HACKER Q&A
📣 jez

Bank with Yubikey support?


Yesterday I got an SMS 2FA text from my bank for a login attempt that I did not trigger. I changed my password, alerted my bank, and have been checking my account balance every few minutes it seems, but luckily everything seems fine.

The experience got me thinking, because the SMS 2FA was seemingly the last defense saving my account from a breach. My bank doesn't offer a stronger form of 2FA—neither TOTP nor any form of U2F.

Meanwhile, I really love Yubikeys; I have one plugged into every laptop I own (work and personal). I use Touch ID or Face ID on sites I access frequently from mobile.

It seems that the one place where U2F would be really impactful is online banking, but I've struggled figuring out which banks support strong 2FA without first creating an account with the bank.

Does your bank offer U2F, FIDO2, WebAuthn or any other form of hardware security token mechanism for logins? Have you had otherwise positive or negative experiences with the bank overall?


  👤 lykahb Accepted Answer ✓
At Mercury (banking stack for startups) we plan to add WebAuthn as a second factor. This allows Yubikey, TouchID and many other compatible authenticators.

👤 GloriousKoji
The ONLY financial institution I trust with large sums of money that also supports Yubikey is Vanguard.

Also check out the "Works with YubiKey" list, but it's super short and most of the entries are for crypto: https://www.yubico.com/works-with-yubikey/catalog/?usecase=1...


👤 gshakir
Bank of America offers it. It works great, but only on desktop, not in the iOS app.

👤 billdietrich1
Not YubiKey, but: ETrade (now being acquired by JP Morgan) uses the Symantec VIP hardware token. A quick search for JP Morgan 2FA leads me to believe that JP Morgan uses something similar.

On my ETrade account, I give username and password, then press the button on the hardware token, get a 6-digit TOTP, append that to the password, and click Login.

Works pretty well, except that linking services such as Plaid don't understand it. Now that Wise (formerly Transferwise) has switched to use Plaid, I have to disable 2FA from my ETrade account, do the transfer in Wise, then enable 2FA again. Works, but a pain.
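As an added example (not code from any commenter or from ETrade), here is what the server side of the "password with the 6-digit TOTP appended" flow described above has to do: split the trailing digits off, check both factors, allow one step of clock drift, and refuse a replayed code. The secret is the RFC 6238 reference seed and the salt and password are constructed demo values.

```python
import hashlib
import hmac
import struct
import time

OTP_DIGITS = 6
STEP_SECONDS = 30
# Constructed demo values: the RFC 6238 reference seed and a fixed salt, not real credentials.
DEMO_SECRET = b"12345678901234567890"
DEMO_SALT = b"demo-salt"


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_seconds: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_seconds // STEP_SECONDS)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def split_password_and_otp(submitted: str):
    """The login flow appends the token's 6 digits to the password; take them off the end."""
    if len(submitted) <= OTP_DIGITS or not submitted[-OTP_DIGITS:].isdigit():
        return None
    return submitted[:-OTP_DIGITS], submitted[-OTP_DIGITS:]


def verify_login(submitted, stored_hash, salt, secret, state, now=None, window=1):
    """Check password and OTP together; `state` remembers the last accepted counter to block replay."""
    now = int(time.time()) if now is None else now
    parts = split_password_and_otp(submitted)
    if parts is None:
        return False
    password, otp = parts
    pw_ok = hmac.compare_digest(hash_password(password, salt), stored_hash)
    current = now // STEP_SECONDS
    matched = None
    # Accept one step of drift either side; check every candidate so timing does not reveal which matched.
    for counter in range(max(0, current - window), current + window + 1):
        if hmac.compare_digest(hotp(secret, counter), otp) and counter > state.get("last_counter", -1):
            matched = counter
    if not (pw_ok and matched is not None):
        return False
    state["last_counter"] = matched
    return True
```

An aggregator that submits only the stored password never passes `split_password_and_otp`, which is the failure the Plaid remark above describes.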


👤 vineyardmike
I use Interactive Brokers for my investments (it can also be a checking account since it supports ACH and a debit card). Their app has an “IBKR Key” feature where you get a push notification to auth.

They also allow different username/password combos with different auth levels (enterprise-level granularity).

E.g. I keep the read-only combo in my phone's password manager, a general read/write-to-investments combo on my computer, and an “admin” level combo (change permissions, add banks, move money) in offline storage.


👤 dzhiurgis
How about modern e-banks like Wise and Revolut? They have tons of features and generally use a mobile app for auth (not exactly the same as a Yubikey, but way better than SMS).

👤 ed_db
Regarding the UK, here is a similar discussion on Reddit: https://www.reddit.com/r/UKPersonalFinance/comments/r7vvcj/w...

👤 toomuchtodo
Morgan Stanley and BoA.

👤 greenie_beans
Wouldn't it be nice if we could see the relevant part of the server logs when this happens? It would cut down on my paranoia. At least give me an IP address, even though it's probably worthless.

👤 RockRobotRock
I bank with Chase, and their passwords aren't even case sensitive.

👤 guenthert
Solution in search of a problem, or just plain advertising? I'd rather see banks use some sensible authentication standard (perhaps, not necessarily, 2FA; likely, but preferably not, using passwords) than a random for-profit company's product. Yubikeys are first and foremost bafflingly expensive.