Re: Everyone is special, SMS-Based Multi-Factor Authentication

(John and I chatted a little offline about some of this) Unfortunately, at
least insofar as I can see wandering around within my Vanguard account and
talking with Vanguard support, Vanguard does NOT use ONLY whatever 2FA you
have configured; Vanguard REQUIRES a mobile phone, and literally says at the
security key login prompt page "If you don't have your security key, you can
always request a security code".  In other words, as I said initially,
Vanguard (like BoA) lets you buy and set up a physical security token, but
also always allow you to bypass it - making the physical security token of
exactly zero real security value.

I checked in with John about it and he also found the "would you like to
bypass the real user's strong security and use weak security that you can
attack?"  prompt by Vanguard. (eyeroll)

John then observed: >Ugh, you're right.  Vanguard are pretty sophisticated
so I would guess they think that it is a lot more people who forget their
passwords than who get SIM swapped.

Undoubtedly true, though the fallibility of the average user shouldn't mean
that we godlike security people have to accept less security than we're
willing to hamstring ourselves with ... (insert "eye roll" emoji here,

John continued:
>I also wonder if they have different security for different sizes of

Sadly, nope. My parents have one of those "bigger size" accounts, and I've
spoken directly with their named Vanguard representative, who couldn't come
up with anything else/better (and, when pressed, never responded at all...
very disappointing). (Though, as John also noted, maybe in the millions and
millions and ... size accounts? Dunno. Shouldn't have to be in the top 1% to
have adequate security !)

Lastly, in response to the newer comments about why 2FA really is necessary,
about the recent hacks of LastPass, while those hacks are serious, they
don't in the near-term make a secured-with-a-strong-unique-password account
directly vulnerable (the vaults that were stolen remained encrypted, so if
the LastPass master password was good, there's still a practically safe
amount of time before a vault could be brute forced). But, yes, still - 2FA
is unfortunately NEEDED now for ... basically everything.  (And, then, yes,
adequate, at least as safe recoverability for when 2FA fails, is also