[_jal]

Other folks have mentioned things you missed, here's another: insider threats.

A authentication event requiring a hardware token is significantly harder to deny, especially if used again by the legitimate user after the questionable event. So any insider attacks that are not last-hurrahs or one-shots plausibly explained by theft are significantly riskier.

[burner589432]

If you're trying to prevent credential theft: Educate users on password managers, deploying 2FA, or tokens like this would also make sense. MFA deployments are probably significantly cheaper though (And yes, ActiveDirectory OTP and smartcard based MFA tools exist). Productivity-wise, MFA will work better than USB tokens - I know a bunch of people who regularly forget their work smartcard pass, I don't know many people that forget their mobile phone.

If you're trying to have rock solid audit trails that will stand up in court: This, or 2FA won't have a huge functional difference, but chances are unless you have NSA/Google tier security, your money would be better spent hardening infrastructure - your logs won't be worth jack if a pentest rips your network apart in two hours. I regularly see $1m+ SEIM deployments on MS17-010 vulnerable networks, I feel like security gimmicks like these distract them away from fixing real problems and are, if anything, detrimental to security.

[ti_ranger]

> Productivity-wise, MFA will work better than USB tokens - I know a bunch of people who regularly forget their work smartcard pass, I don't know many people that forget their mobile phone.

(Your terminology is weird. What do you mean by MFA where USB tokens aren't in-scope? I guess you mean an authenticator app on a mobile device).

Where I work, we use Yubikeys, which are used as 2FA for almost everything: * SSO on all web internal web sites, the SSO implementation supports U2F * short-lived (less than a day) ssh certs signed by Yubikey OTP * VPN access authenticated by Yubikey OTP

Enrolling of yubikeys is self-service, and supports up to 2, and employees in critical positions can have 2. Re-setting the Yubikey OTP pin is mostly self-service, but you need to enter it any time you VPN or get a new ssh cert, so you are more likely to forget your phone at home than your Yubikey OTP pin.

> I feel like security gimmicks like these distract them away from fixing real problems and are, if anything, detrimental to security.

Many banks (especially in my country) rely on SMS OTPs. Some banks have OTP authentication for their websites on their mobile apps (but then if you uninstall the app, you have to re-enroll, which is quite tedious).

I would much prefer all banking sites to support U2F/WebAuthn, and hopefully that would also sufficiently motivate good support on phones for U2F/WebAuthn. If they allowed you to turn off any SMS-based OTPs (e.g. if they support recovery codes and 2 tokens), I think it would be possible to eliminate SIM-swap fraud (which is quite rife here ...).

And to be clear, I don't mean this in place of good password managers, I mean in addition to password managers. Defense-in-depth and all.

[tialaramex]

Banks inside the EU probably can't easily go to WebAuthn because they're coming under rules that say their multi-factor authentication needs to tie into transaction details.

The concern is, a customer is tricked into _legitimately_ authorising transaction A ("Send my cousin $50 for emergency cab fare") but the bad guys use the authorisation instead for transaction B ("Send my entire account balance to Anne Actual Crook in Russia") and the bank thinks everything checks out because they used multi-factor. Making the transaction details part of the authentication can defuse this significantly if you do it properly.

A straight forward WebAuthn setup which is just proof of control isn't enough there. Maybe you can put together something using extensions to WebAuthn or fudge it somehow to add these transaction details, but out of the box the banks seem to be going for:

* Bank branded authenticator apps for smartphones

* SMS (ugh)

* Custom authenticator devices with their own input