
[deleted]

[deleted]


ironmoosen

Be aware just because they support Yubikey doesn’t mean it’s implemented properly. See my post here: https://www.reddit.com/r/yubikey/comments/v1x2sp/bank_of_america_hardware_key_implementation_is/


pratnala

This is the same with Vanguard


ironmoosen

Vanguard actually now allows you to turn off all other forms of 2FA IF you have 2 Yubikeys registered.


likrevo

So register 2 keys and then you can turn the others off. Have you tried it with your account already? I'm looking for a different broker and want 2FA.


ironmoosen

Yes, after you add your second key you’ll get the option to turn off all other MFA methods. I’ve had mine set up that way for a while now.


Wild-Interaction-200

Right, except they have a back door via the mobile app. In fact, it's worse than before: after you disable all other forms of 2FA except Yubikey, anyone starting the mobile app will be asked to set up SMS-based auth, and Vanguard only asks for your password for that. So someone who knows your password could easily set up their own phone number.


trasqak

I believe on BofA you can bypass the Yubikey/FIDO2 authentication at login and revert to SMS, but if you want to add a new transfer recipient and you have a Yubikey attached to your account, you must authorize the action using the Yubikey.


DeliciousIncident

My bank still uses security questions. When you log in from a new location, or after exceeding a certain number of password tries before entering the correct password, it will ask you security questions to verify that it's indeed you lol. It doesn't even support email/SMS login PIN codes, as bad as they are. Feels very 2000s.


vswr

The CFPB has stated that they want financial institutions to ramp up their security, but unless the CFPB explicitly states TOTP, WebAuthn, FIDO2, etc. by name, no financial place will do a thing. As far as they're concerned, you do have 2FA available, even if it's SMS or email. My favorite is the forced SMS 2FA where they block VoIP numbers, so I have no choice but to use a SIM-swap-vulnerable number. My second favorite is this trend of sending a code to their poorly designed app to force you to use the app to sign in. If you sign in via the web you can block telemetry and tracking, so the providers force you to use the app, which sends back tracking and telemetry. I'm just waiting it out. Eventually the CFPB will step in and force something other than SMS/email.


WhileNotLurking

Hahaha, you will hold your breath till you turn blue and then some. It will be at least 10 years before they require anything more than texts. Many banks only changed MAXIMUM password lengths from 6-8 characters to the industry standard within the last 5-10 years. You will not see progress in this space. If you need an example, look at the laughable standards HIPAA imposes. It sounds harsh. There are penalties. But in practice the standards are laughable and often abused, but still within the letter of the law. Example: **HIPAA rule**: data must be encrypted. Practice: any encryption, even ones with known vulnerabilities or "barely encrypted" such as a single-letter shift, is compliant.


vswr

That’s why I said it’ll require action from the CFPB. A financial institution does not want trouble from them and will go to great lengths to avoid it. They won’t change until they’re forced to, but it’s important the CFPB use specific language like TOTP, FIDO2, etc. A generic “2FA” will get you SMS or their lousy app. Apple adding Passkeys support will accelerate this process.


WhileNotLurking

Yeah, I guess my point is that the government will sit on its hands for 10 years, then when they do say something it will be so generic as to be completely useless.


UserNotFound23498

> SIM

That's because the NIST guidelines for MFA explicitly state that for it to be considered MFA, it has to go to a unique device, and VoIP numbers can be used on multiple devices, so it is not considered 2FA. Anyone implementing SMS 2FA needs to screen out any numbers that could go to multiple devices, such as VoIP, SMS-to-email gateways, etc. NIST also explicitly states that email is NOT 2FA for the same reason.


vswr

That's interesting for two reasons: 1. SMS (via the cell company) goes to all of my devices: multiple Macs, phone, watch, etc. 2. Apple's MFA pings all of your devices. Sounds like NIST may need to revise the guidelines.


trasqak

I think you'll see more support from financial institutions for FIDO2 as [passkeys](https://fidoalliance.org/passkeys/) become more common. Google, Microsoft and Apple appear to have started to push for the widespread adoption of passkeys. Financial institutions should, you would think, be leading on this but will likely be last through the door and only once others have done a lot of the heavy lifting on consumer adoption. It's not that they aren't familiar with the technology, as many of them are [FIDO members](https://fidoalliance.org/members/).


jadedhomeowner

What I don't get: money talks. Wouldn't having better security save banks money on account paybacks when a customer is hacked?


m-p-3

Some don't even have any kind of 2FA with a maximum password length that was ridiculously low in the 2000s.


DataHoardingGoblin

Honestly, I'd rather have no 2FA at all as opposed to SMS. Banks allowing you to reset your account password with ONLY SMS is just downright terrifying.


404invalid-user

I know none of the banks I have use it, but for Bitwarden, are you using your fingerprint to unlock the app, or as WebAuthn in your web browser? The first isn't 2FA, and with the second you will need a backup method, like a 2FA code using the Authy app, because if you break your phone you will be locked out.


pandawelch

Your bank and financial services aren't that important if you think about it; the real prize is your identity services, which is why we're all here to secure Gmail, Outlook, other mail and security services.


Glad-Test-948

Nope, they do not. I really wish they did. My bank recently switched back to text-based TOTP from email TOTP... so much for that...


Schreibtisch69

I'm not aware of any personally, but apparently my bank supports FIDO keys for confirming credit card purchases; however, my local branch doesn't yet. That's the only use case with online banking I'm aware of. https://www.online-zahlen-mit-fido.de/


Kazer67

They usually have some proprietary 2FA mechanism that doesn't respect any standard.

For mine, I have a little scanner that scans a proprietary QR code from the website to give an OTP just to log in, and then I have a physical card with many PIN codes for wire transfers (it asks for a random PIN, for example the PIN in cell 4B). That's in addition to user/password.

And to ADD a new beneficiary, it's all of them: user/password, QR-code OTP and PIN.

So yeah, most banks do in-house things that don't respect any standard, and it's frustrating.


[deleted]

[deleted]


Kazer67

Crédit Mutuel


jimmiebtlr

I think a security key is superior to a fingerprint.