Ask HN: Bank with Yubikey support?
Yesterday I got an SMS 2FA text from my bank for a login attempt that I did not trigger. I changed my password, alerted my bank, and have been checking my account balance every few minutes it seems, but luckily everything seems fine.
The experience got me thinking, because the SMS 2FA was seemingly the last defense saving my account from a breach. My bank doesn't offer a stronger form of 2FA—neither TOTP nor any form of U2F.
Meanwhile, I really love Yubikeys; I have one plugged into every laptop I own (work and personal). I use Touch ID or Face ID on sites I access frequently from mobile.
It seems that the one place where U2F would be really impactful is online banking, but I've struggled figuring out which banks support strong 2FA without first creating an account with the bank.
Does your bank offer U2F, FIDO2, WebAuthn or any other form of hardware security token mechanism for logins? Have you had otherwise positive or negative experiences with the bank overall?
27 comments
[ 3.4 ms ] story [ 71.2 ms ] threadAlso check out the list of works with yubikey, but it's super short and most of them are for crypto: https://www.yubico.com/works-with-yubikey/catalog/?usecase=1...
I know it’s not encrypted but has it suddenly become easy to intercept?
There's also SIM-swap attacks that rely on social engineering your carrier.
This is TONS of fun when you use a password manager and have a long a random string password. It’s even more fun when you realize that they give you a limited amount of time to authenticate and it’s nowhere near long enough for a 20 character password.
It’s really sad how bad authentication systems are for some of the most critical systems in our lives.
nobody just found out about yubikey from this thread...
Ah, this explains why I feel at home in this community.
In particular, 2FA is not a standard but rather a collection of techniques, some of them standards. Yubikeys implement a good number of them. When someone asks a question like this one, I take it to mean "Bank with WebAuthn support", which is in fact a standard, and I'd also like to know if one exists that also lets you selectively disable other weaker factors.
And no, here I cannot assume good faith, sorry.
On my ETrade account, I give username and password, then press button on hardware token, get 6-digit TOTP, and append that to the password, then click Login.
Works pretty well, except that linking services such as Plaid don't understand it. Now that Wise (formerly Transferwise) has switched to use Plaid, I have to disable 2FA from my ETrade account, do the transfer in Wise, then enable 2FA again. Works, but a pain.
They also allow different uname/Pword combos with different auth levels. (Enterprise level granularity).
Eg I keep the read-only combo on my phones password manager, a general read/write to investments on my computer, and an “admin” level access (change permissions add banks move money) in offline storage.