[Vanguard - Unauthorized attempts to access account, change email]

goodenyou
Posts: 3826
Joined: Sun Jan 31, 2010 10:57 pm
Location: Skating to Where the Puck is Going to Be..or on the golf course

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by goodenyou »

stan1 wrote: Wed Jan 29, 2025 9:13 am
goodenyou wrote: Wed Jan 29, 2025 9:07 am

Why does it matter if you get a text that tells you that YOU are attempting to login and you have typed the wrong password? The point is that if you are trying to login, you know it. You will get a text and say “yeah, that’s me. I keep typing the wrong password”. If it’s not you, you will know someone is trying to access your account.
What action are you going to take if someone else types your username and their password? Vanguard does NOT want you to call them if this happens.
If I receive a text that says multiple attempts to log into your account were unsuccessful, I think Vanguard would be happy that I didn’t mistakenly also give information that created fraud.

The information of fraudulent attempts needs to be conveyed immediately.
"Ignorance more frequently begets confidence than does knowledge" | “At 50, everyone has the face he deserves”
scarcely
Posts: 61
Joined: Fri Feb 03, 2023 6:37 pm

Re: first serious Vanguard account takeover attempt

Post by scarcely »

MadHungarian wrote: Sat Jan 25, 2025 12:03 pm
beyou wrote: Sat Jan 25, 2025 10:05 am Again, username can be retrieved same process as pwd reset. Unique username irrelevant.
. . . .
That statement is not always true. When I tried, I was unable to retrieve my username via the pwd reset process. I got blocked by my security question before it displayed the username.
Great thread-- I've changed my username as a result of this. In addition to the various recommendations about using unique 20-character random passwords (password managers are very useful... I use 1Password and it makes this easy to do), this might be a good time to remind folks that you should NEVER set up truthful answers to challenge questions. If it asks for the name of your elementary school, select a different part of speech, something completely unrelated to the question. Again, password managers are your friend, making it easy to keep track of these things. And never reuse those answers either.

What a frightening world this is becoming.
Bagels
Posts: 261
Joined: Mon Apr 12, 2021 9:08 am

Re: first serious Vanguard account takeover attempt

Post by Bagels »

scarcely wrote: Wed Jan 29, 2025 9:42 am you should NEVER set up truthful answers to challenge questions.
Agree 100%
Although, I confess that in the past I forgot my own answers for TreasuryDirect.
Now that I have a password keeper, Bitwarden, it’s easier to keep track.
How can you tell if someone’s a vegan | Ans: Oh, they’ll tell you | How do you know if a boglehead doesn’t care about calculating dividend yield? | Ans: Oh, they’ll tell you, even if 10 other people have
Padlin
Posts: 1274
Joined: Thu Mar 01, 2007 6:46 pm
Location: MA

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by Padlin »

bmstrong wrote: Wed Jan 29, 2025 8:48 am Does everyone still keep paper records of account numbers, passwords, etc for an offline reference and proof of ownership? Or have we sailed past that point now in a paperless age? What do you do for your loved ones in case something happens?
I save a copy of the holding page for both my wife's and my accounts. I just save them to the local drive and delete the old ones once in a while.
Regards | Bob
Rocinante Rider
Posts: 1285
Joined: Fri Aug 19, 2022 12:52 pm

Re: first serious Vanguard account takeover attempt

Post by Rocinante Rider »

Bagels wrote: Wed Jan 29, 2025 9:54 am
scarcely wrote: Wed Jan 29, 2025 9:42 am you should NEVER set up truthful answers to challenge questions.
Agree 100%
Although, I confess that in the past I forgot my own answers for TreasuryDirect.
Now that I have a password keeper, Bitwarden, it’s easier to keep track.
Same here. I use my password manager to generate unique and random answers for each question in each account. I also pick security questions that don't apply to me merely as a personal prompt to look for the answer in my password manager.
Doom&Gloom
Posts: 5816
Joined: Thu May 08, 2014 3:36 pm

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by Doom&Gloom »

goodenyou wrote: Wed Jan 29, 2025 8:53 am
goodenyou wrote: Wed Jan 29, 2025 8:39 am This may sound novice, but why can't Vanguard set up a notification by 2FA (text) that an attempt (successful or not if it is you) has been made to login to your account EVERY time? That way, you will know if a hacker has attempted a login and, if they use the wrong password multiple times, you will be alerted as to why there is a denial of access on your account IMMEDIATELY.

They can also add a location to the login attempt much like Google does.
My credit card sends me immediate emails that the card has been used and the amount and where it was used. This is a great way to prevent fraud from getting out of hand. Seems so easy.

Vanguard should alert you EVERY TIME there is access or attempted access to your account.
That is because the credit card bank wants you to help protect their money.

I admit being thoroughly confused as to what has actually happened to the posters having issues in this thread.
stan1
Posts: 16198
Joined: Mon Oct 08, 2007 4:35 pm

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by stan1 »

Security questions are out of favor with better 2FA technologies available, but since some sites still use them answers can be requested by a call center rep.

I don't want to be on the phone repeating a 20 character random string, so I use nonsensical English words.

For example: Favorite pizza = junction

Easy to pass to a human when required, but not something anyone is going to guess like pepperoni. Stored in Password Manager, but that just makes the risk of losing access to password manager have greater consequence.
Bagels
Posts: 261
Joined: Mon Apr 12, 2021 9:08 am

Re: first serious Vanguard account takeover attempt

Post by Bagels »

Rocinante Rider wrote: Wed Jan 29, 2025 10:01 am
Bagels wrote: Wed Jan 29, 2025 9:54 am

Agree 100%
Although, I confess that in the past I forgot my own answers for TreasuryDirect.
Now that I have a password keeper, Bitwarden, it’s easier to keep track.
Same here. I use my password manager to generate unique and random answers for each question in each account. I also pick security questions that don't apply to me merely as a personal prompt to look for the answer in my password manager.
👍
Great username, by the way :happy
How can you tell if someone’s a vegan | Ans: Oh, they’ll tell you | How do you know if a boglehead doesn’t care about calculating dividend yield? | Ans: Oh, they’ll tell you, even if 10 other people have
TheDogFather
Posts: 254
Joined: Sun Jul 14, 2019 11:02 am
Location: USA

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by TheDogFather »

When I first had a Vanguard account my username was short and simple and I frequently got email notifications of attempted account access, presumably from someone who could not remember their username. I added a five digit number to my username and have never received a notification since about attempted access.
GoldStar
Posts: 1281
Joined: Wed May 23, 2018 10:59 am

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by GoldStar »

TheDogFather wrote: Wed Jan 29, 2025 12:42 pm When I first had a Vanguard account my username was short and simple and I frequently got email notifications of attempted account access, presumably from someone who could not remember their username. I added a five digit number to my username and have never received a notification since about attempted access.
I was thinking of trying all the usernames in this boglehead thread on Vanguard's site to see if there was any reuse. I will skip yours if I do so. 8-)
peppers
Posts: 1673
Joined: Tue Oct 25, 2011 7:05 pm

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by peppers »

Doom&Gloom wrote: Wed Jan 29, 2025 10:03 am

I admit being thoroughly confused as to what has actually happened to the posters having issues in this thread.
You're not the only one.
"..the cavalry ain't comin' kid, you're on your own..."
otinkyad
Posts: 516
Joined: Wed Jun 01, 2016 5:35 pm

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by otinkyad »

goodenyou wrote: Wed Jan 29, 2025 8:53 am
goodenyou wrote: Wed Jan 29, 2025 8:39 am This may sound novice, but why can't Vanguard set up a notification by 2FA (text) that an attempt (successful or not if it is you) has been made to login to your account EVERY time? That way, you will know if a hacker has attempted a login and, if they use the wrong password multiple times, you will be alerted as to why there is a denial of access on your account IMMEDIATELY.

They can also add a location to the login attempt much like Google does.
My credit card sends me immediate emails that the card has been used and the amount and where it was used. This is a great way to prevent fraud from getting out of hand. Seems so easy.

Vanguard should alert you EVERY TIME there is access or attempted access to your account.
Every successful login, maybe, though I have a few sites that do that and it’s annoying. I doubt many sites lock your account for too many sign-in attempts; it would happen too often. Every attempt is not scalable. People think of cyber security like physical security and it’s not. There isn’t someone thinking about burgling your house once a decade. There are dozens of people crawling around your house trying to get in all the time. You would spend all your time clearing notifications.
goodenyou
Posts: 3826
Joined: Sun Jan 31, 2010 10:57 pm
Location: Skating to Where the Puck is Going to Be..or on the golf course

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by goodenyou »

otinkyad wrote: Wed Jan 29, 2025 3:17 pm
goodenyou wrote: Wed Jan 29, 2025 8:53 am

My credit card sends me immediate emails that the card has been used and the amount and where it was used. This is a great way to prevent fraud from getting out of hand. Seems so easy.

Vanguard should alert you EVERY TIME there is access or attempted access to your account.
Every successful login, maybe, though I have a few sites that do that and it’s annoying. I doubt many sites lock your account for too many sign-in attempts; it would happen too often. Every attempt is not scalable. People think of cyber security like physical security and it’s not. There isn’t someone thinking about burgling your house once a decade. There are dozens of people crawling around your house trying to get in all the time. You would spend all your time clearing notifications.
If there is a denial of service where my account is locked out because I entered the wrong password multiple times, I will know it and accept it. If there is a denial of service and I DID NOT enter the wrong passwords, I sure want to know it immediately so that I am put on notice that there is/was an attempt.

I would like an IMMEDIATE text from Vanguard:

“Your account has been locked due to multiple attempts to login. Please call during business hours. Vanguard will never call you or contact you to correct this issue. Do not respond to any texts or emails as they may be fraudulent attempts to gain access to your account.”

That would help.
"Ignorance more frequently begets confidence than does knowledge" | “At 50, everyone has the face he deserves”
Retiredgolfer
Posts: 10
Joined: Tue Jan 28, 2025 1:37 pm

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by Retiredgolfer »

Followup from Vanguard Fraud Department.
An IP address from Miami was used to access my Vanguard account. Not sure how the attackers were able to get access to my username and password and to receive the security code to gain access to my account. Vanguard has no idea how this happened. Once in my account a request was made in my profile area to change the email address. Vanguard prevented the email address from being changed.

Vanguard's Fraud Department was quick to identify what happened.

We changed our usernames and password.
goodenyou
Posts: 3826
Joined: Sun Jan 31, 2010 10:57 pm
Location: Skating to Where the Puck is Going to Be..or on the golf course

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by goodenyou »

Retiredgolfer wrote: Wed Jan 29, 2025 3:59 pm Followup from Vanguard Fraud Department.
An IP address from Miami was used to access my Vanguard account. Not sure how the attackers were able to get access to my username and password and to receive the security code to gain access to my account. Vanguard has no idea how this happened. Once in my account a request was made in my profile area to change the email address. Vanguard prevented the email address from being changed.

Vanguard's Fraud Department was quick to identify what happened.

We changed our usernames and password.
Great! If you had received a text that an IP address from Miami was attempting a login, and if this was OK, don’t you think this could have been prevented?

Somehow Vanguard recognized that the IP address was not from a computer that had been previously registered, but somehow they still got through. Somehow 2FA authorization was circumvented or the fraudsters got a 2FA.

Maybe your login computer is infected? Keylogger?
Last edited by goodenyou on Wed Jan 29, 2025 4:09 pm, edited 1 time in total.
"Ignorance more frequently begets confidence than does knowledge" | “At 50, everyone has the face he deserves”
prd1982
Posts: 1981
Joined: Sun Jan 08, 2017 3:43 pm

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by prd1982 »

Retiredgolfer wrote: Wed Jan 29, 2025 3:59 pm Once in my account a request was made in my profile area to change the email address. Vanguard prevented the email address from being changed.
How did VG prevent this change? Was it changed but then backed out because you called? Or was there some VG automated process that stopped the change?
beyou
Posts: 7928
Joined: Sat Feb 27, 2010 2:57 pm
Location: If you can make it there

Re: first serious Vanguard account takeover attempt

Post by beyou »

scarcely wrote: Wed Jan 29, 2025 9:42 am Great thread-- I've changed my username as a result of this.
At Vanguard? So you had them terminate your web access and re-establish?
If so, what other challenges did that present?

I have authorized user access between mine and my spouse's accounts, I assume that would have to be set up again.
I have external portfolios entered, I would have to enter again.
I have portfolio watch groups, would have to define them again.
What about bank instructions, are they tied to the web login or your brokerage accts such that they appear with the new userid?

Seems like changing username could be a lot of work, and little benefit since they have the "forgot username" option on the site and it does not use 2FA security to protect your username.

I am going to sleep at night knowing I have a yubikey and google voice SMS (protected by yubikey too).
scarcely
Posts: 61
Joined: Fri Feb 03, 2023 6:37 pm

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by scarcely »

Nope-- sorry for the confusion. My 403b is held elsewhere. I was able to change my username, but not on Vanguard.
Gaston
Posts: 1555
Joined: Wed Aug 21, 2013 7:12 pm

Re: first serious Vanguard account takeover attempt

Post by Gaston »

PersonalFinanceJam wrote: Fri Jan 24, 2025 12:08 am So attacker can easily reset a password but would then need to use a sim swap or social engineering to get the second factor.
Not to go too far off topic, but do SIM swap attacks apply only to physical SIM cards?

We haven't had physical SIM cards in our phones for a number of years now, and it's unclear to me whether some kind of SIM swap attack can be launched against e-SIMs?
“My opinions are just that - opinions.”
LadyGeek
Site Admin
Posts: 101113
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by LadyGeek »

Gaston wrote: Sun Feb 02, 2025 7:37 am Not to go too far off topic, but do SIM swap attacks apply only to physical SIM cards?

We haven't had physical SIM cards in our phones for a number of years now, and it's unclear to me whether some kind of SIM swap attack can be launched against e-SIMs?
Yes. I suggest starting a thread in the personal consumer issues forum and asking your question there.
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
Jman9500
Posts: 1
Joined: Sun Feb 02, 2025 8:55 am

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by Jman9500 »

I recommend changing your email password, choose a robust one, and add 2FA to your email.
Email is a security risk because email is an easier means for an attacker to obtain a 2FA passcode. Think of it this way. Compared to a passcode being sent only to your phone, email provides a 2FA back channel to any device (not yours!) that can log into your email. A successful email login by an attacker is a means of password reset in the wrong hands.

Verify Vanguard’s policy about account compromise by an attacker. Do they guarantee fund restoration assuming you’ve taken the recommended security measures?

Also, you may be able to lock any account withdrawals without an additional security measure.
fredd
Posts: 249
Joined: Sun May 27, 2007 11:43 am

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by fredd »

I added a pass phrase that I must repeat to a Vanguard rep when calling Vanguard. Turned off texts as 2 factor notification, and use Yubikeys.
WeeWillyWinkie
Posts: 1
Joined: Sun Feb 02, 2025 9:40 pm

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by WeeWillyWinkie »

It's shocking to me that Schwab has a 24/7 live person I can call in such a situation but Vanguard doesn't.
wadesh
Posts: 25
Joined: Thu May 09, 2013 10:32 pm
Location: Chicago

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by wadesh »

Thanks so much for sharing your experience with us. While I no longer have my investments custodian at Vanguard, this was still useful information. My wife's username was her full name! Yikes! We went in today and changed it to a random unassociated username. Did the same for my account as it had a part of my name in it.

While I'm a fan of VG funds and still hold them at Fidelity, one of the reasons I switched away from Vanguard is their lack of 24/7 phone support. I've had to call Fidelity once at 10pm due to a login issue and was able to get through in just a few minutes. Not saying everyone should switch to Fidelity but I've not regretted my decision so far. FWIW I had both VG and Fidelity accounts for more than 25 years.

Thanks again for sharing your experience to benefit the larger community!
wadesh
Posts: 25
Joined: Thu May 09, 2013 10:32 pm
Location: Chicago

Re: first serious Vanguard account takeover attempt

Post by wadesh »

PersonalFinanceJam wrote: Fri Jan 24, 2025 12:20 pm
warner25 wrote: Fri Jan 24, 2025 11:40 am Can anyone here describe the "forgot password" flow at Fidelity or another competitor for comparison?
The below post from 2022 went through some processes but it's not entirely clear if the poster was always describing the process to reset the password or recover a user ID. Based on the poster's description in the 2022 thread it seems like Vanguard would require access to the phone # for a verification code before resetting the password. However, the OP in this thread is seemingly saying that might not be true. It's hard to understand.

viewtopic.php?t=385253

I'll leave any further testing to someone else. I'm not going to risk angering the Schwab or Fidelity security gods by testing their password reset process unless I really need to.
For anyone reading that summary, which is quite good, an update on Fidelity as of last year is that they now support standard phone Authenticator apps (Google Authenticator etc). Don't have to use that Symantec VIP anymore.
Gaston
Posts: 1555
Joined: Wed Aug 21, 2013 7:12 pm

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by Gaston »

fredd wrote: Sun Feb 02, 2025 8:24 pm I added a pass phrase that I must repeat to a Vanguard rep when calling Vanguard. Turned off texts as 2 factor notification, and use Yubikeys.
Does this part apply both to the Vanguard website and to the Vanguard mobile app?

I know that the mobile app used to be a weak point, in that you could bypass the Yubikey and still get a sign-on code via SMS. Has that loophole been closed?
“My opinions are just that - opinions.”
prd1982
Posts: 1981
Joined: Sun Jan 08, 2017 3:43 pm

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by prd1982 »

Gaston wrote: Mon Feb 03, 2025 1:26 pm
I know that the mobile app used to be a weak point, in that you could bypass the Yubikey and still get a sign-on code via SMS. Has that loophole been closed?
Assuming you have set up 2 Yubikeys and turned off SMS, you cannot use the mobile app. So yes, it is closed.

Added: tried this with Android version of the app only.
Tom_T
Posts: 5641
Joined: Wed Aug 29, 2007 2:33 pm

Re: first serious Vanguard account takeover attempt

Post by Tom_T »

wadesh wrote: Mon Feb 03, 2025 1:05 pm
PersonalFinanceJam wrote: Fri Jan 24, 2025 12:20 pm
The below post from 2022 went through some processes but it's not entirely clear if the poster was always describing the process to reset the password or recover a user ID. Based on the poster's description in the 2022 thread it seems like Vanguard would require access to the phone # for a verification code before resetting the password. However, the OP in this thread is seemingly saying that might not be true. It's hard to understand.

viewtopic.php?t=385253

I'll leave any further testing to someone else. I'm not going to risk angering the Schwab or Fidelity security gods by testing their password reset process unless I really need to.
For anyone reading that summary, which is quite good, an update on Fidelity as of last year is that they now support standard phone Authenticator apps (Google Authenticator etc). Don't have to use that Symantec VIP anymore.
I recently switched my Fidelity account to use the 2FAS authenticator app. No issues.
rkhusky
Posts: 20782
Joined: Thu Aug 18, 2011 8:09 pm

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by rkhusky »

WeeWillyWinkie wrote: Sun Feb 02, 2025 9:43 pm It's shocking to me that Schwab has a 24/7 live person I can call in such a situation but Vanguard doesn't.
Why? Nothing happens after hours that can’t be easily reversed during business hours.
rkhusky
Posts: 20782
Joined: Thu Aug 18, 2011 8:09 pm

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by rkhusky »

fredd wrote: Sun Feb 02, 2025 8:24 pm I added a pass phrase that I must repeat to a Vanguard rep when calling Vanguard. Turned off texts as 2 factor notification, and use Yubikeys.
But if you forget your pass phrase and lose your Yubikeys, Vanguard will still give you access to your account. Might take a bit, but you’ll still get access back. And that’s true for all the other brokerages too.
goodenyou
Posts: 3826
Joined: Sun Jan 31, 2010 10:57 pm
Location: Skating to Where the Puck is Going to Be..or on the golf course

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by goodenyou »

Other than the invasion of privacy and creepiness of it all, what could someone who hacked into your account actually do?

I guess they could wreak havoc on your accounts by selling and creating a tax nightmare.

Wouldn't they have to set up a bank account to send your money to? That takes time and more layers.

ACH transfer to another bank?

I receive an immediate email and text for all transactions at Vanguard. Wouldn't that alert the victim?
"Ignorance more frequently begets confidence than does knowledge" | “At 50, everyone has the face he deserves”
urban
Posts: 444
Joined: Wed Apr 14, 2021 12:36 am

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by urban »

goodenyou wrote: Mon Feb 03, 2025 5:17 pm Other than the invasion of privacy and creepiness of it all, what could someone who hacked into your account actually do?

I guess they could wreak havoc on your accounts by selling and creating a tax nightmare.

Wouldn't they have to set up a bank account to send your money to? That takes time and more layers.

ACH transfer to another bank?

I receive an immediate email and text for all transactions at Vanguard. Wouldn't that alert the victim?
Wouldn't financial institutions disallow creating an ACH link to an account with a different ownership?
goodenyou
Posts: 3826
Joined: Sun Jan 31, 2010 10:57 pm
Location: Skating to Where the Puck is Going to Be..or on the golf course

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by goodenyou »

urban wrote: Mon Feb 03, 2025 5:34 pm
goodenyou wrote: Mon Feb 03, 2025 5:17 pm Other than the invasion of privacy and creepiness of it all, what could someone who hacked into your account actually do?

I guess they could wreak havoc on your accounts by selling and creating a tax nightmare.

Wouldn't they have to set up a bank account to send your money to? That takes time and more layers.

ACH transfer to another bank?

I receive an immediate email and text for all transactions at Vanguard. Wouldn't that alert the victim?
Wouldn't financial institutions disallow creating an ACH link to an account with a different ownership?
I would think so
"Ignorance more frequently begets confidence than does knowledge" | “At 50, everyone has the face he deserves”
Bagels
Posts: 261
Joined: Mon Apr 12, 2021 9:08 am

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by Bagels »

fredd wrote: Sun Feb 02, 2025 8:24 pm I added a pass phrase that I must repeat to a Vanguard rep when calling Vanguard. Turned off texts as 2 factor notification, and use Yubikeys.
That is brilliant. I didn’t know that a pass phrase was an option there.
How can you tell if someone’s a vegan | Ans: Oh, they’ll tell you | How do you know if a boglehead doesn’t care about calculating dividend yield? | Ans: Oh, they’ll tell you, even if 10 other people have
Gaston
Posts: 1555
Joined: Wed Aug 21, 2013 7:12 pm

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by Gaston »

prd1982 wrote: Mon Feb 03, 2025 2:40 pm
Gaston wrote: Mon Feb 03, 2025 1:26 pm
I know that the mobile app used to be a weak point, in that you could bypass the Yubikey and still get a sign-on code via SMS. Has that loophole been closed?
Assuming you have set up 2 Yubikeys and turned off SMS, you cannot use the mobile app. So yes, it is closed.

Added: tried this with Android version of the app only.
Thank you. Anyone tried this on iOS?
“My opinions are just that - opinions.”
Helium
Posts: 149
Joined: Sat May 15, 2021 9:06 pm

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by Helium »

I don't know if this will help assuage any concerns, but the last time I tried adding a new bank account, it took over 10 days for it to be available for use or something like that.

Not sure if there's another way they can instantly transfer out money even if they were to access your account.
KiwiBobs
Posts: 52
Joined: Mon Jul 31, 2023 9:11 pm

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by KiwiBobs »

I use Proton Pass for my passwords which is integrated with SimpleLogin for email aliases. For my accounts:

Username: Longest allowable random words, digits, special characters if allowed.

Password: Longest allowable random characters.

2FA in order of preference: Auth app, Email, SMS to Google Voice (which no one knows and is in a different area code to where I live)

Different Email alias for each account, randomly generated by Proton but I change the prefix to something else e.g. for Fidelity it won't start with "fidelity.".
Email aliases forward to a completely separate account from daily use. No one knows the address. Has 2FA. Address has nothing to do with my real identity.
RonSwanson
Posts: 184
Joined: Sat Feb 22, 2020 6:15 pm

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by RonSwanson »

For those of you who are using YubiKey and have removed SMS as a 2FA source, does anybody know if Vanguard has closed the mobile app loophole?

Last time I looked (maybe a year ago?) if you didn't have a phone number connected to your account for 2FA, you could:

1) Install mobile app
2) Enter valid username/password
3) It *asks* you which phone number you want to register for 2FA, and then sends the code to that number!

Because of this, one needs to keep a phone number registered for 2FA, unless they have fixed this.
beyou
Posts: 7928
Joined: Sat Feb 27, 2010 2:57 pm
Location: If you can make it there

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by beyou »

RonSwanson wrote: Thu Feb 06, 2025 10:57 pm For those of you who are using YubiKey and have removed SMS as a 2FA source, does anybody know if Vanguard has closed the mobile app loophole?

Last time I looked (maybe a year ago?) if you didn't have a phone number connected to your account for 2FA, you could:

1) Install mobile app
2) Enter valid username/password
3) It *asks* you which phone number you want to register for 2FA, and then sends the code to that number!

Because of this, one needs to keep a phone number registered for 2FA, unless they have fixed this.
I kept SMS using Google Voice as my backup, not because of the mobile app (though necessary and working fine), but because I didn't want to rely on any one 2FA auth method if I can find 2 that are both secure. There have been times when various sites I have used were unable to text out a code for a period of time. On the smaller number of sites that use Yubikey, I have still encountered live incidences where the yubikey services were down for a while. Any service can go down at a site, and as long as both don't go down at the same time, I will have access. Now if there was only one "safe and secure" option, then I'd have to consider whether it's more a concern of locking myself out or of the weakest link being weak enough to allow an exploit. Hopefully the industry will figure out how to make SMS more secure in general and also most sites will offer more good options.

For one email acct I have TOTP, alternate email, google voice.
For another I have TOTP and Yubikey.

If you use google voice as an alternate for Vanguard site & app, be sure to lock down your google account.
They can accept Yubikey as well.
prd1982
Posts: 1981
Joined: Sun Jan 08, 2017 3:43 pm

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by prd1982 »

RonSwanson wrote: Thu Feb 06, 2025 10:57 pm For those of you who are using YubiKey and have removed SMS as a 2FA source, does anybody know if Vanguard has closed the mobile app loophole?

Last time I looked (maybe a year ago?) if you didn't have a phone number connected to your account for 2FA, you could:

1) Install mobile app
2) Enter valid username/password
3) It *asks* you which phone number you want to register for 2FA, and then sends the code to that number!

Because of this, one needs to keep a phone number registered for 2FA, unless they have fixed this.
Yes, it is fixed for the mobile app. I tried both Android and iOS. You cannot log on if you only have Yubikeys.
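The enrollment flow described in the quoted post can be modeled as a small reachability check, shown here as an added example that is not from any poster or from Vanguard. The rule names and the "fixed" enrollment rule are assumptions made for illustration; the model asks what a holder of the password alone can reach on an account whose only registered second factor is a security key.

```python
# Each rule: (name, capabilities required, capabilities granted).
# "sms_code" means "can receive the code the app sends". All names are hypothetical.
WEB_LOGIN = ("web login", {"password", "security_key"}, {"session"})
APP_LOGIN = ("app login", {"password", "sms_code"}, {"session"})
# Flow as described in the post: with no phone on file, the app asks which
# number to register, so the password alone is enough to obtain a code.
APP_ENROLL_OLD = ("app registers caller-chosen phone", {"password"}, {"sms_code"})
# Assumed fix: a phone can only be added from an already authenticated session.
APP_ENROLL_FIXED = ("add phone from settings", {"session"}, {"sms_code"})


def reachable(start, rules):
    """Forward-chain from `start`; return (capabilities held, rules fired in order)."""
    have, fired = set(start), []
    changed = True
    while changed:
        changed = False
        for name, needs, grants in rules:
            if needs <= have and not grants <= have:
                have |= grants
                fired.append(name)
                changed = True
    return have, fired


def path_to_session(held, rules):
    """Rules that lead from `held` to a logged-in session, or None if unreachable."""
    have, fired = reachable(held, rules)
    return fired if "session" in have else None


OLD_RULES = [WEB_LOGIN, APP_LOGIN, APP_ENROLL_OLD]
FIXED_RULES = [WEB_LOGIN, APP_LOGIN, APP_ENROLL_FIXED]

if __name__ == "__main__":
    print("old, password only:  ", path_to_session({"password"}, OLD_RULES))
    print("fixed, password only:", path_to_session({"password"}, FIXED_RULES))
    print("fixed, owner:        ",
          path_to_session({"password", "security_key"}, FIXED_RULES))
```

Under the old rules the security key never appears on the path to a session, which is why the account was only as strong as its password.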
Al Dente
Posts: 9
Joined: Sat Jan 13, 2024 1:23 pm

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by Al Dente »

So much good information in this thread. Too much actually. I know there are a lot of different ways to secure your online profiles and a lot of different levels of what is 'secure' but can someone point me to a good tutorial that will take me step by step?
seanbaby
Posts: 71
Joined: Sun Dec 02, 2018 10:08 am

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by seanbaby »

For those wanting to change the username at Vanguard, it was a 10 min hold to get the customer rep + about 2-3 mins to change the username - pretty seamless.
beyou
Posts: 7928
Joined: Sat Feb 27, 2010 2:57 pm
Location: If you can make it there

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by beyou »

seanbaby wrote: Fri Feb 07, 2025 2:19 pm For those wanting to change the username at Vanguard, it was a 10 min hold to get the customer rep + about 2-3 mins to change the username - pretty seamless.
But what happens next? Others wrote you had to re-establish online access.
I have many things set up and connected to my Vanguard login, such as granting access to/from spouse, outside holdings, custom portfolio groups in portfolio watch. I think all that would vanish and have to be set up again, after that short phone call.

Also I don't see value in changing the userid, but this has been debated to death already.
I am more concerned about the harm/time to re-configure what I had, so for me this is high cost for low reward IMO.
If you don't use some features at Vanguard the cost of your time is lower, but I still question how it helps to change username if thieves can go online and click "forgot my username" with insufficient security challenges.
beyou
Posts: 7928
Joined: Sat Feb 27, 2010 2:57 pm
Location: If you can make it there

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by beyou »

prd1982 wrote: Fri Feb 07, 2025 10:30 am
RonSwanson wrote: Thu Feb 06, 2025 10:57 pm For those of you who are using YubiKey and have removed SMS as a 2FA source, does anybody know if Vanguard has closed the mobile app loophole?

Last time I looked (maybe a year ago?) if you didn't have a phone number connected to your account for 2FA, you could:

1) Install mobile app
2) Enter valid username/password
3) It *asks* you which phone number you want to register for 2FA, and then sends the code to that number!

Because of this, one needs to keep a phone number registered for 2FA, unless they have fixed this.
Yes, it is fixed for the mobile app. I tried both Android and iOS. You cannot log on if you only have Yubikeys.
Can you have 2 Yubikeys + an SMS?
I use Google Voice as my backup to Yubikey and this is how I would have to log in to the iOS app if ever my biometric login was not working, such as on a new device. I find Google Voice to be of sufficient security, and secure it using Yubikey.

The only reason I am getting a 2nd Yubikey is my Apple account requires 2 Yubikeys or none, they will not let you use just 1 and another form of 2FA as a backup. Nice that Vanguard allows 2, but requiring 2 is a bit excessive IMO. Still I am buying a 2nd one, and considering if I should add it to Vanguard. I do use the mobile app and do not want to lose access to it.
rkhusky
Posts: 20782
Joined: Thu Aug 18, 2011 8:09 pm

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by rkhusky »

beyou wrote: Fri Feb 07, 2025 4:15 pm
The only reason I am getting a 2nd Yubikey is my Apple account requires 2 Yubikeys or none, they will not let you use just 1 and another form of 2FA as a backup. Nice that Vanguard allows 2, but requiring 2 is a bit excessive IMO. Still I am buying a 2nd one, and considering if I should add it to Vanguard. I do use the mobile app and do not want to lose access to it.
Apple says that they don’t have a backdoor into their systems. Perhaps if you were to lose your single Yubikey, you would lose all your data.
beyou
Posts: 7928
Joined: Sat Feb 27, 2010 2:57 pm
Location: If you can make it there

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by beyou »

rkhusky wrote: Fri Feb 07, 2025 4:22 pm
beyou wrote: Fri Feb 07, 2025 4:15 pm
The only reason I am getting a 2nd Yubikey is my Apple account requires 2 Yubikeys or none, they will not let you use just 1 and another form of 2FA as a backup. Nice that Vanguard allows 2, but requiring 2 is a bit excessive IMO. Still I am buying a 2nd one, and considering if I should add it to Vanguard. I do use the mobile app and do not want to lose access to it.
Apple says that they don’t have a backdoor into their systems. Perhaps if you were to lose your single Yubikey, you would lose all your data.
Yes, but they, like Vanguard, could allow multiple forms of 2FA as backup.
I have a Microsoft account and they allow software authenticator, SMS (to Google Voice), email (I send to Proton).
If any of these 3 fail, I can use either of the others and I consider all 3 fairly secure.
I have no plans to add a 2nd Yubikey to Vanguard if they take away my Google Voice backup.
I have already seen times when Yubikey was down at Vanguard and I was able to login only with SMS.
As long as you secure your SMS, nothing wrong with using it. Google Voice is good for that, and I suspect eventually carrier SMS will improve security.
Best would be if Vanguard (and others) allowed software authentication AND Yubikey for redundancy.
2nd Yubikey solves one redundancy problem (lost key) but not the other (down service which happened to me already).
rkhusky
Posts: 20782
Joined: Thu Aug 18, 2011 8:09 pm

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by rkhusky »

beyou wrote: Fri Feb 07, 2025 4:28 pm
rkhusky wrote: Fri Feb 07, 2025 4:22 pm
Apple says that they don’t have a backdoor into their systems. Perhaps if you were to lose your single Yubikey, you would lose all your data.
Yes, but they, like Vanguard, could allow multiple forms of 2FA as backup.
I have a Microsoft account and they allow software authenticator, SMS (to Google Voice), email (I send to Proton).
If any of these 3 fail, I can use either of the others and I consider all 3 fairly secure.
I have no plans to add a 2nd Yubikey to Vanguard if they take away my Google Voice backup.
I have already seen times when Yubikey was down at Vanguard and I was able to login only with SMS.
As long as you secure your SMS, nothing wrong with using it. Google Voice is good for that, and I suspect eventually carrier SMS will improve security.
Best would be if Vanguard (and others) allowed software authentication AND Yubikey for redundancy.
2nd Yubikey solves one redundancy problem (lost key) but not the other (down service which happened to me already).
I was thinking that perhaps Apple uses the Yubikey for encryption, which is different from authentication, but I don’t really know.
unwitting_gulag
Posts: 1247
Joined: Mon Dec 05, 2016 3:37 pm

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by unwitting_gulag »

No system is perfectly secure, and certainly, no system is simultaneously well-secured and easy/painless for the authorized user to access. That said, it is most dismaying to realize that if one discovers a problem at 9 pm, it is necessary to wait for the following morning to contact Vanguard to alert them... and then, to spend 45 minutes on hold. Low fees are fine and dandy, but folks, we're talking about a lifetime of achievement here... a lifetime of earning, scrimping, saving and investing! What's the point of low fees, if one might find oneself subject to such stress?
Doom&Gloom
Posts: 5816
Joined: Thu May 08, 2014 3:36 pm

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by Doom&Gloom »

unwitting_gulag wrote: Fri Feb 07, 2025 7:02 pm No system is perfectly secure, and certainly, no system is simultaneously well-secured and easy/painless for the authorized user to access. That said, it is most dismaying to realize that if one discovers a problem at 9 pm, it is necessary to wait for the following morning to contact Vanguard to alert them... and then, to spend 45 minutes on hold. Low fees are fine and dandy, but folks, we're talking about a lifetime of achievement here... a lifetime of earning, scrimping, saving and investing! What's the point of low fees, if one might find oneself subject to such stress?
I agree with you about the personal anxiety and distress, but ...

Realistically, what of substance do you think would be accomplished prior to 8am on Monday by Vanguard if you contacted them at 9pm on Friday?
Perhaps I'm too cynical.
PersonalFinanceJam
Posts: 1099
Joined: Tue Aug 24, 2021 8:32 am

Re: [Vanguard - Unauthorized attempts to access account, change email]

Post by PersonalFinanceJam »

beyou wrote: Fri Feb 07, 2025 4:28 pm
rkhusky wrote: Fri Feb 07, 2025 4:22 pm
Apple says that they don’t have a backdoor into their systems. Perhaps if you were to lose your single Yubikey, you would lose all your data.
Yes, but they, like Vanguard, could allow multiple forms of 2FA as backup.
I have a Microsoft account and they allow software authenticator, SMS (to Google Voice), email (I send to Proton).
If any of these 3 fail, I can use either of the others and I consider all 3 fairly secure.
I have no plans to add a 2nd Yubikey to Vanguard if they take away my Google Voice backup.
I have already seen times when Yubikey was down at Vanguard and I was able to login only with SMS.
As long as you secure your SMS, nothing wrong with using it. Google Voice is good for that, and I suspect eventually carrier SMS will improve security.
Best would be if Vanguard (and others) allowed software authentication AND Yubikey for redundancy.
2nd Yubikey solves one redundancy problem (lost key) but not the other (down service which happened to me already).
FWIW I think Apple's implementation is correct and I wish more financial sites implemented such measures. Unfortunately, phishing is the #1 attack vector and anything which involves entering a code or clicking a prompt in an app is susceptible to phishing. Security keys, be they hardware or software, are not susceptible to this and many other forms of credential attacks. While it may be nice to have a "backup", it could be very hard to discern if a site is having a problem validating keys or you have been directed to a phishing site which is now stealing your credentials. Especially if an attacker has been successful instilling panic in you, the victim.

You can also get by with the cheaper FIDO-only keys to save a few bucks.
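The difference between a typed code and a security-key assertion, from the server's side, as an added example that is not part of any post in this thread. The site names, secrets and key material are constructed, and an HMAC stands in for the public-key signature a real security key produces; the checks on `type`, `challenge`, `origin` and the rpId hash follow the WebAuthn assertion format.

```python
import base64, hashlib, hmac, json, struct

RP_ID, RP_ORIGIN = "bank.example", "https://bank.example"   # constructed names
LOOKALIKE_ORIGIN, LOOKALIKE_ID = "https://bank-login.example", "bank-login.example"

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and 6 digits."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{num % 1_000_000:06d}"

def server_accepts_code(secret: bytes, submitted: str, now: int) -> bool:
    # A typed code carries no record of which site the user typed it into.
    return hmac.compare_digest(totp(secret, now), submitted)

def browser_assertion(key: bytes, challenge: bytes, page_origin: str, rp_id: str):
    """Browser plus security key: the browser, not the page, writes `origin`."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    # authenticatorData = SHA-256(rpId) || flags (0x01 = user present) || signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
    signed = auth_data + hashlib.sha256(client_data).digest()
    # Stand-in: HMAC here replaces the public-key signature a real key produces.
    return client_data, auth_data, hmac.new(key, signed, hashlib.sha256).digest()

def server_accepts_assertion(key, challenge, client_data, auth_data, sig) -> bool:
    cd = json.loads(client_data)
    signed = auth_data + hashlib.sha256(client_data).digest()
    return (cd.get("type") == "webauthn.get"
            and cd.get("challenge") == b64url(challenge)
            and cd.get("origin") == RP_ORIGIN                          # origin binding
            and auth_data[:32] == hashlib.sha256(RP_ID.encode()).digest()
            and hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), sig))

def compare(now: int = 1_700_000_000) -> dict:
    secret, key, chal = b"constructed-totp-secret", b"constructed-key", b"\x07" * 32
    real = browser_assertion(key, chal, RP_ORIGIN, RP_ID)
    # Generous model: the same key material answers on the look-alike page. A real
    # key would find no credential registered for that rpId at all.
    fake = browser_assertion(key, chal, LOOKALIKE_ORIGIN, LOOKALIKE_ID)
    return {"code typed on any page": server_accepts_code(secret, totp(secret, now), now),
            "assertion from real page": server_accepts_assertion(key, chal, *real),
            "assertion from look-alike page": server_accepts_assertion(key, chal, *fake)}
```

The code check passes no matter where the digits were entered, while the assertion made on the look-alike page fails both the origin and rpId-hash checks even with a valid signature.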