Fidelity two-factor authentication change?

I don't understand the rationale behind not allowing "trust this device". The vast, vast majority of hacking is done remotely, by bad guys sitting in Russia, Nigeria, etc. Not allowing "trust this device" is meant to prevent someone with physical access to your device from logging in to, say, your Fidelity account if they don't also have physical access to your phone (or Yubikey, etc.). It makes no sense to me to have Fidelity not trust the browser I use from my Windows desktop or my Linux laptop, as those devices are under my physical control at all times.

TL;DR: It is quite safe to enable "trust this device" for websites/apps you access from devices that you have physical control over.
You have fundamentally misunderstood the risk. It is incredibly common for someone to gain remote access to your laptop or other device due to unpatched browser software or other methods. There are many "no click needed" hacks available, and one of the biggest attack vectors is people who click blindly on the first link that a search engine returns, thinking it is the legitimate site.

I ran the cybersecurity teams for a large bank and a large insurance company and we always had customers who had hacked laptops and phones where someone else was in control and they had no clue.

No, it does not matter if you apply patches the instant they are available. It can take weeks to months for companies to develop, test, and distribute updates and they still get it wrong. That is a major window of opportunity for criminals.
 
I don't use "trust this device", as I believe it uses a cookie on my computer to identify my computer. Problem is, should some bad actor be able to download all my cookies, they could impersonate me by putting my cookie on their computer.

While this should not happen, it depends upon the browser to not allow downloading of other sites' cookies.
Which is fine, until a defect is exploited.
 
Just a guess, but Fidelity could use the MAC address to see if you are on the same computer. It is a kind of hardware address...
 
I never use the "trust this device", I want the 2FA each and every time, that's why I signed up for it!
Absolutely. I either use Authy or Symantec VIP to generate codes that I cut and paste. I just tried the Fidelity sync through the app with someone else and strongly prefer to use a third-party app.
 
If you are using an ad blocker on your browser disable it for Fidelity.com. My experience has been that "remember this device" doesn't work when most ad blockers are enabled.
 
I don't understand the rationale behind not allowing "trust this device". The vast, vast majority of hacking is done remotely, by bad guys sitting in Russia, Nigeria, etc. Not allowing "trust this device" is meant to prevent someone with physical access to your device from logging in to, say, your Fidelity account if they don't also have physical access to your phone (or Yubikey, etc.). It makes no sense to me to have Fidelity not trust the browser I use from my Windows desktop or my Linux laptop, as those devices are under my physical control at all times. If one of those devices happened to be stolen, the bad guy still would have no access to the browser I use to login to Fidelity, because he wouldn't know my device PIN or password. And even if they somehow managed to break into the device and access my browser, Fidelity's security protocols would almost certainly trigger a 2FA due to the change in IP address.

TL;DR: It is quite safe to enable "trust this device" for websites/apps you access from devices that you have physical control over. Never "trust this device" when using a public or shared computer, tablet, etc. This is the scenario that "trust this device" was designed for.

Each person should assess their own security vs. convenience trade-offs, but certainly you should be capable of understanding how others could make a different choice. If you don't, it should signal that you might not understand the choice you're making as well as you thought.

In this case, the choice is whether you want your laptop to be an attack vector that is privileged compared to others. Physical access to your laptop is a concern, but not the primary concern. The primary concern would be your laptop becoming compromised with malicious software. You mitigate this risk through good security practices, including running an updated virus scanner. But mitigating will never get the risk to zero.
 