Forward all "fishing" attempts to abuse@usaa.com I get them almost weekly now. First hint: Member number msiing in upper right corner. Contact information missing on bottom of email. Otherwise, they look pretty convincing. Never click any link and delete right after forwarding!

I would appreciate a collaborative approach involving information sharing when such an email Is forwarded. A response indicating the actions taken, source IPS, or as close to source as could be identified, and the precise purpose and techniques being used should we have fallen for it rather than forwarded to abuse. Even just a response with an ID that categorizes your phish into a group of the exact same ones reported and a smaller central database accessible to USAA members would work. As they say, knowledge is power, and this type of information could be used to help protect others and allow knowledgeable USAA members to investigate with that information in a crowd sourced type of way that would provide more resources than would be reasonable for USAA to supply on its own. Thoughts? Roadblocks?

I already do multifactor authentication using my cellphone. However, an even stronger authentication is possible using a physical security key like Yubikey that uses FIDO2 or U2F public standards. These keys are nearly foolproof and extremely easy to use. I already use a security key for one of my other financial institutions. Does USAA plan on supporting these keys anytime in the near future?

Like DewClaw, I'm interested in knowing if adoption of YubiKey is on USAA's roadmap ?

@Keni,

Thanks for your comment. We absolutely appreciate your partnership and support in using multifactor authentication. USAA believes this is the best approach in preventing fraud. While we don’t have a FIDO option for our members, we are continuously exploring new, enhanced methods to bridge security and simplicity together. Thanks again for your input.

@Jasg27, Thank you for your comment, I have reached out to the Security team with your suggestions.

Seems like getting a code in a text message would be even stronger than a PIN?

USAA previously implemented MFA with a stand-alone app that generated a one time PIN. That's been replaced with a pin generator buried deep in the USAA app or with a text message. The former is very inconvenient and the latter the least secure method of all. Does USAA have plans to improve the functionality of the app and do away with texts? USAA used to be a technology leader. This is a huge step back. It seems to me that using an existing authenticator such as Authy would be an immediate improvement. 

I agree with Jasg27 regarding information sharing. When I forward a phishing email, I'd like to know what USAA's next steps are, if any.

I'm proud that USAA has led the financial industry in supporting interfaces to crypto exchanges (Coinbase).

Now please, please, observe the strong lessons learned in the crypto world that "SMS 2FA" (sending passcodes via text messages) is not very secure at all, due to the ease of a SIM port hack at the cell phone provider. USAA should use Google Authenticator instead which is a good intermediate and practical step before going all the way to hardware keys--which would also be a good idea to offer for high value accounts.

Just google "why sms 2fa is bad" for many articles on this topic, such as https://medium.com/coinmonks/the-most-expensive-lesson-of-my-life-details-of-sim-port-hack-35de11517...

Sorry, but I am confused......don't we use PIN plus "coin" already on the computer.....and what about using our phone?

His point is logical. My hesitancy in using 2-factor authentication is whether the cell or your email; it will mean more SPAM in your life. There is not honesty or transparency in what the recipient will do with the additional contact information. Next thing you know, you are getting TEXTs, CALLS, and emails on offers or other harassments you just do not want to see; worse yet that information is given to "Partner" or sold. Once out there, you can not get it back. Perhaps like, changing our password periodically, we need to change emails and cell numbers.

Not Paranoid, just tired of the junk-messaging- it is all just more noise in one's life.

I appreciate the product- not the marketing.

Yubikey Please....

Do you have any suggestions for free security apps you can load on phone, iPad and computer? 

Thank you all for your comments and questions!

I reached out to Mike Slaugh from USAA's Financial Crimes Prevention and he gave me a few additional details to share:

FIDO: We are also excited about the capabilities that the FIDO standards, specifically U2F, will provide. USAA is a member of the FIDO alliance and we have a seat on the board. It is in our roadmap to support the FIDO U2F standard, which will enable the use of security keys like the Yubikey. We understand that this capability is important to our security focused members and we ask for your patience as we work through some of the prerequisites.

Security Token: USAA supports Symantec VIP access security tokens when logging into usaa.com. These tokens include a standalone mobile app, a physical token and a token embedded within the USAA app. We do not yet support google authenticator but are planning to add that support in the future. If you prefer a mobile app to generate a temporary passcode, then download the Symantec VIP access app and set it up under the Cybercode Token section of your Profile & Preferences section on usaa.com.

OTC via SMS: We are aware of the articles outlining the challenges of sending one time codes via SMS, however we maintain that OTC via SMS is still better that only using a password. For those interested in a higher level of security than what SMS provides, we recommend using the CyberCode token login options that are available through the Profile & Preference section on usaa.com.

Thanks again for commenting!

@Bev16 

USAA recommends using antivirus software, a password manager and Multifactor authentication, but doesn't have a specific software recommendation.

I hope other members chime in and share their favorite applications and software choices. Thank you for posting!

Password Manager: We strongly recommend 1Password . When we first started using it, it was the only manager we could find that did not store paswords in the cloud. We love it. The 1Password folks are continually improving the product, and they are extremely transparent in their release notes about what has changed, and what is in the latest beta release.

Thanks for sharing @NC_hiker !

There are 3 of us using the account.  I for one unless I am on my tablet can't access my email as my phone doesn't have enough memory for my email app. I am having to add 2 more email address to my profile so the other 2 can have access. We already have 2 pages to do before logging in.  I do appreciate the quick response in sending the codes. I do have another suggestion let the new code last 24 hours or something.  

How long until you support U2F. I see it's on the roadmap but really this is needed as SMS is inheritantly weak.

Hi @StudioParable, Thank you for taking time to post and share your desire for U2F support. I am going to ask to see what the roadmap timeline looks like. Thanks again and have a happy Thanksgiving!

I too would _love_ U2F support, Yubikey in speciffic.

Thank you for taking the time to comment @_XM .

I will keep this thread updated when there is progress made!

Adding my vote for Yubikey or similar physical token. Already looking at VPN for security/privacy when traveling, but a physical token for banking/financial applications would give me even more peace of mind.

Thanks for everything you do.

Recently I acquired a couple of yubico 2-factor keys and a google titan U2F key.  When will USAA begin to allow me to use these keys for multi-factor authentication?

Thanks for commenting @Slim254 . I will see what kind of updates I can get! Thanks in advance for your patience as I track the answer down.

I'm aslo following up with the Yubico question.  I'd like to use my Yubikey for MFA. It's been about 2 weeks, any significant findings or updates?

This article is old but I'd like to know what plans USAA has for continued improvement of their security posture around multi-factor authentication. Two-factor authorization (2FA) in general is good. Text/SMS as 2FA is bad. There are multiple reported security breaches (from as far back as 2013 when CloudFlare was breached!) and many strong arguments that outline how SMS is not a secure medium for 2FA - It is not encrypted, it is spoofable, it is interceptable.

Better alternatives to 2FA SMS include: software authentication (Google Authenticator, SecurID, Microsoft Authenticator, USAA's CyberCode token, etc.) and hardware authentication (Yubikey, Google Titan, etc).

Sources:
- Cloudflare breach: https://dcid.me/notes/2013-apr-19.html

- Why 2FA SMS is a Bad Idea: https://blog.sucuri.net/2020/01/why-2fa-sms-is-a-bad-idea.html 

- Princeton Study - SIM Swap Attacks: https://www.techspot.com/amp/news/[removed sensitive data]-princeton-study-shows-us-carriers-do-litt... 

- Why you should not use 2FA SMS: https://www.androidpolice.com/2019/06/17/cautionary-tale-hackers-hijack-phone-number-break-into-mans... 

+1 for U2F/Yubikey

Please hurry up and allow us to use yubikey.

USAA Should be the leader in security for the accounts of service members stationed around the world. Please show your support for us by introducing this feature.

Hello @komobu, Thank you for your post. Our Website Support Team can address online security concerns at 210-531-8722 "technical support" 

Have a great weekend. ~ Lori C

@Briana Hartzell USAA did you ever find out anything when you inquired about the FIDO2/yubikey progress? I was excited to hear that this was on the roadmap.

Agree that it's well past time to implement MFA.  Not sure that the proposed solutions are adequate or workable.  You might want to consider adding an option for a one-time code, which is pushed to the account holder via phone call (not text).  One of the investment firms with which I have a substantial account already does this, and it works great.

Apps and text messages only work if you have one of those smart-phones and its associated expensive data plan.  Email works fine, but only if I'm sitting at my computer.  Biometrics require additional hardware which costs money, are not practical away from home, and (in my experience) are less than reliable.

So what happens when the USAA customer needs to access his account, away from home?  This exact situation occured to me in 2020 BC (Before COVID).  I was almost 1000 miles from home, and despite having the travel alert authorized, USAA disallowed a transaction on my credit card.  It took almost 20 minutes to reach a human customer service representative.  Fortunately I was carrying some emergency cash, which allowed me to fuel-up and get back on the road.  With MFA as it is currently envisioned by USAA, I would be stuck -- no text capability, no email capability, no biometrics.  And no customer service rep.

Good intentions, but needs some additional thought.

I'm here searching for information about how I might be able to use Yubikey for authentication for USAA.  As I get more security conscious, I'm concerned about how I've re-used passwords and can't remember them for sites I've used, etc.  I purchased a Yubikey and I'm learning how to use it in the hopes of improving my security, and of course, banking would be an area where security is paramount.

@ScoJay, thank you for reaching out. At this time we do not have any updates regarding the use of Yubikey for authentication for USAA. You may find additional helpful information regarding protecting your accounts at our Security Center at http://USAA.com/securitycenter. You may also contact our website customer support at 877-632-3003. Thank you. - Robyn

Does CyberCode Token authentication use TOTP (RFC 6238) codes?  I'm considering using this two-step authentication method for USAA but don't want to download yet another authenticator app (Symantec).  TOTP is supported by Google Authenticator, Authy, Yubico Authenticator, to name a few.  Basically, I'd like to get a QR code or the equivalent string to put into an existing TOTP generator.  Thanks!

Another vote for YubiKey/hardware key support. Text messages for 2FA are not as secure. 

Thanks @7Dave7,

I'll make sure your feedback is shared. Thank you for taking the time to post. 

I too would find the additional security option to use my Yubikey for USAA 2FA authentication very beneficial.  Please add my vote for Ybukey 2FA.

So let's get this straight...USAA took credit for being a cybersecurity prioneer two and a half years ago and there has been no visible change or progress in this area.  Can't believe there is still no security key (e.g., Yubikey or Titan) yet.  Stop funding commercials and sponsoring football games and get on with the buisiness of supporting customers!  USAA has lost its way in so many areas.  This is just another one... Let's get back in the game USAA!

The texts to the phone are cool.... and so is Quick Access. But everyone that gives an iota of concern about their security are moving to physical 2FA keys (aka Yubikey & others).

It is 2021. Are there any updates on USAA starting to support modern 2FA methods? I can secure my Amazon account better than I can secure my USAA account. The current 2FA options would have been inadequate a couple of years ago. They're negligently outdated today. Yubikey support or get outta here. 

+1 for YubiKey support.

How many users will need to come here and request it before support for hardware keys is added? Please and thank you.

Just chiming in to voice support for U2F/FIDO 2FA support. USAA is currently the only financial institute I do business with that doesn't support U2F, and will likely leave in the near future for a more secure banking solution unless it's added.

I have phoned multiple times to describe a significant security concern I have.  Each time, I have been promised that my concern would be escalated.  Some years back, someone "social engineered" a USAA call center rep.  This person knew my name, my USAA #, and my wife's name and birthdate.  They knew enough to get the call center rep. to reset my password and let them into my portal account.  After that experience, I learned that I could set up the Symantec VIP authenticator app (which works well, and I continue to use it today).  I also set up the VIP authenticator so that even when I call to speak with a USAA call center rep., they cannot access my account until I provide them with the rolling security code from my VIP app.   This is the security I want and that we all deserve.   But I have discovered that this can be bypassed easily, and the system defaults to an SMS-delivered security code, which many here before me on this thread have complained is not secure.

I respect that many users will not tolerate the inconvenience of stronger security, so USAA—like every other company—must find a way to balance its customers' preferences.  We should be given the CHOICE to select the level of security challenge we prefer.  I'm certain that everyone who knows what a Yubikey is to begin with also knows the risks if they lose or misplace that key, so they'll have a backup key.  This is simply the "cost" of online security today.  It's hard for consumers, and it's hard for USAA, but it's too important not to address. 

I have been a USAA member for over 30 years and have seen USAA show its online technology leadership in many ways throughout that period.  But I am frustrated and disappointed to have seen its commitment to member security be largely neglected in the last 5 – 10 years.  This is unacceptable.  The technical challenges are certainly significant to remediate all of the legacy code throughout the whole USAA application ecosystem and ensure seamless operation across applications and lines of business.  I get it.  But the 2018 – 2021 (soon 2022!!) lifespan of this topical thread without movement on the roadmap is a bad look. 

Member loyalty only goes so far.  The stakes are much too high for a financial institution to short-circuit a failed "strong" authentication by just dropping back to a weak one.  Please ensure the Office of the CISO is made aware of this flaw ... and my profound frustration. 

Hello @Jay_S, I understand the seriousness of the situation. I have located your information and will engage a specialist to review the details. Thank you for speaking up today. ~Sarah 

+1 for hardware tokens, especially Yubikey.  For a variety of reasons, I trust Yubikeys far more than Symantec VIP.  There is a learning curve with Yubikeys (i.e. everyone knows how and why to maintain a backup Yubikey, right??), but for those of us who are past that learning curve, there's really nothing better.  FIDO tokens are the gold standard in security.

Every year I have come back to the USAA community forums to check on the status of U2F support as I have been replying to a long standing thread (which started in 2016). Only to find-out today that it was deleted. 

This thread is currently one of only two that mention U2F support for hardware tokens like the Yubico.

So I wouldn't hold your breath on this support EVER coming to USAA. It's pretty clear they don't want support it! They will constantly talk about improving security. But they are seemingly actively deleting threads about using the most secure solution.

Since I have been watching for USAA to support this for years, I have scaled back my use of USAA's services. I had originally planned on switching over to USAA as I primary bank. But the lack of U2F is the primary reason I have not done so. 

@Zetsubo, 

If you add Fido to the search option, this thread is still there. We do not delete threads unless they go against our posting guidelines. 

Our Website Support team is the correct area to assist you with login solutions. They can be reached at 210-531-8722 "technical support" when prompted. 

I will forward your concerns to the appropriate area. 

~ Lori C

Hi @Zetsubo 

I have answered you other comment here. But wanted to add it here to ensure you see it.

Thank you for your comment. 

I wanted to follow up about your original posting on U2F. Posts in community with no comments in the last 365 days, are archived- I can see your original thread has been archived. 

I have started an inquiry with the team involved with your feedback and I am working to get an update for you on the status of yubico and USAA's U2F road map. 

Thanks for your feedback and for allowing me time to get answers for you. 

Following up ... Still nothing in response to the concerns I raised in this thread in December.  Also, still complete silence on a roadmap commitment for FIDO2 (U2F) support.  Update please?