I noticed that CIBC/Simplii announced that my email (with NCF) isn't from a "company or educational institution" so could not be used for 2FA codes. I haven't actually used that, preferring SMS or the 2FAS authenticator. When I contacted them, they now say NO email for sending such codes. They are wanting people to use push notifications, which I can see as a useful tool for some people, depending on their connectivity status.
In email exchanged, I get the feeling they recommend setting up push to the SAME device where their banking app is installed. Am I missing something, or is this a really stupid idea? I've always considered the central idea of 2FA is to have at least 2 completely independent channels for verification. I note RBC makes a (very slight) mention of an "alternative" device. TD even has a separate 2FA authenticator app. I suspect a time-based one. They hint at separate device. However, I really think there's a lot of playing footsy with security in the web pages. JN To unsubscribe send a blank message to [email protected] To get help send a blank message to [email protected] To visit the archives: https://lists.linux-ottawa.org
