I recently set up yubikey 2FA for several of my important accounts. I was dismayed to find that several of them (Vanguard, BofA, etc.) require SMS security codes as a backup.
The most infuriating thing is when you go to the trouble of setting up 2FA and a strong password only to discover that the helpdesk will happily turn off 2FA, change your email, and reset your password if you call them on the phone with a sob story. They won't even send a notification to the old email address telling you that it was changed.
I once had a representative from Vanguard call me, and the first thing he asks me for is my security questions. I responded with "I can't be certain you're actually from Vanguard" and he got really annoyed. He was legit, I called them and got him on the line and we went from there, but it was obvious from the exchange most people just happily oblige their info.
I'd like to use a Yubikey, but too few of the accounts I'd want it on allow multiple concurrent 2FA sources, and since I won't have my Yubikey on all devices/with me 24/7 it gets cut for HOTP/TOTP which I can have in multiple places.
I feel like failure by services to allow multiple 2FA providers concurrently is a common weakness that is rarely criticized.
I use KeePass, so I make it generate a long random string and just put that as the answer. It has encrypted storage of additional name value pairs, so I can label each string with the appropriate question.
I suggest using diceware or similar random words, not random strings. Humans are typically processing these, not machines. "What's your mother's maiden name" can be answered by "Oh, I just put a bunch of random letters" if someone knows your stance on security questions.
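The two approaches above (a long random string stored per question, or a few random words from a diceware-style list) can be compared directly by the entropy they carry. The following is an added example, not code posted in this thread: it draws answers with the `secrets` CSPRNG, maps each question to its own answer the way one would store them as extra name/value fields in a password manager, and computes the bits of entropy for each style. The word list embedded here is a constructed stand-in for a real diceware list (which has 7776 words); the entropy helpers take the list size as a parameter so the numbers for a real list can be checked too.

```python
import math
import secrets

# Constructed sample word list. A real diceware list has 7776 entries; this short
# list only stands in for it so the example runs offline.
SAMPLE_WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "fable", "glacier", "harbor",
    "iris", "juniper", "kestrel", "lantern", "meadow", "nectar", "orchid", "pebble",
    "quartz", "ripple", "saffron", "timber", "umber", "velvet", "willow", "yonder",
]

# Alphabet size for a random string of upper/lower letters and digits.
ALNUM_ALPHABET_SIZE = 62


def diceware_answer(words=4, wordlist=SAMPLE_WORDLIST, separator=" "):
    """Return `words` uniformly chosen words joined by `separator`.

    secrets.choice uses the OS CSPRNG, so each word is an independent,
    uniform draw from the list (the property the entropy estimate relies on).
    """
    if words < 1:
        raise ValueError("need at least one word")
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def answer_entropy_bits(words, wordlist_size):
    """Entropy in bits of an answer made of `words` uniform draws from a list."""
    return words * math.log2(wordlist_size)


def random_string_entropy_bits(length, alphabet_size=ALNUM_ALPHABET_SIZE):
    """Entropy in bits of a random string of `length` uniform alphanumerics."""
    return length * math.log2(alphabet_size)


def build_answer_vault(questions, words=4, wordlist=SAMPLE_WORDLIST):
    """Map each security question to its own fresh random-word answer.

    This mirrors storing one name/value pair per question alongside the
    account entry: the question text is the name, the generated answer the value.
    Reusing one answer across questions (or accounts) would let a single
    disclosure unlock all of them, so every question gets an independent draw.
    """
    return {question: diceware_answer(words, wordlist) for question in questions}


def is_valid_answer(answer, words, wordlist=SAMPLE_WORDLIST, separator=" "):
    """Check that an answer has exactly `words` tokens, all from the list."""
    tokens = answer.split(separator)
    return len(tokens) == words and all(token in wordlist for token in tokens)


if __name__ == "__main__":
    vault = build_answer_vault([
        "What's your mother's maiden name?",
        "In what city were you born?",
    ])
    for question, answer in vault.items():
        print(f"{question!r:45} -> {answer}")
    # With a real 7776-word list, 5 words give about 64.6 bits; a 16-character
    # alphanumeric string gives about 95.3 bits.
    print("5 diceware words (7776-word list):", round(answer_entropy_bits(5, 7776), 1), "bits")
    print("16 random alphanumerics:          ", round(random_string_entropy_bits(16), 1), "bits")
```

The entropy figures show the real trade-off: a random string packs more bits per character, while a handful of words from a large list still gives a strong answer that a person can read aloud to a support representative without it sounding like keyboard noise.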
Yes! It should be much harder to convince a CSR who can see your plaintext answers that you're legit and don't know you were born in "Peoria" vs "eH2ochomheeVe6ti".
The point isn’t that you will have an issue using a random string; it’s that attackers who know you do so will be able to convince a customer service rep they are you by answering the question with “I just put in some random keystrokes”.
Well that would require fairly detailed knowledge about me, but point taken. Not sure how random words are much better though, if the person on the other side is ready to accept whatever.
Remember that your answer to that need not necessarily be accurate. You can invent a 'security city' perhaps and always give that... or just give a randomly generated password that you store alongside in your password locker.
FWIW, having gone through support with Vanguard, they didn't even acknowledge that they were random strings when I said they would be. They seemed well trained, at least the one I spoke with.
It's interesting to hear they even support that form of 2FA. Few services outside of Silicon Valley in my experience support Yubikey or TOTP except for enterprise, probably because they either don't understand it themselves or think it will confuse and scare off their customers.