Websites saying "We don't recognize this device" after Windows Updates

DJRoff · 3 Weeks Ago

How can I stop websites from saying "We don't recognize this device" after every single Windows Update?

This primarily happens to me on financial websites, but not uniquely so. And it always seems to occur right after "Patch Tuesday". A bank site that I've used for years, and for which my password has always been stored in the browser, will suddenly halt a login attempt saying "We don't recognize this device", and force me to run to the other room and dig up my phone, to retrieve and enter a 6- or 8-digit code.

I researched this on the Microsoft Community site, and while several users have pointed out this problem, as usual there are several non-answers ("What browser are you using?" "Have you tried clearing cookies?" "Have you checked with the financial institution's site manager?"), but no resolution. The problem occurs on all of my browsers (I use Edge, Chrome and Brave), and it ONLY occurs after an Update. The rest of the month, I'll happily log into my bank account using my stored information, but as soon as there's been a Windows Update, "We don't recognize this device". So it's not a website problem, and it's not a browser problem, it's a Windows problem. It's been going on for a few years now, and I'm just tired of it. I shouldn't be randomly forced to use Two-Factor Authentication on my own personal PC, which sits in my private home office. Has anyone been able to find a solution for this? It seems there should be some Windows solution to enable persistent recognition by another IP address. I am on Windows Version 22H2, OS Build 19045.4412, if it makes any difference.

dalchina · 3 Weeks Ago

Hi, the way I'm used to seeing banking sites 'recognising' a PC is to have a cookie set in the current browser.
Normally after using 2FA there's a prompt something like 'Do you wish to trust this device' - and responding 'yes' should mean the cookie is set and you don't get prompted for 2FA again.

Should that cookie be cleared, or you use a different browser where that cookie has not been set in that browser, you will again receive a 2FA prompt.

My experience: I use a lot of financial/banking sites, and I've never seen anything that suggests a Windows update has affected this.

However, I have had one or two problems with a couple of banks where 2FA prompts have become persistent even though the device/browser is 'trusted'.

Halifax group: occasionally at wide-spread sporadic intervals something triggers the 2FA mechanism consistently for a couple of weeks- and I'm not prompted after completing it to set the device as trusted. No one has been able to explain that. It only happens a couple of times a year, and not for a long time.

Santander: now this is frustrating.. it took many calls and even to my ISP to have Santander finally tell me I was suddenly ALWAYS prompted for 2FA now because my IP address keeps changing. Santander told me to get a static IP address. Well, guess what- those aren't available for residential customers 'for security reasons'.

Here it seems that some change on Santander's side- and this does not apply to other banks I use- means my dynamic IP address (over which I have no control- trips their security check. And Santander couldn't care less. So I've given up using their internet banking and use the app or phone banking.

"We don't recognize this device". So it's not a website problem, and it's not a browser problem, it's a Windows problem.

Here I have to disagree. If the bank's system is sensitive to any change in your PC's data- the Windows build, the browser user agent (including its version) - it may be designed to pick up these changes and regard the device as 'new'.
Example details of a user agent string:
User-Agent - HTTP | MDN
- your bank would see this.

It all depends on what (possibly idiotic) check they have designed into their security system.

there should be some Windows solution to enable persistent recognition by another IP address

Well yes, I suppose there is. Change nothing! Umm.

for which my password has always been stored in the browser

Personally I would always use a 3rd party password manager as that works across browsers and if you wish, across devices. Plus you don't have to worry if your disk dies or becomes unbootable so you can't retrieve the password.

DJRoff · 3 Weeks Ago

I never get a prompt from Cookies, asking if I "trust this device". Is that a pop-up blocker setting that's preventing me seeing those? I've gone into the Site Settings for a couple of those, and changed Pop-Ups from "Block (default)" to "Allow", we'll see what happens.

(And I hear what you say, about saving my passwords in a secure "bank" of some kind, either a password manager app, or a physical device. My wife uses one of those external "password banks", and everything was kosher until she lost the bank, one day. It was weeks before I could help her find it. I know most of my own passwords by heart, and the few I never remember, I have stored elsewhere. It's simply a convenience thing, having my passwords auto-filled when I'm online -- and one I'm loathe to give up. And I just don't always bring my phone to the party, when I sit down late some night, already tired, to pay a bill before dropping into bed.)

As to a perfect solution on all sites, all the time, you seem to be saying that... there isn't one. I get it. I suppose it all depends on how "deep a dive" the financial institution's servers are told to do, in order to vet the machine that's trying to log into its services. I can't really blame them, there are just too many bad actors out there, and their "spoofing" methods keep getting better all the time. Still, it seems like there ought to be some consistently-working way for my computer and their servers to "recognize" each other and handshake as friends.

At any rate, thank you for your long and thoughtful response. I'll explore ways to get that cookie pop-up. I'm mostly using Brave, which is built on Chrome code but with all defaults set toward privacy. This may be one area where it goes overboard.

dalchina · 3 Weeks Ago

I never get a prompt from Cookies, asking if I "trust this device".

It sounds as if your bank(s) probably use the cookie mechanism.. but there's no reason they couldn't store the data on their server I suppose. (It would be better if they did- vs hardware id- i.e. browser independent etc).

Problem with cookies is this (amongst others) - if you have a problem with a bank site, one of the first things they tell me is to clear cache and cookies- to which I respond - that will affect a number of sites- including other banks' sites! (cookies).

The prompts I've seen (from several banks) are entirely within the browser page- not a popup as such.
Here's Lloyds:

Websites saying "We don't recognize this device" after Windows Updates-1.jpg

Websites saying "We don't recognize this device" after Windows Updates-2.jpg

everything was kosher until she lost the bank, one day

Options typically are:
- the whole encrypted database is held locally (so it's up to you to back up)
or
- they are synched and held on the company's server - and so are available to any device on which you run the program and for which you authorise access. Hence uniform across devices (in my case Win 10 and Android).

In the latter case they are harder to lose- but then there's the argument about holding them on your PC means they're not on some server 'out there'.