I was just reading vanguard (investment broker) 2FA options and was happy to see it supports yubico keys until I saw the following page that says if you don't have your security key, you can still logon using the security-code method (vanguard text a code to your phone which you then enter into their site). I thought one major advantage of using a hardware key is to prevent sim hijack. By allowing users to logon using a security code, doesn't it just totally destroyed this advantage? Or maybe I'm not understanding how this works. https://investor.vanguard.com/security/security-keys
Yes, you're right to be concerned; attackers have succeeded in account take-over by forcing various account recovery mechanisms or alternative login mechanisms which are pitifully insecure, like SMS or email. A lot of financial providers in the UK have been introducing text code verifications to mobile phones which is fairly rubbish, and not even attempting proper 2FA (going upwards from Totp to U2F and Fido2). My opinion is that the only decent mechanism is the use of Fido and a one time pad you keep paper records of, for recovery purposes. For local client accounts I use a Yubikey and shorter password, but also have an admin account with a long-strong password (not 2FA), which allows recovery in case of key loss.
Very cool that they are offering this! But the way I understood is that you simply never must login from a non registered device, so this also means you don't need to have a security code. So hackers will not be able to login to your account without the Yubico key.
