Vanguard: Upgrading Yubikeys

[jamesthebaker]

When I logged in to Vanguard today, I received the message that I had until September 20 to upgrade my Yubikeys.

I was successful in upgrading all 3 of my Yubikeys on my account, no issues. I use the same 3 keys for my wife's account, and when I attempt to upgrade her account I keep getting the message that "we are experiencing technical difficulties, please try again or contact Vanguard."

Does anybody know why I was successful in upgrading one account but not the second account? Any ideas? I hate to contact Vanguard as I've usually had poor experiences with that.

Thanks

[RadAudit]

I received the message that I had until September 20 to upgrade my Yubikeys.

What's a Yubikey?

[jamesthebaker]

A Yubikey is a physical key that you plug into your computer for secure, 2-factor authentication of your account.

[afan]

It worked for me, but perhaps it was a browser issue?

Did you use the same computer and browser for both accounts? Did you do the standard of clearing cookies?

[PizzaEater]

I'm experiencing the same issue on my account (" ... technical difficulties ..."). I tried with 2 different browsers.

[itaos]

Same issue. Called them, they removed the key and tried again still no luck. tried firefox and edge. They started a ticket fwiw

[anon_investor]

We had no issues updating all 4 Yubikeys on mine and my spouse's Vanguard accounts. We used the same browser/computer (Chrome/Windows).

[jamesthebaker]

Yes, using the same computer, windows 11. Have tried latest versions of both Chrome and Firefox. I guess I could try Edge. We'll see.

[Fremdon Ferndock]

I guess I just did this with a Mac running Chrome. Only I deleted my Yubi and then re-registered it from scratch. I presume this worked since I've not seen anything to the contrary. Now I have to enter the PIN for the Yubi each time I log on. I didn't have to do that before. Is that a feature of Fido2? If so, I don't like it. Don't see the point either, because you can just opt for a text code to log in, so if somebody doesn't know the Yubi PIN that is no deterrent.

[Diluted Waters]

I guess I just did this with a Mac running Chrome. Only I deleted my Yubi and then re-registered it from scratch. I presume this worked since I've not seen anything to the contrary. Now I have to enter the PIN for the Yubi each time I log on. I didn't have to do that before. Is that a feature of Fido2? If so, I don't like it. Don't see the point either, because you can just opt for a text code to log in, so if somebody doesn't know the Yubi PIN that is no deterrent.

I reregistered my Yubikey 5 NFCs from the link associated with the sign-on notice, but am puzzled by some reporting the need to now enter a PIN when signing on. I don't have to do that and I was not asked to supply a PIN when I re-registered. Any ideas why it's working differently for my keys than others?

-DW

[wander]

I too don't see the point of Vanguard asking upgrading Yubikeys by re-registering the same key I have used. It's wasting everyone's time.

[Fremdon Ferndock]

I guess I just did this with a Mac running Chrome. Only I deleted my Yubi and then re-registered it from scratch. I presume this worked since I've not seen anything to the contrary. Now I have to enter the PIN for the Yubi each time I log on. I didn't have to do that before. Is that a feature of Fido2? If so, I don't like it. Don't see the point either, because you can just opt for a text code to log in, so if somebody doesn't know the Yubi PIN that is no deterrent.

I reregistered my Yubikey 5 NFCs from the link associated with the sign-on notice, but am puzzled by some reporting the need to now enter a PIN when signing on. I don't have to do that and I was not asked to supply a PIN when I re-registered. Any ideas why it's working differently for my keys than others?

-DW

Yeh, I'd like to know that. Vanguard doesn't provide any information and this is an obscure subject. Really annoying. The PIN I have to enter is the Yubi Pin. I use the Yubi on other websites and don't have to enter a PIN. I guess this is somehow related to Fido2 but I forgot to take that course in grad school. Ahhhhhhhhhhhh!!!!!!!!!!!!!

[tlveik]

I too don't see the point of Vanguard asking upgrading Yubikeys by re-registering the same key I have used. It's wasting everyone's time.

Re-registering the key and adding a pin increases security. The new pin prevents anyone from finding your lost key (or stealing it) and then using it to get into your account. They can't get in because they don't know your pin. Granted, they also need your username and password, but the added pin does increase security. It effectively adds two-factor to the key itself.

[PizzaEater]

I too don't see the point of Vanguard asking upgrading Yubikeys by re-registering the same key I have used. It's wasting everyone's time.

Re-registering the key and adding a pin increases security. The new pin prevents anyone from finding your lost key (or stealing it) and then using it to get into your account. They can't get in because they don't know your pin. Granted, they also need your username and password, but the added pin does increase security. It effectively adds two-factor to the key itself.

That's not secure enough! We need two-factor authentication for the 2nd-factor of our two-factor authentication (i.e. Yubikey)!

[Fremdon Ferndock]

I too don't see the point of Vanguard asking upgrading Yubikeys by re-registering the same key I have used. It's wasting everyone's time.

Re-registering the key and adding a pin increases security. The new pin prevents anyone from finding your lost key (or stealing it) and then using it to get into your account. They can't get in because they don't know your pin. Granted, they also need your username and password, but the added pin does increase security. It effectively adds two-factor to the key itself.

Well, not at Vanguard since they can bypass the key altogether if they have my cellphone or can otherwise intercept the text code. I'm more worried about that than someone snatching my Yubikey.

[wander]

I too don't see the point of Vanguard asking upgrading Yubikeys by re-registering the same key I have used. It's wasting everyone's time.

Re-registering the key and adding a pin increases security. The new pin prevents anyone from finding your lost key (or stealing it) and then using it to get into your account. They can't get in because they don't know your pin. Granted, they also need your username and password, but the added pin does increase security. It effectively adds two-factor to the key itself.

It does not ask for any PIN. It simply just re-registers my old key. I still have to type my password anyway. Basically, I don't see any added security implementation.

[Fremdon Ferndock]

Maybe I'll try de-registering the keys and re-registering to see if I still have to enter the Yubi PIN every time. Not that big a deal, it just seems unnecessary to me. I started using the Yubi at Vanguard in the first place so I wouldn't have to type 2FA codes in, not because I thought it was more secure, because they let you bypass it. Now I'm back typing in codes.

[wmvink]

I tried Chrome and Edge and both failed.

With the Yubikey, I basically get into a loop where it takes me back to the "Name your key" page after walking through the Windows-based set up. It's an endless loop.

With the Android phone option, Google Authenticator says "Cannot interpret QR code".

I figured I post this here and see if others have had same issues before I reach out to Vanguard.

[Fremdon Ferndock]

I tried Chrome and Edge and both failed.

With the Yubikey, I basically get into a loop where it takes me back to the "Name your key" page after walking through the Windows-based set up. It's an endless loop.

With the Android phone option, Google Authenticator says "Cannot interpret QR code".

I figured I post this here and see if others have had same issues before I reach out to Vanguard.

I would try de-registering your key and re-registering it before you get into another endless look trying to reach out to Vanguard. Be sure that you can still log in using 2FA with code sent to your phone before de-registering your key

[changingtimes]

I think I'll wait until closer to the Sept. 20 deadline, and let you guys work out all of the kinks.

[Fremdon Ferndock]

Well, I found out something. Apparently, the Yubi asking for a PIN is related to the browser being used. I googled some info from Yubico and it seemed to say that the site you are logging into can require this, but if it isn't requested then the browser might default to requiring it. I've been using Chrome on my Mac and being required to enter the Yubi PIN. But when I switched to Firefox, the PIN was not requested. So apparently, that's a browser thing with FIDO2 on Vanguard. BTW, I first tried Safari and turns out that browser doesn't support the use of security keys at all.

[Tarheelstrummer]

I guess I just did this with a Mac running Chrome. Only I deleted my Yubi and then re-registered it from scratch. I presume this worked since I've not seen anything to the contrary. Now I have to enter the PIN for the Yubi each time I log on. I didn't have to do that before. Is that a feature of Fido2? If so, I don't like it. Don't see the point either, because you can just opt for a text code to log in, so if somebody doesn't know the Yubi PIN that is no deterrent.

You can also opt out of the ability to use an SMS code as a backup by going into your Vanguard security settings. I have done so because allowing a text code defeats the purpose of using a security key in two-factor authentication. Vanguard apparently will allow you to opt out of SMS code backup only if you have two security keys (a primary and backup) registered.

Like some (but apparently not all) of the other commenters who have re-authorized their Yubikeys under the new Vanguard system, I am now required to enter a pin before I touch the key.

[MrJedi]

The PIN is an extra feature of FIDO2/Webauthn. It's up to the website to decide if a PIN or a touch is required or not. Those aren't inherently required by FIDO2, just extra options.

[MrJedi]

I guess I just did this with a Mac running Chrome. Only I deleted my Yubi and then re-registered it from scratch. I presume this worked since I've not seen anything to the contrary. Now I have to enter the PIN for the Yubi each time I log on. I didn't have to do that before. Is that a feature of Fido2? If so, I don't like it. Don't see the point either, because you can just opt for a text code to log in, so if somebody doesn't know the Yubi PIN that is no deterrent.

I reregistered my Yubikey 5 NFCs from the link associated with the sign-on notice, but am puzzled by some reporting the need to now enter a PIN when signing on. I don't have to do that and I was not asked to supply a PIN when I re-registered. Any ideas why it's working differently for my keys than others?

-DW

Did you ever set a PIN on your Yubikey with the manager?

[RubyTuesday]

Seems like I recall having a similar error when I tried to name my key using spaces in the middle of the name (e.g. “Yubi 5ci-1”). Did you have any white space in your key name?

[MrJedi]

Well, I found out something. Apparently, the Yubi asking for a PIN is related to the browser being used. I googled some info from Yubico and it seemed to say that the site you are logging into can require this, but if it isn't requested then the browser might default to requiring it. I've been using Chrome on my Mac and being required to enter the Yubi PIN. But when I switched to Firefox, the PIN was not requested. So apparently, that's a browser thing with FIDO2 on Vanguard. BTW, I first tried Safari and turns out that browser doesn't support the use of security keys at all.

I have to use PIN with my Firefox.

Personally, I'm inclined to think Vanguard's implementation is messed up and buggy.

[Fremdon Ferndock]

Well, I found out something. Apparently, the Yubi asking for a PIN is related to the browser being used. I googled some info from Yubico and it seemed to say that the site you are logging into can require this, but if it isn't requested then the browser might default to requiring it. I've been using Chrome on my Mac and being required to enter the Yubi PIN. But when I switched to Firefox, the PIN was not requested. So apparently, that's a browser thing with FIDO2 on Vanguard. BTW, I first tried Safari and turns out that browser doesn't support the use of security keys at all.

I have to use PIN with my Firefox.

Personally, I'm inclined to think Vanguard's implementation is messed up and buggy.

Yeh. This is just weird. Are you using a Mac? Maybe something is different with Firefox and Chrome for Mac.

[Freefun]

did you try clearing your cookies etc.?

[MrJedi]

Well, I found out something. Apparently, the Yubi asking for a PIN is related to the browser being used. I googled some info from Yubico and it seemed to say that the site you are logging into can require this, but if it isn't requested then the browser might default to requiring it. I've been using Chrome on my Mac and being required to enter the Yubi PIN. But when I switched to Firefox, the PIN was not requested. So apparently, that's a browser thing with FIDO2 on Vanguard. BTW, I first tried Safari and turns out that browser doesn't support the use of security keys at all.

I have to use PIN with my Firefox.

Personally, I'm inclined to think Vanguard's implementation is messed up and buggy.

Yeh. This is just weird. Are you using a Mac? Maybe something is different with Firefox and Chrome for Mac.

Windows 10 for me.

[Tubes]

Following the link to re-register also lead me to "technical difficulties."

Thanks to the discussion above, I successfully did the job by deleting, then registering.

Thank you.

[Fremdon Ferndock]

By this point I"m so sick and tired of Yubikey that I'm considering a garbage receptacle and going back to SMS codes. It falls into the "if you don't understand it, then don't invest in it" advice.

[Tubes]

By this point I"m so sick and tired of Yubikey that I'm considering a garbage receptacle and going back to SMS codes. It falls into the "if you don't understand it, then don't invest in it" advice.

Your garbage receptacle has a USB port for a security key?

[MrJedi]

By this point I"m so sick and tired of Yubikey that I'm considering a garbage receptacle and going back to SMS codes. It falls into the "if you don't understand it, then don't invest in it" advice.

I'm not super fond of Vanguard's implementation, as it seems pretty half baked.

However I do very much like having it for things like my Google and Microsoft accounts. There is a lot of sensitive data, email/password reset type stuff there so I feel a lot better with those accounts locked down tightly.

Financial accounts like Vanguard, bank accounts, etc. are so heavily regulated and tracked, it's hard to see some fraudulent activity being more than an annoyance to untangle vs. some real permanent damage from having personal data, emails, etc. wrangled out of a Google account, Microsoft account, etc.

[anon_investor]

By this point I"m so sick and tired of Yubikey that I'm considering a garbage receptacle and going back to SMS codes. It falls into the "if you don't understand it, then don't invest in it" advice.

Your garbage receptacle has a USB port for a security key?

Does a Yubikey secured garbage keep out dumpster divers and wild animals out equally as well?

[hudson]

The PIN is an extra feature of FIDO2/Webauthn. It's up to the website to decide if a PIN or a touch is required or not. Those aren't inherently required by FIDO2, just extra options.

I recently updated my 3 Yubikeys…maybe this morning?

#! The Yubikey already had a pin; I don't know what website had me enter a pin. I did have a record of the pin, so I was good. Success.

#2 Vanguard didn't ask for a pin and didn't ask me to add a pin: Success without a pin

# 3 Vanguard asked me to add a pin and enter it twice. I recorded my new pin. Success

Bottom line: Two with pins and one without...no problems.

[Fremdon Ferndock]

Before the "upgrade" on Vanguard, my logon process was to use my password manager to autofill my ID and Password, then touch the Yubi, and success.

Now it's (1) use password manager to autofill, (2) touch Yubi, (3) key in Yubi password, (4) touch Yubi again. This is quite an improvement! I"m looking forward to the next "upgrade" which might add a couple more steps to the process.

[gavinsiu]

Before the "upgrade" on Vanguard, my logon process was to use my password manager to autofill my ID and Password, then touch the Yubi, and success.

Now it's (1) use password manager to autofill, (2) touch Yubi, (3) key in Yubi password, (4) touch Yubi again. This is quite an improvement! I"m looking forward to the next "upgrade" which might add a couple more steps to the process.

I think the PIN for FIDO2 is actually optional. The pin is required if you attempt to use the Yubikey for passwordless login. The idea is that your PIN is like a second factor. If someone steals your key, they can't login because they need the pin. When you use Yubikey as a 2FA, it's not necessary because they would need to know the user name and password if they found your key. There is a limited number of times you can enter the wrong pin before the Yubikey reset and do a factory reset. If that happens, the key is no longer register to your account. I know I managed to do this.

If the pin is too much of a problem, Yubikey and I think Feitan sells a version with a fingerprint reader. Instead of typing in a pin, you could touch the fingerprint sensor on the hardware key.

Frankly, I think Vanguard once again they concentrated on the wrong thing. Yubikey is not secure enough! Let's add a pin, but they won't fix the vulnerability with SMS recovery.

[boglesmind]

A while ago: YubiKey registered with Vanguard previously. I *had* used the YubiKey manager app on Windows 10 to set up a PIN for FIDO2 protocol (don't remember why I did it --- it was so long ago --- I believe it was required by YubiKey app when I first configured the yubikey (usb c) using the app). Had saved the FIDO2 PIN in a password manager.

Now: Logged into Vanguard with Yubikey as usual ( NO PIN required, just touching the key is enough) and was prompted to upgrade/reregister the key. Went thru the steps (without deleting the key first) and was successful in doing so. NO PIN was requested by Vanguard. I saw an interesting note in this process which said that I could use some android phones as 2FA.

Intrigued, I logged into Vanguard using YubiKey first and then removed the key physically from the USB slot. Then started to ADD a security key to Vanguard using Chrome/Brave/Firefox on Windows10. Where Vanguard site says insert the security key, hit cancel and then 2 options appear - one of them allows one to use an Android phone as your security key. Some Google Pixel phones have built-in Titan security chip made by Google and it can do the FIDO2 authentication. When I select this option, Vanguard shows a QR code and in small print below it says "use your camera app or QR code reader". NOTE: it does NOT say use Google Authenticator app since it cannot be used. So, I use the camera app on my phone to scan the QR code and sure enough a FIDO2: url appears below the image in the camera app itself. Touch it and the phone now shows "Enter PIN" and Vanguard wants to authenticate you. Most frustrating part is trying ALL FIDO2 pins I have ever set and nothing worked. Cancelled the process and retried over two days multiple times leading to more frustration. Today, I thought about this more: Since I have NOT set up a PIN with Vanguard, the PIN request is NOT coming from Vanguard. Vanguard is simple trying to ensure you are using the phone and not some one else, how do you prove you are using the phone? Tried screen lock PIN at this stage and SUCCESS! The process went thru and my phone was added as a second security key. So it was the FIDO2 url trying to ensure it was I who was using the phone and asking for screen lock PIN without saying so!

Boglesmind

[boglesmind]

I guess I just did this with a Mac running Chrome. Only I deleted my Yubi and then re-registered it from scratch. I presume this worked since I've not seen anything to the contrary. Now I have to enter the PIN for the Yubi each time I log on. I didn't have to do that before. Is that a feature of Fido2? If so, I don't like it. Don't see the point either, because you can just opt for a text code to log in, so if somebody doesn't know the Yubi PIN that is no deterrent.

We use Windows 10 Chrome/Brave/Firefox browser. Vanguard didn't ask for a PIN after re-registering and using Yubikey (usb-c version).

Boglesmind

[boglesmind]

I tried Chrome and Edge and both failed.

With the Yubikey, I basically get into a loop where it takes me back to the "Name your key" page after walking through the Windows-based set up. It's an endless loop.

With the Android phone option, Google Authenticator says "Cannot interpret QR code".

I figured I post this here and see if others have had same issues before I reach out to Vanguard.

Use Google camera app to scan the QR code which will show you FIDO2 url that touch or click. Authenticator app does more than scan QR code.

Boglesmind

[boglesmind]

I guess I just did this with a Mac running Chrome. Only I deleted my Yubi and then re-registered it from scratch. I presume this worked since I've not seen anything to the contrary. Now I have to enter the PIN for the Yubi each time I log on. I didn't have to do that before. Is that a feature of Fido2? If so, I don't like it. Don't see the point either, because you can just opt for a text code to log in, so if somebody doesn't know the Yubi PIN that is no deterrent.

I reregistered my Yubikey 5 NFCs from the link associated with the sign-on notice, but am puzzled by some reporting the need to now enter a PIN when signing on. I don't have to do that and I was not asked to supply a PIN when I re-registered. Any ideas why it's working differently for my keys than others?

-DW

Did you ever set a PIN on your Yubikey with the manager?

Good question. Am not DW but I too HAD set a PIN for the YubiKey long ago using yubikey manager app when I first got the YubiKey.

[boglesmind]

I guess I just did this with a Mac running Chrome. Only I deleted my Yubi and then re-registered it from scratch. I presume this worked since I've not seen anything to the contrary. Now I have to enter the PIN for the Yubi each time I log on. I didn't have to do that before. Is that a feature of Fido2? If so, I don't like it. Don't see the point either, because you can just opt for a text code to log in, so if somebody doesn't know the Yubi PIN that is no deterrent.

I reregistered my Yubikey 5 NFCs from the link associated with the sign-on notice, but am puzzled by some reporting the need to now enter a PIN when signing on. I don't have to do that and I was not asked to supply a PIN when I re-registered. Any ideas why it's working differently for my keys than others?

-DW

Did you ever set a PIN on your Yubikey with the manager?

Good question. Am not DW but I too HAD set a PIN for the YubiKey long ago using yubikey manager app when I first got the YubiKey.

[boglesmind]

I guess I just did this with a Mac running Chrome. Only I deleted my Yubi and then re-registered it from scratch. I presume this worked since I've not seen anything to the contrary. Now I have to enter the PIN for the Yubi each time I log on. I didn't have to do that before. Is that a feature of Fido2? If so, I don't like it. Don't see the point either, because you can just opt for a text code to log in, so if somebody doesn't know the Yubi PIN that is no deterrent.

I reregistered my Yubikey 5 NFCs from the link associated with the sign-on notice, but am puzzled by some reporting the need to now enter a PIN when signing on. I don't have to do that and I was not asked to supply a PIN when I re-registered. Any ideas why it's working differently for my keys than others?

-DW

Yeh, I'd like to know that. Vanguard doesn't provide any information and this is an obscure subject. Really annoying. The PIN I have to enter is the Yubi Pin. I use the Yubi on other websites and don't have to enter a PIN. I guess this is somehow related to Fido2 but I forgot to take that course in grad school. Ahhhhhhhhhhhh!!!!!!!!!!!!!

There is a reddit thread on Yubikey, FIDO2 protocol etc.
Reddit thread
YubiCO FAQ
FIDO2 Multi-factor authentication

Boglesmind

[n00b]

I found, after updating my Yubikeys on the Vanguard site, that DW got an error trying to update hers in the same browser (Chrome on Mac). She was able to get in and update her Yubikeys by using a different browser, perhaps in incognito mode -- I don't recall. The second browser was probably Opera on Mac.

[Grasshopper]

Thanks, yes incognito mode allowed me to register my 3 keys.

[PizzaEater]

I was finally able to re-register my 2 Yubikeys using the de-register and register trick. But it was a multi-day process:

Wife's account: We were able to re-register the 2 Yubikeys no problem (without de-registering first). SMS is still disabled in account settings (though when logging in to her account there is a link that we could presumable use to send an SMS code if the Yubikey is unavailable - we haven't tried it).

My account: Yesterday, in order to de-register 1 of the 2 Yubikeys I re-enabled SMS authentication. Then I de-registered 1 Yubikey and then registered it. Then I went to de-register the 2nd Yubikey, and oops, now I can't access the "old" Yubikey interface. After some internet searching I finally found the URL and just pasted it directly into my browser (sorry I didn't save it...). This let me then de-register the 2nd key. Ok now to register it again... that worked. Next step go back and disable SMS, right? Well I did that, logged in again, and this time it didn't ask for a Yubikey - it just logged in and then immediately told me I need to enable SMS. So I did that. Now it tells me I have no Yubikeys registered. So I try to register key #1 and I get an error message that that key is already registered - even though Vanguard's site doesn't list any keys already registered. Logging out and logging back in it requires SMS authentication. I figured I confused the poor system and need to wait a day.

Today: Log in again (with SMS) and go to register Yubikey #1: success! Then register Yubikey #2: success! Logging back out and in again, I can use the Yubikey. Trying to turn off SMS: it won't let me! I figure the poor system is confused again so rather than mess up my account I'll wait until Monday to try to turn off SMS (while leaving the 2 Yubikeys enabled).

[Fremdon Ferndock]

I believe I may have found a solution to having the extra step of having to key in the Yubi PIN when I log in to Vanguard. This all started when I re-registered the Yubi on Vanguard. When re-registering, I was interrogated for a FIDO2 PIN. I had no idea what the PIN was - didn't even know I had one so I used Yubi Manager to reset and create a new one I knew. Then after re-registering the key, I had to enter the PIN every time I logged onto Vanguard.

I got to thinking that maybe having a FIDO2 PIN in the first place was the problem. If a FIDO2 PIN is set, the Yubi asks for it when logging on with FIDO2. So, I used Manager to reset the Yubi and wipe out the FIDO2 PIN. Then I de-registered and re-registered the Yubi on Vanguard. So far at least, I'm not being interrogated for a PIN by the Yubi when I log on. Tried it a couple times, but didn't want to do anymore testing right now and possibly get locked out of Vanguard for too many sequential log ins.

So, if you are having this same issue and want to get rid of it, just use Yubi Manager to reset the Yubi and wipe out the PIN. Then re-register the key without a PIN on Vanguard. Some people might actually like having a PIN, however, because it provides the extra security that the Yubi can't be used without knowing the Yubi PIN. For me, I figured the chances of someone having access to my physical Yubi was pretty minimal so I'd rather not deal with that extra step each time I'm logging on.

[increment]

So, if you are having this same issue and want to get rid of it, just use Yubi Manager to reset the Yubi and wipe out the PIN. Then re-register the key without a PIN on Vanguard.

Yubico support warns, "If you are being prompted for a FIDO2 [PIN] and don't know what it is, you will need to reset the YubiKey's FIDO2 function to blank/reset the PIN. Be advised! - this procedure will effectively unregister the key with every account it has been registered with using FIDO U2F or FIDO2, so we strongly recommend taking precautionary measures (see below) prior to resetting."

So be careful if you have registered your key anywhere else (e.g., id.me).

[Fremdon Ferndock]

So, if you are having this same issue and want to get rid of it, just use Yubi Manager to reset the Yubi and wipe out the PIN. Then re-register the key without a PIN on Vanguard.

Yubico support warns, "If you are being prompted for a FIDO2 [PIN] and don't know what it is, you will need to reset the YubiKey's FIDO2 function to blank/reset the PIN. Be advised! - this procedure will effectively unregister the key with every account it has been registered with using FIDO U2F or FIDO2, so we strongly recommend taking precautionary measures (see below) prior to resetting."

So be careful if you have registered your key anywhere else (e.g., id.me).

Yes, for sure. If you reset the key, it will render it unusable at all sites where it was registered.

[StevieG72]

This happened to me when I first got a Yubikey. If my memory serves me correctly I simply was not following the guideline for using 6 characters to name Yubikey. Now the site did not point out this as being the error, it just gave me the failed message / contact Vangaurd.

I just updated mine, no issues.