by bogomipz 2892 days ago
I have a tangential question about 2FA since there's been a couple of articles recently on HN about U2F/FIDO/2FA. Is there a reason almost no banks offer 2FA?

It really seems absurd that in 2018 a person's gmail/dropbox/github etc. has better security practices than an online bank account.

EDIT: Some people assumed this was a US-centric question/perspective. If you look at this list, the number of checks for banks offering either hardware/software 2FA is pretty dismal:

https://twofactorauth.org/#banking

7 comments

I can't speak for the US, but most European banks I've seen require 2FA for almost any non-read-only action. You need either an app, or a tiny machine that authenticates against your (chip) debit card.

Login is still just password, though, but there's only so much damage you can do.

> I can't speak for the US, but most European banks I've seen require 2FA for almost any non-read-only action. You need either an app, or a tiny machine that authenticates against your (chip) debit card.

I have multiple US bank accounts and none of them have anything approaching that, it's kind of pathetic.

Vanguard supports U2F.

Note that Vanguard requires you to enable SMS two-factor authentication first. Security is only as strong as the weakest link - even if you use U2F for the security challenges, an attacker can still hijack your phone number and use that to answer the challenge.

It's still a good sign, but not good enough IMO. Unfortunately other places aren't any better.

In theory, if you're worried about SIM hijacking, you could use something like Skype SMS, and secure your access to Skype by 2FA on the associated Live account.

Perhaps there are services to choose from as well, but I'd take great care in determining trust here.

I was under the impression that Vanguard's U2F fails open if your password is over eight characters long. Is that still true?

This is not true.

No, there's no reason. CAP has been around for over a decade, and my bank has supported that and/or SMS as 2nd factor since at least 2008.

https://en.wikipedia.org/wiki/Chip_Authentication_Program

American Express provided something similar to this with the first iteration of the Amex Blue card, though the implementation details were probably different since that was back in the early 2000s. They gave each cardholder a card reader that plugged into your PC, along with other handy stuff like software that could generate one-time use card numbers linked to your account. It was all pretty whizzy, though Amex dropped it like a hot rock when it failed to get much traction.

How does CAP provide protection when logging into your bank account online?

You get a device (like those in the pictures), which you then connect to your computer, and insert your debit card. When you do an online operation (e.g. bank transfer), the bank site requires the transaction to be digitally signed by your card (which requires your PIN).

Ah OK, I didn't look closely enough, as I thought the pictures were of POS terminal devices. I was confusing CAP with "chip and pin" - the tech used inside debit cards.

It is chip and pin :) it's the same cards, just not a POS device.

That's sick, and also what I want out of the open crypto networks.
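
The sub-thread above describes CAP "sign" mode in one sentence: the card MACs the transaction details after a PIN check, so the bank can tell whether what it is about to execute is what the cardholder approved. The following is an added toy model written for this page, not the EMV/CAP implementation and not code from any commenter. It assumes a shared per-card symmetric key and uses HMAC-SHA256 in place of the real 3DES-based EMV cryptogram; the key, PIN, account numbers and the 8-digit truncation are all constructed for the demo. What it shows beyond the comment: why a browser-side beneficiary swap fails verification, why a consumed challenge cannot be replayed, and the PIN-try lockout on the card.

```python
"""Toy CAP 'sign' mode: card MACs (challenge, amount, beneficiary) after PIN check.

Added illustration for this thread. Real CAP uses an EMV application cryptogram
(3DES ARQC) inside the chip; HMAC-SHA256 here only reproduces the protocol shape.
"""
import hashlib
import hmac
import secrets

# Constructed demo key; an issuer derives per-card keys inside an HSM.
CARD_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c" * 2)
PIN_TRY_LIMIT = 3  # typical chip behaviour: lock after N wrong PINs


def _canonical(challenge: str, amount_cents: int, beneficiary: str) -> bytes:
    # Delimited encoding so field boundaries are unambiguous in the MAC input.
    return f"{challenge}\x1f{amount_cents}\x1f{beneficiary}".encode()


def _truncate(mac: bytes) -> str:
    # CAP readers display a short decimal code; derive 8 digits from the MAC.
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Card:
    """The chip: holds key and PIN, never releases the key, only signs."""

    def __init__(self, key: bytes, pin: str):
        self._key = key
        self._pin = pin
        self.pin_tries_left = PIN_TRY_LIMIT

    def sign(self, pin: str, challenge: str, amount_cents: int, beneficiary: str) -> str:
        if self.pin_tries_left == 0:
            raise PermissionError("card locked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.pin_tries_left -= 1
            raise PermissionError("wrong PIN")
        self.pin_tries_left = PIN_TRY_LIMIT
        mac = hmac.new(self._key, _canonical(challenge, amount_cents, beneficiary),
                       hashlib.sha256).digest()
        return _truncate(mac)


class Bank:
    """Issuer side: one fresh challenge per transaction, verified once."""

    def __init__(self, card_key: bytes):
        self._card_key = card_key
        self._pending: dict[str, tuple[int, str]] = {}

    def start_transfer(self, amount_cents: int, beneficiary: str) -> str:
        challenge = secrets.token_hex(4)
        self._pending[challenge] = (amount_cents, beneficiary)
        return challenge

    def complete_transfer(self, challenge: str, code: str) -> bool:
        pending = self._pending.pop(challenge, None)  # one-shot: no replay
        if pending is None:
            return False
        amount_cents, beneficiary = pending
        expected = _truncate(hmac.new(self._card_key,
                                      _canonical(challenge, amount_cents, beneficiary),
                                      hashlib.sha256).digest())
        return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Run the honest, tampered, replay and lockout cases; return the outcomes."""
    card = Card(CARD_KEY, "1234")
    bank = Bank(CARD_KEY)

    # Honest: what the user keys into the reader equals what the bank recorded.
    ch = bank.start_transfer(10000, "GB00BANK00000001")
    honest_code = card.sign("1234", ch, 10000, "GB00BANK00000001")
    honest = bank.complete_transfer(ch, honest_code)

    # Replay of an already-consumed challenge/code pair.
    replay = bank.complete_transfer(ch, honest_code)

    # Browser malware submits the attacker's account to the bank, but the user
    # keys the beneficiary shown on screen into the reader; MACs disagree.
    ch2 = bank.start_transfer(10000, "GB00EVIL00000002")
    tampered = bank.complete_transfer(
        ch2, card.sign("1234", ch2, 10000, "GB00BANK00000001"))

    # Wrong PIN repeatedly: the card locks after PIN_TRY_LIMIT attempts.
    locked = False
    for _ in range(PIN_TRY_LIMIT + 1):
        try:
            card.sign("0000", "deadbeef", 1, "GB00BANK00000001")
        except PermissionError as exc:
            locked = str(exc) == "card locked"
    return {"honest": honest, "replay": replay, "tampered": tampered, "locked": locked}


if __name__ == "__main__":
    print(demo())
```

The property worth noticing is that the security does not depend on the PC at all: the reader is air-gapped from the browser, so malware can alter what the browser sends but cannot alter what the cardholder typed into the reader, and the bank sees the mismatch.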

My guess is that it's related to support costs. If you lose your hardware key and fail Google's automated account recovery, that's a feature! If you lose your Dropbox hardware key, I'm guessing they have a proprietary recovery procedure that's not regulated by a government. If you lose a key that's associated with your bank account, that bank by law must still give you access to your account, and support costs to do that are likely higher than the systems they already have in place. Or maybe it's just hard to add this to aging infrastructure held together by duct tape, dunno.
Why do many US banks and CUs have bad password hygiene? Length limits (and really short ones)? Character restrictions? Makes you really think how bad the tech behind it all is protecting your security.
And of course many (most?) still use security questions - "what's your favorite food?", "what was the name of your first employer" etc.

I use Fidelity (in the US) because they have a TOTP implementation. It's unfortunately Symantec VIP and not Google Authenticator standard so I need yet another app, but it gives me some extra security and I am happy with it. PayPal can also use the same authenticator, in lieu of the known broken SMS.

I wish banks just got out of the business of logins and let you SSO through Gmail or another provider that has 2FA support.

Charles Schwab supports authenticator codes with Symantec VIP, or they'll send you a hardware token that generates codes.