Glad you liked it!

no problem! more to come!

So essentially you're using the Yubikey app on your phone to generate OTPs (one-time passcodes), and is similar to the OTP numbers you get generated in the Microsoft Authenticator app, or any other common authentication applications such as Google Authenticator or Authy. The weakness with OTP is that there's no built-in checks performed with this method of MFA to validate the target domain you're entering your credentials into is legitimate. One thing to bear in mind is that if you're using the Yubikey application on your laptop to generate OTPs you will still be asked to insert your Yubikey to access and unlock the key, however it's not using WebAuthn or FIDO2. If you currently use the cycling codes in the Yubico Authenticator app on your laptop to log in with, then it won't be using FIDO2, meaning it's unfortunately still subject to the AiTM attack as you saw in Alice's scenario. Microsoft supports FIDO2 with Yubikeys so you would just need to register your Yubikey as a FIDO2 device and add this as your preferred method of authentication. Depending on your or your workplace setup, they may not allow this by default, so you would need to ask them to enable FIDO2 authentication for you, and you can then register it. We hope that helps!

​@@CloudGuardAI Thank you for the reply and the suggestion to enable FIDO2. I shall learn how to do this (lol, I'll likely end up looking on KZbin!) 🙂

We've taken your feedback on board and hope to make a video on it soon. :)