News Focus

WBCTrader

11/01/17 12:15 PM

#189157 RE: Big Papa bear #189155

I don't know how else you can read it. It says it used to be OK, but now if you use the same device to do both, MFA/OOB is nullified.

It's pretty plain and simple.

I steal your phone; you have your banking info on "auto complete" (just for example). I have your phone, and your login info stored on it. I use Safari to log in to your bank, it sends the OOB/MFA SMS, one-time password, passphrase, code, etc. to THAT PHONE, I authenticate and I'm in. Effectively NULLIFYING the OOB/MFA by use of the same compromised device.

PCI now says that's not good enough. It needs to be a different DEVICE or have additional methods of authentication.

the authentication process should establish controls to guarantee that the individual attempting to use the authentication is, in fact, the legitimate user in possession of the authentication factor
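The scenario in the post generalizes to a simple independence check: if every factor presented during login could be obtained by someone holding one single device, that device is a single point of compromise and the second factor adds nothing. The following Python is an added example, not code from the forum post or from the PCI Security Standards Council; the factor model, the `reachable_from` attribute and the device names are assumptions chosen for illustration.

```python
"""Evaluate whether presented MFA factors are independent of any one device.

Added example (not from the forum post or from PCI SSC). The model is an
assumption: each piece of evidence records the devices from which an
attacker holding that device could obtain it (a stored password, an OTP
delivered to it, an enrolled biometric on it).
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class FactorEvidence:
    kind: str                      # "knowledge", "possession" or "inherence"
    label: str                     # descriptive name, e.g. "sms_otp"
    reachable_from: FrozenSet[str]  # devices whose theft yields this evidence


def single_point_of_compromise(factors: List[FactorEvidence]) -> FrozenSet[str]:
    """Return the devices whose theft alone yields every presented factor.

    This is the intersection of the per-factor device sets; an empty result
    means no single device defeats the whole authentication.
    """
    if not factors:
        return frozenset()
    common = set(factors[0].reachable_from)
    for f in factors[1:]:
        common &= f.reachable_from
    return frozenset(common)


def evaluate_mfa(factors: List[FactorEvidence]) -> Tuple[bool, str]:
    """Accept only if two distinct factor types are present and no single
    device reaches all of them (the independence the post describes)."""
    kinds = {f.kind for f in factors}
    if len(kinds) < 2:
        return False, "fewer than two distinct factor types presented"
    spoc = single_point_of_compromise(factors)
    if spoc:
        return False, "all factors reachable from one device: " + ", ".join(sorted(spoc))
    return True, "factors independent"


# Constructed scenarios (hypothetical devices, not real accounts).
PHONE, TOKEN = "phone", "hw_token"
PASSWORD_AUTOFILLED = FactorEvidence("knowledge", "password_autofill", frozenset({PHONE}))
PASSWORD_MEMORIZED = FactorEvidence("knowledge", "password_typed", frozenset())
SMS_TO_PHONE = FactorEvidence("possession", "sms_otp", frozenset({PHONE}))
PUSH_TO_PHONE = FactorEvidence("possession", "push_approval", frozenset({PHONE}))
HARDWARE_TOKEN = FactorEvidence("possession", "totp_token", frozenset({TOKEN}))


def scenario_same_device() -> Tuple[bool, str]:
    """The post's case: autofilled password plus SMS OTP on the stolen phone."""
    return evaluate_mfa([PASSWORD_AUTOFILLED, SMS_TO_PHONE])


def scenario_separate_knowledge() -> Tuple[bool, str]:
    """Memorized password plus SMS OTP: the phone alone is not enough."""
    return evaluate_mfa([PASSWORD_MEMORIZED, SMS_TO_PHONE])


def scenario_extra_factor() -> Tuple[bool, str]:
    """Same stolen phone, but an additional factor held elsewhere."""
    return evaluate_mfa([PASSWORD_AUTOFILLED, SMS_TO_PHONE, HARDWARE_TOKEN])


def scenario_two_possession() -> Tuple[bool, str]:
    """Two possession factors on one phone: same type and same device."""
    return evaluate_mfa([SMS_TO_PHONE, PUSH_TO_PHONE])


if __name__ == "__main__":
    for name, fn in [("same_device", scenario_same_device),
                     ("separate_knowledge", scenario_separate_knowledge),
                     ("extra_factor", scenario_extra_factor),
                     ("two_possession", scenario_two_possession)]:
        print(f"{name}: {fn()}")
```

The check is deliberately about where evidence can be obtained rather than about which device opened the login page: the post's point is that a password stored on the phone and a code delivered to the phone collapse into one factor, and the intersection test captures exactly that collapse for any number of factors.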