Frank Slootweg <this@ddress.is.invalid> wrote:

> VanguardLH <V@nguard.lh> wrote:
>> Frank Slootweg <this@ddress.is.invalid> wrote:
>>
>>> And as AJL mentioned, the '2FA hoopla' is *less* with a smartphone,
>>> because for most services, you only do the 'hoopla' only *once* per
>>> service. (Some services also offer 'only-once' 2FA for non-phones, i.e.
>>> computers/laptops. Google (account/Gmail/others?) is an example.)
>>
>> Yep, as I noted, for phone users 2FA is less a nuisance. They're
>> getting the 2FA code on the same device where they are trying to login.
>
> Nope, also when logging in on their computer. Yet another example of
> you not knowing what you're talking about, but still critizing,
> complaining, etc..

Yes, that makes you feel comfortable. It just must be me, instead of
you ignoring the nuisance.

Let's make the scenario very simple. WITHOUT A PHONE, how am I to
complete the 2FA login? C'mon, give me an answer instead of pretending
it's my fault.

> Get a clue, will you!? Note the emphasis ('If*'). It's irrelevant
> whether you like it or not.

Wrong. It is relevant ... TO ME! Geez, get over yourself.

> As you have a smartphone,

Wrong again. I won't always have a smartphone with me wherever I'm
trying to login on a desktop/laptop/notebook. I've already given the
scenarios of lost phone, broken phone, stolen phone, dead battery, and I
can go on, but oh-no that would never happen. Uh huh. You might have
your phone grafted to you. I don't. At home, I have to go get my
phone, so, yes, that's a nuisance. At work, I don't need my phone
there, so often I don't take it with me. On vacation, I might get a
burner to use at that time instead of risking my far more expensive
phone, but the site is going to call the number for my expensive phone,
not the temporary burner. Unlike you and others here, I am *not* tied
to my phone, so, yes, I will encounter scenarios that you may not.

In the above scenario proposing that a phone is not available for
whatever reason, give solutions on how to complete the 2FA login.

I did contact my bank, and their 2FA scheme is oriented to their
customer having a phone available at the computer where they login.
That's not me, even at home. They did mention trying the Authy app on
my desktop PC, but I'll have to investigate how that works.

They also mentioned they will coming out with a passkey scheme, it will
replace 2FA, but they don't have any info to give out yet.

VanguardLH <V@nguard.LH> wrote:

> I did contact my bank, and their 2FA scheme is oriented to their
> customer having a phone available at the computer where they login.
> That's not me, even at home. They did mention trying the Authy app on
> my desktop PC, but I'll have to investigate how that works.

Okay, tried the Authy app on my Windows 10 desktop PC. It's okay, but
not great.

With the Authy app on my Windows desktop, I can eliminate tying my phone
to my desktop PC. It isn't a smooth operation. Took away to find
settings in my bank account that specify the Authy app was the primary
authenticator endpoint. However, to work means I have to load the Authy
program manually. It does not run in the background. It runs only in
the foreground, so I have to load it to get the 2FA token to complete
the bank login web form. With Authy constantly running in foreground, I
can minimize it but it occupies a slot on the Windows Taskbar (because
it is running). No option to move to system tray to show as a tray icon
when I'm not using it. The 2FA token expires in 20 seconds, so I have
to be quick mostly because it may not be running, so I have to load it.

When I get to adding multiple accounts to Authy, it will be confusing
which site to pick to get the token. Maybe the naming of accounts will
be obvious. I cannot rename the accounts. If I had 2 accounts at the
same bank, I wouldn't know which token account to look in. I'd have to
try tokens from both same-name accounts to see which was accepted by the
bank's login web form. When the Authy app is loaded (running in
foreground) before I log into my bank's web site, a popup appears
showing a new token was issued. I can click on the popup notification
to show the related account in the Authy app. So, I'll have to remember
to load Authy before I login at the bank site. Just wish Authy would
run in the background minimized to a tray icon. I don't want it
occupying a slot in the Windows Taskbar all the time, but I'd prefer the
Authy app was ready and waiting instead of me having to remember to load
it before hitting a login page using 2FA.

I have to copy the 2FA code from the Authy program into the login web
form. I was concerned about security of having security tokens in the
Windows clipboard, but the tokens expire in 20 seconds. Any in the
clipboard cache would be unusable in a later bank web session.

Yes, there are other authenticator apps, but my bank says they only work
with Authy. Still, it's better than leaving my desktop PC to hunt down
my phone, turn it on or have to charge it for awhile if it was left on,
get back to my desktop PC, and finally complete the login. I'll have to
work on how to get Authy loaded but as a tray icon instead of a taskbar
button.

Also, the "install" did not add a tile to the Start Menu, only to the
desktop. I pinned the desktop icon to the Start Menu (the tiles on the
right of the Start Menu), but was surprised there was no entry for Authy
in the Start Menu itself (the listing, not the tile section).

Interesting how I'm the one everyone here calls an idiot for not
understanding 2FA (which is evidentally not the case since I described
when it will work, when it is a nuisance, and when it is a big nuisance
by grafting a phone to a desktop PC). Also interesting is that none of
those calling me an idiot even mentioned trying an authenticator app on
my desktop.

VanguardLH wrote:
> VanguardLH <V@nguard.LH> wrote:

[snip]

So far as I can see there is no good solution.

The different options are:

1. Username/password only: can be abused from anywhere by somebody
knowing them.

2. Add "PINSentry" card reader. Needs the account to be associated with
a card - so where necessary banks have issued cards simply for
authentication purposes. Needs a card reader, but this can be kept with
the computer. Potentially available anywhere (e.g. in a store where you
make a purchase, where there could be a card reader). Difficult for
users suffering tremors or similar which make it difficult to operate
the small keypad, but probably people with this affliction would have
difficulty using a computer as well. Abuser also needs to know your PIN.
Arguably if abuser already has your username & password then (s)he
also has your PIN.

3. Alternatively add 2FA. Needs a working mobile phone within easy
reach (difficult for all the reasons cited). Mobile phones can be
stolen, either physically or by the abuser persuading the phone company
to issue a new phone on the victim's account - given the lower level of
security generally used by the phone company as has been widely reported.

So you have to limit your transactions to those which don't require a
computer and internet connection.

Go in person the bank? In my case a 26-mile round trip, and this is
relatively civilised Britain!

Only ever use cash? This would have been common only 50 years ago.

Don't have a bank account? A criminal working inside the bank cannot
then steal your money.

--
Graham J

Graham J wrote:

> Alternatively add 2FA.  Needs a working mobile phone within easy reach

Not necessarily, it could be done using a TOTP/HOTP token.

Andy Burns wrote:
> Graham J wrote:
>
>> Alternatively add 2FA.  Needs a working mobile phone within easy reach
>
> Not necessarily, it could be done using a TOTP/HOTP token.

OK that helps where the abuser logs in from elsewhere knowing the
username & password, because the TOTP token is only present on the
authenticated computer.

But if the computer used to log into the bank accounts is in fact a
smartphone and is already in the hands of the abuser it doesn't help at
all, as was discussed at length in an earlier post.

The token can be physical - like a dongle - or it can be built into a
credit card, for example:

<https://cpl.thalesgroup.com/access-management/authenticators/safenet-otp-display-card>

.... which I think I have seen integrated into a charge/credit card.

An abuser who knows the PIN and steals your card still breaks this.

--
Graham J

Graham J <nobody@nowhere.co.uk> wrote:
> VanguardLH wrote:
> > VanguardLH <V@nguard.LH> wrote:
>
> [snip]
>
> So far as I can see there is no good solution.
>
> The different options are:
>
> 1. Username/password only: can be abused from anywhere by somebody
> knowing them.
>
> 2. Add "PINSentry" card reader. Needs the account to be associated with
> a card - so where necessary banks have issued cards simply for
> authentication purposes. Needs a card reader, but this can be kept with
> the computer. Potentially available anywhere (e.g. in a store where you
> make a purchase, where there could be a card reader). Difficult for
> users suffering tremors or similar which make it difficult to operate
> the small keypad, but probably people with this affliction would have
> difficulty using a computer as well. Abuser also needs to know your PIN.
> Arguably if abuser already has your username & password then (s)he
> also has your PIN.

In The Netherlands, we've had card-based hardware TOTP (Time-based
one-time password) generators for a very, very long time (quick check:
at least since 2008, but probably much, much longer).

The card (mostly debit) can be used for online banking transactions,
paying in a shop, getting money from an ATM, online purchases,
contactless/PIN-less payments (less problems with tremor), etc., etc..
The debit card is fully protected against loss/theft/etc..

> 3. Alternatively add 2FA. Needs a working mobile phone within easy
> reach (difficult for all the reasons cited). Mobile phones can be
> stolen, either physically or by the abuser persuading the phone company
> to issue a new phone on the victim's account - given the lower level of
> security generally used by the phone company as has been widely reported.

"PINSentry" *is* 2FA, but I understand what you mean, add an
*alternative* 2FA or 2SV) method.

Yes, a 'dumb'/'feature' phone using SMS for 2SV is not totally fail-
safe, nor totally secure. With the right precautions, a smartphone - and
apps on it - can be quite secure.

[Left for completeness, as I don't quite understand what you're getting
at:]

> So you have to limit your transactions to those which don't require a
> computer and internet connection.
>
> Go in person the bank? In my case a 26-mile round trip, and this is
> relatively civilised Britain!
>
> Only ever use cash? This would have been common only 50 years ago.
>
> Don't have a bank account? A criminal working inside the bank cannot
> then steal your money.

VanguardLH <V@nguard.lh> wrote:

[More of the same endless, uninformed, misguided footstamping deleted.]

> I did contact my bank, and their 2FA scheme is oriented to their
> customer having a phone available at the computer where they login.
> That's not me, even at home. They did mention trying the Authy app on
> my desktop PC, but I'll have to investigate how that works.

See!? Works much better when you ask/investigate, instead of endless
whining, doesn't it!?

And as to your sick complaint elsewhere that we didn't mention
authenticator apps: We *did* mention that many (most?) services often
offer several different 2FA/2SV mechanisms. But did you pay attention?
No, you kept going on and on how all this is such a nuisance for poor
little 'VanguardLH'.

> They also mentioned they will coming out with a passkey scheme, it will
> replace 2FA, but they don't have any info to give out yet.

Yes, experts seem to agree that passkeys are the best solution for the
current password mess. Only few services offer/use it yet, but it
probably/hopefully will grow.

Graham J <nobody@nowhere.co.uk> wrote:
> Andy Burns wrote:
> > Graham J wrote:
> >
> >> Alternatively add 2FA.  Needs a working mobile phone within easy reach
> >
> > Not necessarily, it could be done using a TOTP/HOTP token.
>
> OK that helps where the abuser logs in from elsewhere knowing the
> username & password, because the TOTP token is only present on the
> authenticated computer.
>
> But if the computer used to log into the bank accounts is in fact a
> smartphone and is already in the hands of the abuser it doesn't help at
> all, as was discussed at length in an earlier post.

Nope. As mentioned, the smartphone is locked and the relevant apps on
the phone are locked. That's the whole point these days, you might lose
the phone *itself*, but the information *on* it can't be abused by a
culprit.

> The token can be physical - like a dongle - or it can be built into a
> credit card, for example:
>
> <https://cpl.thalesgroup.com/access-management/authenticators/safenet-otp-display-card>
>
> ... which I think I have seen integrated into a charge/credit card.
>
> An abuser who knows the PIN and steals your card still breaks this.

Yep, that's what 2FA is all about, two factors, something you have
(the card) and something you know (the PIN).

Frank Slootweg wrote:

[snip]

>
> [Left for completeness, as I don't quite understand what you're getting
> at:]
>
>> So you have to limit your transactions to those which don't require a
>> computer and internet connection.
>>
>> Go in person the bank? In my case a 26-mile round trip, and this is
>> relatively civilised Britain!
>>
>> Only ever use cash? This would have been common only 50 years ago.
>>
>> Don't have a bank account? A criminal working inside the bank cannot
>> then steal your money.

My point was to show that alternatives to the current 2FA/2SV schemes
are for most people ***even less*** convenient.

There are people with physical disabilities or infirmities for whom any
2FA/2SV schemes would be impractical. The banks have had real
difficulty in serving such customers. Some banks don't even understand
a Power of Attorney.

This will all be irrelevant after the Russians start nuking Ukraine.

--
Graham J

Frank Slootweg <this@ddress.is.invalid> wrote:

> VanguardLH <V@nguard.lh> wrote:
>
> [More of the same endless, uninformed, misguided footstamping deleted.]
>
>> I did contact my bank, and their 2FA scheme is oriented to their
>> customer having a phone available at the computer where they login.
>> That's not me, even at home. They did mention trying the Authy app on
>> my desktop PC, but I'll have to investigate how that works.
>
> See!? Works much better when you ask/investigate, instead of endless
> whining, doesn't it!?

See, works much better not to rely on anyone here, so far, in coming up
with a solution. Also, the Authy app has some nuisances of its own.
All it did was eliminate tying the phone to my desktop which was the
biggest nuisance, but still has its own smaller nuisances that I'm still
trying to circumvent, like: no startup with Windows, won't run minimized
to a systray icon, can't tell with multiple accounts at the same bank
which token to use in Authy (they all get the same name, and the user
cannot rename them). Still, it's better than going to the other end of
the house to retrieve my phone only to find its battery is dead.

> And as to your sick complaint elsewhere that we didn't mention
> authenticator apps: We *did* mention that many (most?) services often
> offer several different 2FA/2SV mechanisms.

Ah, the oh-so-detailed "other mechanisms" response. Like idiots that
say "It's this, or something". Well, yeah, "or something" covers
everything else.

> No, you kept going on and on how all this is such a nuisance for poor
> little 'VanguardLH'.

Yep, a nuisance to me. Sorry, but you and I do not mandate experiences
for everyone. If I felt it was a nuisance, so do others. If you
consider the nuisance as trivial (which still means it is a nuisance),
then so do others.

>> They also mentioned they will coming out with a passkey scheme, it will
>> replace 2FA, but they don't have any info to give out yet.
>
> Yes, experts seem to agree that passkeys are the best solution for the
> current password mess. Only few services offer/use it yet, but it
> probably/hopefully will grow.

Alas, what I got out of the bank rep was their passkey approach will
incorporate biometrics. So, I'd have to buy more hardware (fingerprint
reader) to encompass that security method. If you've read the reviews
on fingerprint readers, lots of users have problems with getting them to
work, like it takes several tries before their fingerprint is matched,
and some protocols sites use are not supported. Retinal scan and voice
are other biometrics. Oh joy, more hardware to buy. Sorry, my computer
is not the property of others to decide at their whim how much more
hardware I have to buy.

VanguardLH <V@nguard.lh> wrote:
> Frank Slootweg <this@ddress.is.invalid> wrote:
>
> > VanguardLH <V@nguard.lh> wrote:
> >
> > [More of the same endless, uninformed, misguided footstamping deleted.]
> >
> >> I did contact my bank, and their 2FA scheme is oriented to their
> >> customer having a phone available at the computer where they login.
> >> That's not me, even at home. They did mention trying the Authy app on
> >> my desktop PC, but I'll have to investigate how that works.
> >
> > See!? Works much better when you ask/investigate, instead of endless
> > whining, doesn't it!?
>
> See, works much better not to rely on anyone here, so far, in coming up
> with a solution.

Indeed, why stop lying when it worked so 'well' sofar? And never mind
that it's a tad hard to come up with a solution when no specific
problem has been presented.

[Repeat of earlier whines deleted.]

> > And as to your sick complaint elsewhere that we didn't mention
> > authenticator apps: We *did* mention that many (most?) services often
> > offer several different 2FA/2SV mechanisms.
>
> Ah, the oh-so-detailed "other mechanisms" response. Like idiots that
> say "It's this, or something". Well, yeah, "or something" covers
> everything else.

Misrepresenting what actually transpired didn't work very well sofar.
What makes you think that it'll work now?

> > No, you kept going on and on how all this is such a nuisance for poor
> > little 'VanguardLH'.
>
> Yep, a nuisance to me. Sorry, but you and I do not mandate experiences
> for everyone. If I felt it was a nuisance, so do others. If you
> consider the nuisance as trivial (which still means it is a nuisance),
> then so do others.

I/we do not consider it a 'nuisance' at all, because it's *needed* and
- as said several times before - often a *one-time* thing per device.
(Obviously not for banking transactions (your only specific example
which didn't come up until (too) late in the thread)).

Is it a 'nuisance' that I have to use my keyboard to compose this
message?

> >> They also mentioned they will coming out with a passkey scheme, it will
> >> replace 2FA, but they don't have any info to give out yet.
> >
> > Yes, experts seem to agree that passkeys are the best solution for the
> > current password mess. Only few services offer/use it yet, but it
> > probably/hopefully will grow.
>
> Alas, what I got out of the bank rep was their passkey approach will
> incorporate biometrics.

Doesn't your bank offer a (hardware) TOTP generator?

As I mentioned in my response to Graham, we've had them since at least
2008 and probably much, much longer. We had them ever since 'internet
banking' was introduced. So I *use* extra hardware, but I do not have to
*buy* that hardware.

> So, I'd have to buy more hardware (fingerprint
> reader) to encompass that security method. If you've read the reviews
> on fingerprint readers, lots of users have problems with getting them to
> work, like it takes several tries before their fingerprint is matched,
> and some protocols sites use are not supported.

My experience with the fingerprint readers on our (Samsung) phones has
been very good. Occasionally it needs another attempt, but not often,
and it's hardly a nuisance! :-)

My 'new' laptop also has a fingerprint reader, but I've not yet
bothered to try it. No need, yet.

> Retinal scan and voice
> are other biometrics. Oh joy, more hardware to buy. Sorry, my computer
> is not the property of others to decide at their whim how much more
> hardware I have to buy.

As said several times before, there are and probably will be several
options for most if not all services. But yes, at some time you probably
'have' to buy extra hardware, just like you 'had' to buy/have a computer
in order to use online banking.

Frank Slootweg <this@ddress.is.invalid> wrote:

> VanguardLH <V@nguard.lh> wrote:
>> Frank Slootweg <this@ddress.is.invalid> wrote:
>>
>>> VanguardLH <V@nguard.lh> wrote:
>>>
>>> [More of the same endless, uninformed, misguided footstamping deleted.]
>>>
>>>> I did contact my bank, and their 2FA scheme is oriented to their
>>>> customer having a phone available at the computer where they login.
>>>> That's not me, even at home. They did mention trying the Authy app on
>>>> my desktop PC, but I'll have to investigate how that works.
>>>
>>> See!? Works much better when you ask/investigate, instead of endless
>>> whining, doesn't it!?
>>
>> See, works much better not to rely on anyone here, so far, in coming up
>> with a solution.
>
> Indeed, why stop lying when it worked so 'well' sofar? And never mind
> that it's a tad hard to come up with a solution when no specific
> problem has been presented.

Lying is intentional. Being mistaken is not. I've never proclaimed to
be God. Please give the MID of whomever's article mentioned using an
authenticator app.

> I/we do not consider it a 'nuisance' at all, because it's *needed* and

Your opinion. There will others that share your opinion. Not here but
elsewhere when I've discussed this, other users also consider it a
nuisance to tie a phone to a computer (where the computer is not a
phone). I'm sure you would like the skew the opinions to match that of
your own. Regardless of your impugned insults, yep, it is a nuisance to
me. Even little ol' you admit it's a nuisance, but dismiss it as
necessary. Uh huh, let's make logins more secure by using an insecure
and nonencrypted communications venue without guaranteed delivery (SMS).

> - as said several times before - often a *one-time* thing per device.

That was when someone discussed how it worked on their phone, but gave
no specifics on just what was saving the 2FA tokens. That scenario of
getting 2FA codes on the same phone where you are trying to login was
*NOT* my scenario of tying a phone to a desktop PC.

> Is it a 'nuisance' that I have to use my keyboard to compose this
> message?

Only because you're as obstinate as I.

> Doesn't your bank offer a (hardware) TOTP generator?

Nope. 2FA or passkey, the later of which incorporates biometrics, so
I'd have to buy new hardware. They don't support USB security keys,
either, but that also means buying more hardware.

> My experience with the fingerprint readers on our (Samsung) phones has
> been very good. Occasionally it needs another attempt, but not often,
> and it's hardly a nuisance! :-)

Again, you're focusing on the wrong scenario: logging on using phones to
get the 2FA code on the same phone. I already admitted that while that
is still a nuisance, that it is a little nuisance. My scenario was 2FA
sucks when logging in on a desktop PC and having to tie my phone to my
computer to complete the login.

What happens when you don't get the 2FA code on your phone (to complete
the login on your desktop PC)? SMS delivery is not guaranteed. The
site might've not generated the text successfully (some failure on their
end). You're stuck at the login with no means to complete it. Maybe
that doesn't happen a lot to you, but my experience is there is a good
chance that I'll have to ask the site to resend (another but different
2FA code). Then I wait again, and try again, and after a few times give
up on getting the 2FA, and surrender to not getting logged in hoping the
site recognizes the problem and fixes it.

> My 'new' laptop also has a fingerprint reader, but I've not yet
> bothered to try it. No need, yet.

Again, different scenario. My desktop PC does not have a fingerprint
reader. I would have to buy more hardware to support someone else's
requirement to support biometrics. Phones sometimes have fingerprint
readers. Mine does. Laptops sometimes have fingerprint readers. Those
scenarios are irrelevant to a desktop PC. I don't buy pre-builts, but
even then I don't remember seeing any desktop cases with in-built
fingerprint readers. When jobbing your own build, you decide what
hardware to add. I've never added fingerprint readers, or retinal
scanners. For voice print, I'd have to connect my headset which is
normally stuffed in a drawer.

> As said several times before, there are and probably will be several
> options for most if not all services. But yes, at some time you probably
> 'have' to buy extra hardware, just like you 'had' to buy/have a computer
> in order to use online banking.

Buying/building a computer is a general purpose device, not designed for
a specific site, or even a small set of sites. Yes, I also had to buy a
car, but I'm not specially ordering one that has heated seats just
because one person in many years would like me to have them.

VanguardLH <V@nguard.lh> wrote:
> Frank Slootweg <this@ddress.is.invalid> wrote:
>
> > VanguardLH <V@nguard.lh> wrote:
> >> Frank Slootweg <this@ddress.is.invalid> wrote:
> >>
> >>> VanguardLH <V@nguard.lh> wrote:
> >>>
> >>> [More of the same endless, uninformed, misguided footstamping deleted.]
> >>>
> >>>> I did contact my bank, and their 2FA scheme is oriented to their
> >>>> customer having a phone available at the computer where they login.
> >>>> That's not me, even at home. They did mention trying the Authy app on
> >>>> my desktop PC, but I'll have to investigate how that works.
> >>>
> >>> See!? Works much better when you ask/investigate, instead of endless
> >>> whining, doesn't it!?
> >>
> >> See, works much better not to rely on anyone here, so far, in coming up
> >> with a solution.
> >
> > Indeed, why stop lying when it worked so 'well' sofar? And never mind
> > that it's a tad hard to come up with a solution when no specific
> > problem has been presented.
>
> Lying is intentional. Being mistaken is not. I've never proclaimed to
> be God. Please give the MID of whomever's article mentioned using an
> authenticator app.

I'm mostly done with this (and frankly also with you), so I'll try to
keep this short.

The lying has nothing to do with "an authenticator app". I don't
understand how you came to that conclusion.

The lying is your lying-by-omission, i.e. dishostly silently snipping
arguments which don't fit your agenda/narrative and the lying of
misrepresenting your correspondents' position, in one case even
mispresenting it as the exact opposite of said position.

> > I/we do not consider it a 'nuisance' at all, because it's *needed* and
>
> Your opinion.

Nope. The need is not an opinion, it's a fact, for the user. You might
consider it an opinion for the service provider, so we said: complain to
*them*, not 'us'.

> There will others that share your opinion. Not here but
> elsewhere when I've discussed this, other users also consider it a
> nuisance to tie a phone to a computer (where the computer is not a
> phone).

I expalined that you don't have to 'tie' the phone to the computer,
but you snipped and ignored that as well. See a pattern there!? :-(
(Yes, you need to *have* a phone (if you need SMS 2SV).)

[Repeat of whine deleted.]

> > - as said several times before - often a *one-time* thing per device.
>
> That was when someone discussed how it worked on their phone,

That may have been the context (can't be bothered to verify with a
cite), but it's not limited to phones (historically it's even the
reverse). For example Google offers the same for a login on a computer
(something like a 'Remember this device' tickmark). And the mechanism is
quite common for other services.

[...]

> > Is it a 'nuisance' that I have to use my keyboard to compose this
> > message?
>
> Only because you're as obstinate as I.

Yep. Thanks for that! :-)

> > Doesn't your bank offer a (hardware) TOTP generator?
>
> Nope. 2FA or passkey, the later of which incorporates biometrics, so
> I'd have to buy new hardware. They don't support USB security keys,
> either, but that also means buying more hardware.

OK. (Minor nit: Using a TOTP *is* 2FA or at least 2SV, but you
probably mean (SMS codes or) the authenticator app.)

> > My experience with the fingerprint readers on our (Samsung) phones has
> > been very good. Occasionally it needs another attempt, but not often,
> > and it's hardly a nuisance! :-)
>
> Again, you're focusing on the wrong scenario: logging on using phones to
> get the 2FA code on the same phone. I already admitted that while that
> is still a nuisance, that it is a little nuisance. My scenario was 2FA
> sucks when logging in on a desktop PC and having to tie my phone to my
> computer to complete the login.

Nope. You talked about the deficiencies of / problem with *fingerprint
readers*, so I gave my experience with them. That my fingerprint reader
is on/in a smartphone is irrelevant.

> What happens when you don't get the 2FA code on your phone (to complete
> the login on your desktop PC)? SMS delivery is not guaranteed. The
> site might've not generated the text successfully (some failure on their
> end). You're stuck at the login with no means to complete it. Maybe
> that doesn't happen a lot to you, but my experience is there is a good
> chance that I'll have to ask the site to resend (another but different
> 2FA code). Then I wait again, and try again, and after a few times give
> up on getting the 2FA, and surrender to not getting logged in hoping the
> site recognizes the problem and fixes it.

Yes, it happens. No, it does happen often. Yes, SMS is fast (few
seconds). Get over it.

> > My 'new' laptop also has a fingerprint reader, but I've not yet
> > bothered to try it. No need, yet.
>
> Again, different scenario. My desktop PC does not have a fingerprint
> reader. I would have to buy more hardware to support someone else's
> requirement to support biometrics. Phones sometimes have fingerprint
> readers. Mine does. Laptops sometimes have fingerprint readers. Those
> scenarios are irrelevant to a desktop PC. I don't buy pre-builts, but
> even then I don't remember seeing any desktop cases with in-built
> fingerprint readers. When jobbing your own build, you decide what
> hardware to add. I've never added fingerprint readers, or retinal
> scanners. For voice print, I'd have to connect my headset which is
> normally stuffed in a drawer.

Yawn! Umpteenth rerun of whines. Investigate (external) fingerprint
readers *if* and *when* the need arises.

Retinal scanners? Very unlikely to be needed any time soon.

> > As said several times before, there are and probably will be several
> > options for most if not all services. But yes, at some time you probably
> > 'have' to buy extra hardware, just like you 'had' to buy/have a computer
> > in order to use online banking.
>
> Buying/building a computer is a general purpose device, not designed for
> a specific site, or even a small set of sites.
[...]

But you *do* configure your computer for what you think will be
needed now and in the near future and these needs change over time. You
don't have the same computer you had two decades ago. Guess what,
security/privacy needs change over time as well and you'll have to get
with the program, whether you like it or not.

Having said that, an acquaintance of ours still does all her banking
by paper means. Quite a nuisance if you ask me, but it's still possible
(for how long?) and her choice.

(AFAIC.) EOD.