undefined | Better HN

0 pointsguinea-unicorn2y ago0 comments

I find it funny how MFA is treated as if it would make account takeover suddenly impossible. It's just a bit more work, isn't it? And a big loss in convenience.

I'd much rather see passwords entirely replaced by key-based authentication. That would improve security. Adding 2FA to my password is just patching a fundamentally broken system.

0 comments

ryukoposting2y ago

Customer service at one of my banks has an official policy of sending me a verification code via email that I then read to them over the phone, and that's not even close to the most "wrong" 2FA implementation I've ever seen. Somehow that institution knows what a YubiKey is, but several major banks don't.

eairy2y ago

I'm security consultant in the financial industry. I've literally been involved in the decision making on this at a bank. Banks are very conservative, and behave like insecure teenagers. They won't do anything bold, they all just copy each other.

I pushed YubiKey as a solution and explained in detail why SMS was an awful choice, but they went with SMS anyway.

It mostly came down to cost. SMS was the cheapest option. YubiKey would involve buying and sending the keys to customers, and they having the pain/cost of supporting them. There was also the feeling that YubiKeys were too confusing for customers. The nail in the coffin was "SMS is the standard solution in the industry" plus "If it's good enough for VISA it's good enough for us".

ryukoposting2y ago

Interesting. I assumed a lot of client software for small banks was vendored - I know that's the case for brokerages. Makes it all the weirder that they all imitate each other.

Here's the thing about SMS: your great aunt who doesn't know what a JPEG is, knows what a text is. Ok, she might not fully "get it" but she knows where to find a text message in her phone. My tech-literate fiancée struggles to get her YubiKey to work with her phone, and I've tried it with no more luck than she's had. YubiKeys should be supported but they're miles away from being usable enough to totally supplant other 2FA flows.

heyoni2y ago

But why won’t banks at least support customer provided yubikeys?

mulmen2y ago

> But why won’t banks at least support customer provided yubikeys?

> support

You answered your own question.

1 more reply

intelVISA2y ago

Banks loathe anything relating, or adjacent, to good SWE principles.

ryukoposting2y ago

I'd guess part of the reason is that customers would blame the bank when their YubiKey doesn't work, which would become a nuisance for them as much as the YubiKey's usability issues are a nuisance for the customer.

jalk2y ago

Bank of America supports user purchased TOTP devices.

https://www.bankofamerica.com/security-center/online-mobile-...

rainbowzootsuit2y ago

Brokerage, not bank, but you can do Yubikey-only at Vanguard.

https://www.bogleheads.org/forum/viewtopic.php?t=349826

eru2y ago

Because it's extra hassle?

mlrtime2y ago

The largest US crypto brokerages/exchanges support yubikey.

Some will provide and require them for top customers to ensure they are safe.

dalyons2y ago

I mean your employer wasn’t wrong. Yubikeys ARE way too confusing for the average user, way too easy to lose, etc. maybe have it as an option for power users, but they were right it would be a disastrous default.

Liquix2y ago

Financial institutions are very slow to adopt new tech. Especially tech that will inevitably cost $$$ in support hours when users start locking themselves out of their accounts. There is little to no advantage to being the first bank to implement YubiKey 2FA. To a risk-averse org, the non-zero chance of a botched rollout or displeased customers outweighs any potential benefit.

monksy2y ago

They're pretty terrible when they do.

For the longest time the max password size was 8 characters and the csr knew what your password was.

Heck I've had Chase security tell me they'd call me back.. dude that's exactly how people get compromised.

biglost2y ago

A friensd bank, hopefully not the one i use, only allow a password off 6 digits. Yes You read it right, 6 fucking digits to login, i hace him the asvice to run away from that shitty bank

1 more reply

doubled1122y ago

Exactly. 8 character password in the 2010s as the only factor was fine. It was only my money we're talking about.

Now I have to wait for an SMS. Great...

throwaway29902y ago

SMS is fine on most countries. It’s just America is dumb and allows number transfers to anyone.

6 more replies

darkr2y ago

> There is little to no advantage to being the first bank to implement YubiKey 2FA

Ideally they’d just implement passkeys (webauthn/fido). More secure, and it works with iOS, android, 1password, and yubikeys

grepfru_it2y ago

Uh many banks provide MFA. And secure with hardware keys. It’s just that your level of assets doesn’t warrant that kind of protection.

Source: worked at all the major banks, all the wealthy clients use hardware MFA

wsc9812y ago

The bank I used in The Netherlands provides a MFA device as well. The device requires an ATM card as well to generate a random number.

This is the default for all their customers, wealthy or not.

https://www.abnamro.nl/en/commercialbanking/internetbanking/...

1 more reply

heyoni2y ago

They’re a bank. If they can secure their portals with hardware keys, at least allow customers to onboard their own keys.

LtWorf2y ago

My bank gave me an hardware token to protect my 5k€ account.

Get better banks people :)

1 more reply

gonzo412y ago

Banks are in a tough spot. Remember, banks have you as a customer, they also have a 100 year old person who still wants to come to the branch in person as a customer. Not everyone can grapple with the idea of a Yubikey, or why their bank shouldn't be protecting their money like it did in the past.

codedokode2y ago

The problem is that the bank will automatically enable online access and SMS-confirmed transfers for that 100 year old person who doesn't even know how to use Internet.

krinchan2y ago

Just say BofA.

snnn2y ago

Not actually. Even if you enabled passkey, you still can login to their phone app via SMS. So it is not more secure. People who knows how to do SMS attacks certainly knows how to install a mobile app. And BofA gave their customers a fake assurance.

hangonhn2y ago

yeah someone replied to one of my comments about adding MFA that an attacker can get around all that simply by buying the account from the author. I was way too narrowly focused on the technical aspects and was completely blind to other avenues like social engineering, etc.

All very fair points.

1 more reply

fsckboy2y ago

>I'd much rather see passwords entirely replaced by key-based authentication

I've never understood how key-based systems are considered better. I understand the encryption angle, nobody is compromising that. But now I have a key I need to personally shepherd? where do I keep it, and my backups, and what is the protection on those places? how many local copies, how many offsite? And I still need a password to access/use it, but with no recourse should I lose or forget. how am I supposed to remember that? It's all just kicking the same cans down the same roads.

AgentME2y ago

Passkeys are being introduced right now in browsers and popular sites like a MFA option, but I think the intention is that they will grow and become the main factor in the future.

riddley2y ago

From what I've seen they're all controlled by huge tech companies. Hard pass.

doubled1122y ago

I liked the username, password and TOTP combination. I could choose my own password manager, and TOTP generator app, based on my preferences.

I have a feeling this won't hold true forever. Microsoft has their own authenticator now, Steam has another one, Google has their "was this you?" built into the OS.

Monetization comes next? "View this ad before you login! Pay 50c to stay logged in for longer?"

3 more replies

AgentME2y ago

I don't understand this criticism. What is being controlled? Passkeys are an open standard that a browser can implement with public key crypto.

1 more reply

pabs32y ago

KeepassXC is working on supporting them natively in software, so you would not need to trust big tech companies, unless you are logging into a service that requires attestation to be enabled.

SahAssar2y ago

Password managers are adding support (as in they control the keys) and I've used my yubikeys as "passkeys" (with the difference that I can't autofill the username).

It's a good spec. I wish more people who spread FUD about it being a "tech-giant" only thing would instead focus on the productive things like demanding proper import/export between providers.

1 more reply

pabs32y ago

They also require JavaScript to work unfortunately.

apitman2y ago

https://xkcd.com/538/

j / k navigate · click thread line to collapse

0 comments

ryukoposting2y ago

eairy2y ago

I pushed YubiKey as a solution and explained in detail why SMS was an awful choice, but they went with SMS anyway.

ryukoposting2y ago

Interesting. I assumed a lot of client software for small banks was vendored - I know that's the case for brokerages. Makes it all the weirder that they all imitate each other.

heyoni2y ago

But why won’t banks at least support customer provided yubikeys?

mulmen2y ago

> But why won’t banks at least support customer provided yubikeys?

> support

You answered your own question.

1 more reply

intelVISA2y ago

Banks loathe anything relating, or adjacent, to good SWE principles.

ryukoposting2y ago

jalk2y ago

Bank of America supports user purchased TOTP devices.

https://www.bankofamerica.com/security-center/online-mobile-...

rainbowzootsuit2y ago

Brokerage, not bank, but you can do Yubikey-only at Vanguard.

https://www.bogleheads.org/forum/viewtopic.php?t=349826

eru2y ago

Because it's extra hassle?

mlrtime2y ago

The largest US crypto brokerages/exchanges support yubikey.

Some will provide and require them for top customers to ensure they are safe.

dalyons2y ago

Liquix2y ago

monksy2y ago

They're pretty terrible when they do.

For the longest time the max password size was 8 characters and the csr knew what your password was.

Heck I've had Chase security tell me they'd call me back.. dude that's exactly how people get compromised.

biglost2y ago

A friensd bank, hopefully not the one i use, only allow a password off 6 digits. Yes You read it right, 6 fucking digits to login, i hace him the asvice to run away from that shitty bank

1 more reply

doubled1122y ago

Exactly. 8 character password in the 2010s as the only factor was fine. It was only my money we're talking about.

Now I have to wait for an SMS. Great...

throwaway29902y ago

SMS is fine on most countries. It’s just America is dumb and allows number transfers to anyone.

6 more replies

darkr2y ago

> There is little to no advantage to being the first bank to implement YubiKey 2FA

Ideally they’d just implement passkeys (webauthn/fido). More secure, and it works with iOS, android, 1password, and yubikeys

grepfru_it2y ago

Uh many banks provide MFA. And secure with hardware keys. It’s just that your level of assets doesn’t warrant that kind of protection.

Source: worked at all the major banks, all the wealthy clients use hardware MFA

wsc9812y ago

The bank I used in The Netherlands provides a MFA device as well. The device requires an ATM card as well to generate a random number.

This is the default for all their customers, wealthy or not.

https://www.abnamro.nl/en/commercialbanking/internetbanking/...

1 more reply

heyoni2y ago

They’re a bank. If they can secure their portals with hardware keys, at least allow customers to onboard their own keys.

LtWorf2y ago

My bank gave me an hardware token to protect my 5k€ account.

Get better banks people :)

1 more reply

gonzo412y ago

codedokode2y ago

The problem is that the bank will automatically enable online access and SMS-confirmed transfers for that 100 year old person who doesn't even know how to use Internet.

krinchan2y ago

Just say BofA.

snnn2y ago

hangonhn2y ago

All very fair points.

1 more reply

fsckboy2y ago

>I'd much rather see passwords entirely replaced by key-based authentication

AgentME2y ago

Passkeys are being introduced right now in browsers and popular sites like a MFA option, but I think the intention is that they will grow and become the main factor in the future.

riddley2y ago

From what I've seen they're all controlled by huge tech companies. Hard pass.

doubled1122y ago

I liked the username, password and TOTP combination. I could choose my own password manager, and TOTP generator app, based on my preferences.

I have a feeling this won't hold true forever. Microsoft has their own authenticator now, Steam has another one, Google has their "was this you?" built into the OS.

Monetization comes next? "View this ad before you login! Pay 50c to stay logged in for longer?"

3 more replies

AgentME2y ago

I don't understand this criticism. What is being controlled? Passkeys are an open standard that a browser can implement with public key crypto.

1 more reply

pabs32y ago

KeepassXC is working on supporting them natively in software, so you would not need to trust big tech companies, unless you are logging into a service that requires attestation to be enabled.

SahAssar2y ago

Password managers are adding support (as in they control the keys) and I've used my yubikeys as "passkeys" (with the difference that I can't autofill the username).

It's a good spec. I wish more people who spread FUD about it being a "tech-giant" only thing would instead focus on the productive things like demanding proper import/export between providers.

1 more reply

pabs32y ago

They also require JavaScript to work unfortunately.

apitman2y ago

https://xkcd.com/538/

j / k navigate · click thread line to collapse