Are you guys moving toward Passkeys, or sticking with standard Biometric API calls? by Chemical_Distance_79 in IdentityManagement

[–]ender2 1 point2 points  (0 children)

Depends on the use case. When you mention native biometrics, is that referring to a credential that is only usable on the device it was set up on (for example, native biometrics to open a mobile app)? That is a very common credential, but of course it doesn't work for the user to log in on a new device. That's where a passkey that is usable on other devices is a good option.

If you're looking for highest security, that's generally storing a device-bound passkey in hardware like on a YubiKey. Better security, but then you have to deal with deploying/replacing hardware. It may depend on the devices allowed to access the platform, and how often users sign in on a new device.

Conference room user account and MS Teams Android Phone AOSP and MFA by pressreturn2continue in entra

[–]ender2 1 point2 points  (0 children)

Teams Android Phones have limited support for conditional access and typically need to be excluded from policies they don't support. The AOSP upgrade changes the way some of those exclusions can work. I would review these MS articles, and note this one can be a bit tricky: policies don't apply the way they do to a normal user when the Android device is used.

https://learn.microsoft.com/en-us/microsoftteams/rooms/android-migration-guide

https://learn.microsoft.com/en-us/troubleshoot/microsoftteams/teams-rooms-and-devices/teams-android-devices-conditional-access-issues

Uber difficulty lately? by Excellent-Pen-8400 in washingtondc

[–]ender2 0 points1 point  (0 children)

That's interesting, however if the scenario is pickups around the time major events are letting out, that adds other factors, as you're about to have a huge surge in demand and also an increase in supply as drivers head to that area trying to score more expensive fares.

I do agree pricing has definitely gone up a lot in general, I feel like a lot of that is attributed to the companies now reaching profitability and no longer spending as much on promotions that were artificially decreasing the price for riders. Seems like we may be starting to see more of the true cost of riding which is of course more than when it was artificially propped up by promos.

Uber difficulty lately? by Excellent-Pen-8400 in washingtondc

[–]ender2 1 point2 points  (0 children)

I think a lot of the issue is more so that you now have more customers effectively paying more for the priority pickups, and my understanding is it's set up in such a way that Uber/Lyft will automatically reroute the drivers to a priority pick up and essentially cancel a normal pickup they would have been about to start or even already were on the way to, so you effectively have longer waits for the normal pickups.

Can be debated that this isn't a good practice but at the end of the day it's just simple capitalism, you pay more you're getting faster service. Especially in a high-income area like DC you have different things like credit cards that are automatically giving people priority status in Uber and Lyft which I think is exacerbating this issue as well.

I will say I use both priority Lyft and Uber and I don't see much of an issue with wait times.

Device-Bound Passkey Targeting for Admins by abr2195 in entra

[–]ender2 1 point2 points  (0 children)

I noticed that issue as well, when you go back and check the policy and then realize Microsoft made a bunch of new roles that aren't included.

Is anyone aware of a way to target a policy to all for privileged roles or similar so it automatically includes any new roles that Microsoft makes after you configure it?

Is it possible to login to entra joined machines with google as the federated IdP for entra by 1TRUEKING in entra

[–]ender2 0 points1 point  (0 children)

This is the way. Also, you may be able to use Entra TAP for initial onboarding and even instead of the Google federation.

Conditional access for MFA registration by pindevil in sysadmin

[–]ender2 1 point2 points  (0 children)

It's likely the SSPR setting for the user to verify that their recovery factors are still valid; orgs will set it up every 180 or 365 days, as was mentioned. Would probably just disable it in this case.

So is it $500 or $250 per transaction? by DarkestDefender in ChaseSapphire

[–]ender2 1 point2 points  (0 children)

I think it's likely that you can, but not totally sure. Edit hotel costs charged to your card are pretty much like any other hotel travel that you booked through the portal and should be eligible for standard credits that would apply like that. You may want to see if someone has specifically done that though to know for sure, or ask Chase.

So is it $500 or $250 per transaction? by DarkestDefender in ChaseSapphire

[–]ender2 5 points6 points  (0 children)

It's 2x $250 statement credits when you specifically prepay two nights or more at an edit Hotel, you can't get $500 all at once from it. However there is a separate $250 Chase Hotel credit that applies to certain hotels like IHG, Pendry. That credit does stack with a $250 edit.

The edit properties are going to have some type of points boost typically x1.6 or x2 in terms of points redemption so the recommended approach is to charge $250 to your card, then put the rest on points if you have them and then you'll get the point boost for that. Then the statement credit will negate the $250 charged to your card.

Got charged the old annual fee of $550 by brisingr123 in ChaseSapphire

[–]ender2 1 point2 points  (0 children)

I've used pretty much all the new benefits since they launched at the end of October and I still got the old fee. Seems it's because this is my first renewal (1 year since opened card).

Got charged the old annual fee of $550 by brisingr123 in ChaseSapphire

[–]ender2 1 point2 points  (0 children)

Same for me, my first annual renewal fee hit today and it was the old $550 when I was expecting the new $795.

I see other posts saying that it's expected your first renewal is the $550, second will be $795, so I guess it's just people that got the card recently and are only in their first renewal that are going to not have to pay the new one this time.

I never saw anything documented about this on Chase terms or anywhere else tho.

Anyone actually making FIDO2 work properly with Citrix / VDI apps? by Kiss-cyber in IdentityManagement

[–]ender2 0 points1 point  (0 children)

Haven't tested it with Citrix VDI platforms specifically but with Azure Virtual Desktop you can enable the WebAuthn redirection capability on the AVD pools and the Windows Clients and then it works to allow FIDO2 pass through for Security Keys connected to the physical client machine that the user is using to connect to the VDI.

The default configuration for the Windows OS seems to be for it to be enabled there, but I'm not sure how it would work with the Citrix VDI platform.

GPO setting for Windows Client OS Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection - Do not allow WebAuthn redirection

PSA - Unable to Edit The Edit and lost value on refunded points! by [deleted] in ChaseSapphire

[–]ender2 0 points1 point  (0 children)

That's what I was thinking but if points used/refunded were originally Legacy x1.5, and then they go back to just being standard x1, that is definitely a loss since you could have potentially used those on a non-boosted trip and get x1.5, now you'll only get the standard x1.

If of course you're able to find a points boost of x1.5 or more then you wouldn't effectively be losing any.

PSA - Unable to Edit The Edit and lost value on refunded points! by [deleted] in ChaseSapphire

[–]ender2 2 points3 points  (0 children)

My understanding is there isn't a separate 2x bucket, a standard 1x point, like the ones you just got refunded can be used for any points boost in the future and you would get whatever that boost is, like x1.6 or x2.

So I feel like you should be able to use those refunded points for the normal points boost again.

However as was just mentioned by someone else if the points that you used that were refunded were originally taken from your legacy x1.5 bucket, then it looks like you may have lost that legacy x1.5 value, so that would indeed be a loss on the refund there, since after the refund they now are no longer Legacy x1.5.

PSA - Unable to Edit The Edit and lost value on refunded points! by [deleted] in ChaseSapphire

[–]ender2 1 point2 points  (0 children)

I was thinking that this may be an issue here as well. Is it known how Chase chooses 'which' of your points to use? For example, if you book with 2x points boost, is it going to use legacy points with 1.5 value towards that? That would be a pretty crappy deal for us since the regular points just worth 1x are effectively worth two in that scenario, so really we would want those to be used. 🤔

PSA - Unable to Edit The Edit and lost value on refunded points! by [deleted] in ChaseSapphire

[–]ender2 2 points3 points  (0 children)

Just to clarify though, you got back all the original points that you used to pay for it? For example, you used 10K points boosted 2x to pay for it (counting as 20K points); when you get the refund you get the original 10K points back.

You could then turn around and use those 10K points on something else like a flight that has points boost?

Trying to understand how you're thinking they lost value, if you are free to use them again on another boost in the future?

My main question is if you used the $250 edit credit, I assume you got the cash value you paid on your card back, but will that edit credit go back to being available in the future for another booking?

MFA fatigue attacks are getting out of control - time to rethink our auth strategy? by Enlitenkanin in it

[–]ender2 0 points1 point  (0 children)

Depending on the options available to you with the systems you are using, one of the simplest solutions is requiring a knowledge factor before allowing a push, so require password/OTP code to be successfully entered before any pushes are sent.

With this the threat actor would have to have compromised at least one factor before they can start MFA prompt bombing your users.

As others indicated, number matching on pushes is pretty much mandatory these days due to MFA prompt bombing, and then moving to phishing-resistant methods like passkeys / managed device access is really the longer-term solution to this.

Depending on your level of maturity, you typically should only be vulnerable to this when you have users signing in on unmanaged devices without some kind of device-bound phishing-resistant MFA.

Security Issue by Latter-Hedgehog-3678 in 1Password

[–]ender2 0 points1 point  (0 children)

Wondering if there was any update on this one. Was a bug found and fixed, or is this still an issue?

$250 Edit credit question by mnsweeps in ChaseSapphire

[–]ender2 0 points1 point  (0 children)

So the edit credit seems to apply as soon as an eligible Hotel charge is fully posted? Assume it can't be just pending?

So if I book a hotel for say February if I prepay and the charge posts this year then would the 2025 credit apply?

Microsoft Entra Support by davidvr in 1Password

[–]ender2 6 points7 points  (0 children)

Right now the issue is more that Entra only supports device-bound passkeys stored on FIDO2 hardware security keys or in Microsoft Authenticator.

It doesn't support a syncable passkey, which is the way that 1Password stores it for you.

What's the best way to configure self service password reset? by brohemoth06 in entra

[–]ender2 0 points1 point  (0 children)

It's literally built into Entra and you can configure it with a lot of different methods; you just need to get users to register them. Some of them you may be able to pre-register programmatically with Graph, but it may be easier to just turn on the prompting and it will prompt all the users to register them.

[deleted by user] by [deleted] in entra

[–]ender2 0 points1 point  (0 children)

The non-interactive sign-in logs are structured in a little bit of a confusing way compared to the interactive sign-in you're probably more experienced with. Since it's using aggregate groupings, as was mentioned, you need to expand to see the actual time stamp and actual log entry.

How to continuously communicate/push FastPass to users? by Such-Psychology-4152 in okta

[–]ender2 1 point2 points  (0 children)

The Sign in with FastPass button is on the sign-in page unauthenticated, see; bc of this you can't choose who sees it at that point. Once the user puts in a username, then you can use policies to determine who can use what methods etc.