drives me bonkers at the moment is not being able to stay logged in long enough to do the job(s) I logged in for even with full attention -- ie reconciliations of bank statements against books, or anything that requires going back and forth or gathering info. I cope partly by printing out statements, which has its own risks.
@bkuhn As usual, the Onion is on it https://theonion.com/study-97-of-average-americans-day-spent-retrieving-6-digit-codes/
@johns also our old bank, for like 3 months, upon auto logout sent you to a broken relog in screen that was for a different online banking platform we didnt have an account on.