Replies: 4 comments
-
This sort of applies to Kickstarter as well. They don't have Recovery Codes as a backup to the soft token. The backup is SMS (maybe also email, but I can't be sure about that).
-
Websites like these offer the convenience of having hardware tokens without the security. We already had a discussion regarding a score (A-F) considering the available 2FA methods of a given website. A weak fallback like SMS (that is always available) would automatically result in a lower grade.
-
That sounds like a good compromise. I would point out though that convenience is subjective. The folks I know that don't use security keys do so because using SMS (or TOTP) is more convenient than purchasing and keeping a security key safe.
-
Vanguard seriously needs to cripple their convenience factor... today I learned that Vanguard doesn't use any REAL authentication (even if you set up 2FA via email, SMS, or token). All the website needs is five pieces of information, and it will replace your user name and password with new ones. The five pieces of information:
The first four ....hello Equifax data breach. The last can be obtained if you, for whatever reason, accidentally or otherwise, posted your account number online (or from a separate breach with name + account number) or.... dumpster diving. With those 5 pieces of information, I was able to change my user name and password; no security questions, SMS, or token required.... I did get an email about 10 minutes later:
I will be moving my retirement monies to another company.
-
I'm looking specifically at the entry for Vanguard, which has the hardware token column checked. It has an exception icon stating the following, but I'm not sure it is enough:
This is misleading, as Vanguard's policy requiring SMS as a 2FA backup means that the hardware token is always able to be bypassed. As such, I don't think they should be getting credit for having hardware tokens.
If it were up to me there would be a big red X in that column stating that their implementation was misconfigured and potentially dangerous.
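The grading idea from the second comment and the "hardware token is always bypassable" point from the last one, carried through as an added example (not code from the 2FA directory project): a site's effective second-factor strength is the weakest fallback a user cannot turn off, and hardware tokens only earn credit when no weaker mandatory fallback exists. The strength ranking, grade letters and site entries are assumptions constructed for this example.

```python
# Hypothetical relative strength of each second factor (higher is better).
# SMS and email are both interceptable without the user's device; TOTP is
# phishable but not SIM-swappable; hardware tokens are phishing-resistant.
STRENGTH = {"sms": 1, "email": 1, "totp": 2, "hardware": 3}

# Assumed mapping from effective strength to an A-F style letter grade.
GRADES = {3: "A", 2: "B", 1: "D", 0: "F"}


def effective_strength(offered, mandatory_fallbacks):
    """Strength an attacker actually has to beat.

    `offered` is every method the site lists; `mandatory_fallbacks` are the
    ones a user cannot disable. The advertised strength is the best method,
    but a forced weak fallback caps the whole account at that fallback.
    """
    advertised = max((STRENGTH[m] for m in offered), default=0)
    weakest_forced = min((STRENGTH[m] for m in mandatory_fallbacks),
                         default=advertised)
    return min(advertised, weakest_forced)


def grade(offered, mandatory_fallbacks):
    return GRADES[effective_strength(offered, mandatory_fallbacks)]


def credits_hardware_token(offered, mandatory_fallbacks):
    """True only if a hardware token is offered AND nothing weaker is forced,
    i.e. the token cannot simply be bypassed via a mandatory fallback."""
    if "hardware" not in offered:
        return False
    return effective_strength(offered, mandatory_fallbacks) == STRENGTH["hardware"]


def audit(sites):
    """Map each site to (grade, hardware-token credit) for a summary table."""
    return {name: (grade(o, f), credits_hardware_token(o, f))
            for name, (o, f) in sites.items()}


# Constructed entries reflecting what the commenters above describe:
# (offered methods, fallbacks the user cannot turn off).
SITES = {
    "vanguard": ({"sms", "email", "totp", "hardware"}, {"sms"}),
    "kickstarter": ({"totp", "sms"}, {"sms"}),
    "keys-only-site": ({"hardware", "totp"}, set()),  # hypothetical
}

if __name__ == "__main__":
    for site, (letter, credit) in audit(SITES).items():
        print(f"{site:15} grade={letter} hardware_credit={credit}")
```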