## Overview

Mercury supports WebAuthn/FIDO2-compliant hardware security keys, including Yubico's YubiKey and Google's Titan Security Key, as a two-factor authentication (2FA) method. This support extends beyond account login to the authorization of sensitive, high-value actions, such as approving outgoing wire transfers and making significant administrative changes to an account. Hardware authenticators give a stronger form of verification than SMS-based codes, and businesses can use them to enforce higher security standards for critical financial operations, directly addressing attacks such as phishing and SIM swapping.

## Key Features

The primary security benefit of a hardware key such as a YubiKey is resistance to phishing. The credential registered on the key is bound to Mercury's domain, and the browser will only exercise it for that origin. If a user is tricked into visiting a fraudulent site that mimics Mercury's login page, the site's domain does not match the credential's, so no valid signature is produced and the attacker has nothing to relay. This neutralizes phishing attacks that aim to steal one-time passcodes, a common weakness of SMS and some app-based 2FA methods. Because authentication also requires physical possession of and interaction with the key, it is unaffected by remote attacks such as SIM swapping, where an attacker hijacks a user's phone number to intercept SMS codes.

## Technical Specifications

The WebAuthn/FIDO2 protocol that these keys implement is based on public-key cryptography. During registration, a unique key pair is generated on the authenticator; the private key never leaves the device, and only the public key is registered with Mercury's servers. The credential is bound to the relying party's domain (e.g., mercury.com): the browser derives the relying party ID from the page origin, the authenticator signs only for the ID it was registered under, and each signed assertion covers the hash of that ID, the page origin, and a server-issued challenge. Mercury's server can therefore verify that a response came from the registered key, for the right site, and for this specific login or approval rather than a replay.
## How It Works

The operational flow for using a hardware key on Mercury is straightforward. For account login, after entering their email and password, the user is prompted for 2FA. They select the security key option and must physically interact with the device, typically by inserting it into a USB port and/or touching a sensor on the key, to grant access. For high-value transactions, such as initiating a large wire transfer, a similar physical confirmation is required to approve the action. This ensures that the account owner is present and intentionally authorizing the sensitive operation, preventing unauthorized remote transfers even if an attacker has obtained the user's login credentials.

## Use Cases

Mercury also provides administrative controls for this feature. Finance teams or account administrators can set policies that mandate hardware security keys for certain critical actions, enforcing a consistent, high level of security across the team. This is particularly important for organizations managing substantial capital.

## Limitations and Requirements

Mercury has several considerations around account recovery and usability. To set up a hardware security key, users must first have a Time-based One-Time Password (TOTP) authenticator app configured. This app, together with a set of downloadable backup codes, serves as a mandatory fallback. If a user loses their hardware security key, they can sign in with the authenticator app or a backup code, then navigate to the security settings to remove the lost key and register a new one. Note that TOTP codes and backup codes are not phishing-resistant, so the recovery path is the weakest factor the account accepts; backup codes should be stored offline and guarded as carefully as the key itself.
Users are encouraged to register multiple security keys so that losing one does not lock them out of their account.

## Comparison to Alternatives

This approach differs from financial institutions that require proprietary bank-issued tokens. Mercury instead relies on the open, widely adopted FIDO2 standard, so keys from any compliant vendor can be used.

## Summary

Mercury supports YubiKey and other WebAuthn/FIDO2 hardware security keys as a 2FA method for both account login and the approval of high-value transactions, providing strong, phishing-resistant authentication. The requirement for physical interaction with the device gives a high degree of assurance that actions are authorized by the legitimate user. With administrative controls to enforce its use and mandatory backup methods for recovery, Mercury's hardware key support offers a modern and secure authentication option for businesses.
Knowledge provided by Answers.org.