Ask HN: Bank with Yubikey support?

45 points by jez ↗ HN
Yesterday I got an SMS 2FA text from my bank for a login attempt that I did not trigger. I changed my password, alerted my bank, and have been checking my account balance every few minutes it seems, but luckily everything seems fine.

The experience got me thinking, because the SMS 2FA was seemingly the last defense saving my account from a breach. My bank doesn't offer a stronger form of 2FA—neither TOTP nor any form of U2F.

Meanwhile, I really love Yubikeys; I have one plugged into every laptop I own (work and personal). I use Touch ID or Face ID on sites I access frequently from mobile.

It seems that the one place where U2F would be really impactful is online banking, but I've struggled figuring out which banks support strong 2FA without first creating an account with the bank.

Does your bank offer U2F, FIDO2, WebAuthn or any other form of hardware security token mechanism for logins? Have you had otherwise positive or negative experiences with the bank overall?

27 comments

[ 3.4 ms ] story [ 71.2 ms ] thread
The ONLY financial institute I trust with large sums of money and supports yubikey is Vanguard.

Also check out the list of works with yubikey, but it's super short and most of them are for crypto: https://www.yubico.com/works-with-yubikey/catalog/?usecase=1...

Last time I checked, Vanguard's implementation is worthless because you can still request an SMS code as an alternate path.
Bank of America offers it. It works great, but it works only on desktop not on IOS app.
But they still allow using 2FA via SMS too, even if a yubikey is configured. And there’s no way to turn the SMS auth off (last time I checked).
Not a BoA user, but how does iOS work? Do they bypass the auth requirements?
I bank with Chase, and their passwords aren't even case sensitive.
You should try Fidelity, it’s even worse. To authenticate over their phone you punch in the digits that correspond to the characters of your password. Special characters all get mapped to zero.

This is TONS of fun when you use a password manager and have a long a random string password. It’s even more fun when you realize that they give you a limited amount of time to authenticate and it’s nowhere near long enough for a 20 character password.

It’s really sad how bad authentication systems are for some of the most critical systems in our lives.

wouldn't it be nice if we could see the relevant part of the server logs when this happens? it would cut down on my paranoia. at least give me an ip address even though it's probably worthless.
Solution in search of a problem or just plain advertising? I rather see banks use some sensible authentication standard (perhaps, not necessarily, 2FA; likely, but preferably not using passwords), then a random for-profit company's product. Yubikeys are first and foremost baffling expensive.
You think YubiKey needs to advertise on a message board for paranoid tech nerds?

nobody just found out about yubikey from this thread...

> a message board for paranoid tech nerds?

Ah, this explains why I feel at home in this community.

Don't worry, you're not paranoid, you're just not missing relevant knowledge, or a mouthbreather.
PS consider dropping Keybase
Thanks for the advice! Had forgotten to remove it from here.
$8-$50 is "baffling expensive"? I think if it protects a few grand in the bank, well worth it. If you don't have a few grand in the bank, I think maybe yeah any non-free 2FA solution becomes "expensive".
Please follow the guidelines for commenting and assume good faith: https://news.ycombinator.com/newsguidelines.html

In particular, 2FA is not a standard but rather a collection of techniques, some of them standards. Yubikeys implement a good number of them. When someone asks a question like this one, I take it to mean "Bank with WebAuthn support", which is in fact a standard, and I'd also like to know if one exists that also lets you selectively disable other weaker factors.

I'm aware that 2FA is not a standard. I meant to write "a standard perhaps, not necessarily using 2FA", but I fumbled the editing. My bad.

And no, here I cannot assume good faith, sorry.

How about modern e-banks like wise and revolut? They have tons of features and generally use mobile app for auth (not exactly same as yubi but way better than SMS)
At Mercury (banking stack for startups) we plan to add WebAuthn as a second factor. This allows Yubikey, TouchID and many other compatible authenticators.
Not YubiKey, but: ETrade (now being acquired by JP Morgan) uses the Symantec VIP hardware token. A quick search for JP Morgan 2FA leads me to believe that JP Morgan uses something similar.

On my ETrade account, I give username and password, then press button on hardware token, get 6-digit TOTP, and append that to the password, then click Login.

Works pretty well, except that linking services such as Plaid don't understand it. Now that Wise (formerly Transferwise) has switched to use Plaid, I have to disable 2FA from my ETrade account, do the transfer in Wise, then enable 2FA again. Works, but a pain.

I use Interactive Brokers for my investments (can also be a checking account since it supports ACH and debit card). They have an app “Ibkr key” feature where you get a push notification to auth.

They also allow different uname/Pword combos with different auth levels. (Enterprise level granularity).

Eg I keep the read-only combo on my phones password manager, a general read/write to investments on my computer, and an “admin” level access (change permissions add banks move money) in offline storage.