For years, every time I turned on MFA on my Google accounts, within weeks, I'd be turning it off because of some issue with authentication, or needing to use my account on a device while traveling. The gold standard, of course, was a security key, but those are expensive, and I was doubtful as to whether or not they'd do any good. You'd need at least 2, so you always had one as a backup.
Over the Christmas holidays, there was a deal that got me 2 Yubico NFC keys for $26 shipped, which was a fantastic deal. These are the right kinds, because while traveling you're most likely to need the USB-A, and if you're bringing a laptop with only USB-C ports, you can also bring a USB-C to USB-A dongle, while the reverse dongle isn't easy to get.
My first impression registering the key with Google accounts was fine. With Facebook, if you already have MFA set up, you can't replace it with the key, which is annoying as heck. I was extremely disappointed when I discovered that all banks I used didn't allow the use of the key, and of my brokerage accounts, only Vanguard allowed the registration of the key. As always, Vanguard has the best IT of all the financial institutions, and if you care about security, they're the only people who deserve your business. Even then, to my surprise, when I tried to log on to Vanguard with my phone's web browser (Chrome or Edge, it doesn't matter), the browser fell back to insecure SMS instead of using the NFC security key feature, so I'm not sure how much security this even buys you!
Having 2 keys means you can have one tied to your key ring, and another in your wallet, or give one to your wife when traveling. The device seems robust, and if only Amazon allowed you to force the use of it, my kids would be prevented from buying themselves presents. For a low security person like me (not a target of state actors), this device is overkill, but it's been 2 months since I got one and I haven't wanted to turn it off yet, so it's not horribly inconvenient (yet! During COVID19 I'm not traveling!). I wouldn't recommend this at full price, and adoption amongst the majors (Amazon and Facebook in addition to most banks) is so abysmal I'm not sure what this gets you. I wouldn't recommend it for most people --- its lack of use for the most important stuff (banks! money!) seems to indicate that you're better off using a regular MFA app (I recommend Microsoft Authenticator) than trying to use this fiddly crap.