Vanguard requires you to enable fallback SMS 2FA before you can enable U2F, which results in a net decrease, rather than increase, in account security.

How does an insecure second factor affect the security of the original factor?

EDIT: apparently the OP meant SMS password reset without requiring the second factor, not SMS 2FA. Of course that's terrible.

> How does an insecure second factor affect the security of the original factor?

If I want to compromise your account, I force fallback and then compromise your SMS. Security is as strong as the weakest link.

I understand that it could reduce your security to the level of one-factor authentication. That's really easy to do. It is not reducing the security below what one-factor authentication provides, like the OP argued it did.

I compromise your SMS. I initiate password recovery, and tell Vanguard "I forgot my password -- but look! It's still me! I can receive SMS challenges!"

That's an SMS password reset mechanism, e.g. one-factor authentication, not two-factor authentication.

That's my point. Adding an SMS number to your account reduces the security of your account to one-factor SMS authentication.

The point here is that if you cannot remove the much lower SMS sec then it's no more secure than SMS only.

How does a wooden screen door on the back of your bank vault affect the security of the vault door?

That analogy doesn't make sense.

It's more like you have a deadbolt and a regular lock. Sure, you can open the regular lock with just a credit card, but that doesn't help you with the deadbolt...

No, because in your scenario, you have to get through the deadbolt AND the regular lock. In the Vanguard scenario, you have to get through the deadbolt OR the regular lock.

That's not what the OP said originally. It's a bit disappointing that people are dispensing security advice without understanding the difference between password reset mechanisms and 2FA mechanisms. :-(

Oops, I see, sorry, you're totally right.

Yeah, I bring this up to them roughly once a year. It's crazy that they don't allow you to disable SMS.
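The AND-versus-OR distinction argued in this thread can be checked mechanically. The following is an added example, not part of any comment above: it models login paths as sets of required factors and computes the smallest sets of factors whose compromise is enough to get in. The three policies are constructed from the thread's descriptions and are assumptions, not Vanguard's documented behavior.

```python
from itertools import combinations

# Constructed model of the policies debated in the thread (assumed, not Vanguard's documented behavior).
FACTORS = ("password", "u2f", "sms")

def can_login(held, login_paths, recovery_rules):
    """True if someone controlling `held` can satisfy any login path,
    after applying recovery rules (factors needed -> factor granted)."""
    held = set(held)
    changed = True
    while changed:  # iterate to a fixed point: recovery may unlock further recovery
        changed = False
        for needs, grants in recovery_rules:
            if needs <= held and grants not in held:
                held.add(grants)
                changed = True
    return any(path <= held for path in login_paths)

def minimal_sufficient_sets(login_paths, recovery_rules=()):
    """Smallest sets of factors whose compromise is enough to get in."""
    found = []
    for size in range(1, len(FACTORS) + 1):
        for combo in combinations(FACTORS, size):
            s = frozenset(combo)
            if any(prev <= s for prev in found):
                continue  # a smaller set already suffices
            if can_login(s, login_paths, recovery_rules):
                found.append(s)
    return found

U2F_ONLY = [{"password", "u2f"}]                          # AND of two factors
SMS_FALLBACK = [{"password", "u2f"}, {"password", "sms"}]  # second factor is U2F OR SMS
SMS_RESET = [({"sms"}, "password")]                        # SMS alone resets the password

def report():
    return {
        "u2f_only": minimal_sufficient_sets(U2F_ONLY),
        "sms_2fa_fallback": minimal_sufficient_sets(SMS_FALLBACK),
        "sms_fallback_plus_sms_reset": minimal_sufficient_sets(SMS_FALLBACK, SMS_RESET),
    }

if __name__ == "__main__":
    for name, sets in report().items():
        print(name, [sorted(s) for s in sets])
```

With SMS only as a 2FA fallback, every sufficient set still contains the password; once SMS can also reset the password, `{sms}` alone becomes sufficient.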

