Any creative solution to make it harder for hackers to copy your IdP login page?

Cantor, Scott cantor.2 at osu.edu
Mon Mar 26 17:23:40 EDT 2018


> My credit union discourages phishing by prompting for the username on one
> page (www.example.com) and the password on another (my.example.com).
> The password page is customized based on the username. When I set up my
> CU account (years ago), I had to choose a Security Phrase and a Security
> Picture. These always appear on my custom password page.

The problem is screen scraping; it's really not defeatable if you don't bother to check the bar. There are tricks like the phrase or picture to force one to actually screen scrape (anti-XSRF stuff is another), but if somebody is willing to scrape it in real time there isn't much that will work, and it defeats MFA for at least that transaction. You just throw an error back to the user to make them think it failed, and meanwhile off you go with your session.

The fix of course is token binding.

-- Scott
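The token binding Scott points to, reduced to a runnable model as an added example that is not part of this thread or of any IdP's code: the server binds each session token to a per-connection channel value, so a token copied onto any other connection (a real-time relay's own connection to the IdP, for instance) fails verification even though the token itself is intact. The server key, the channel values and the session ids are constructed here. Real Token Binding (RFC 8471) uses a client-held key pair and a signed proof rather than a value shared with the server, so this is a simplification of the idea, not the protocol.

```python
import hashlib
import hmac
import secrets

# Constructed server-side MAC key; a deployment would load this from a key store.
SERVER_KEY = secrets.token_bytes(32)


def new_channel_binding() -> bytes:
    """Model of a per-TLS-connection channel value (think of a TLS exporter output).

    Both ends of one connection can derive it; a party on a different connection,
    such as a relay sitting between the user and the IdP, has a different value.
    """
    return secrets.token_bytes(32)


def issue_session(channel_binding: bytes) -> str:
    """Create a session token whose MAC covers the channel it was issued on."""
    session_id = secrets.token_hex(16)
    mac = hmac.new(
        SERVER_KEY, session_id.encode() + channel_binding, hashlib.sha256
    ).hexdigest()
    return f"{session_id}.{mac}"


def verify_session(token: str, channel_binding: bytes) -> bool:
    """Accept the token only if it was issued on this same channel and is unmodified."""
    try:
        session_id, presented_mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(
        SERVER_KEY, session_id.encode() + channel_binding, hashlib.sha256
    ).hexdigest()
    # Constant-time comparison so the check leaks nothing about the expected MAC.
    return hmac.compare_digest(expected, presented_mac)


def demo() -> tuple[bool, bool, bool]:
    """Return (legit_ok, other_channel_ok, tampered_ok) for the three scenarios."""
    user_channel = new_channel_binding()      # the user's own TLS connection
    other_channel = new_channel_binding()     # any other connection to the IdP

    token = issue_session(user_channel)

    legit_ok = verify_session(token, user_channel)
    # Same token, intact, but presented over a connection it was not bound to.
    other_channel_ok = verify_session(token, other_channel)
    # Same channel, but the token's session id was altered in transit.
    sid, mac = token.split(".", 1)
    tampered = ("0" * len(sid)) + "." + mac
    tampered_ok = verify_session(tampered, user_channel)
    return legit_ok, other_channel_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

The point of the model is the second result: a security phrase or picture is visible data that any relay can pass through, whereas a channel-bound token is only useful on the connection it was minted for, which is why it survives the real-time scraping scenario that defeats the visual tricks.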
