Vanguard: Upgrading Yubikeys

Topic Author
jamesthebaker
Posts: 37
Joined: Sun Feb 21, 2016 4:48 pm

Vanguard: Upgrading Yubikeys

Post by jamesthebaker »

When I logged in to Vanguard today, I received the message that I had until September 20 to upgrade my Yubikeys.

I was successful in upgrading all 3 of my Yubikeys on my account, no issues. I use the same 3 keys for my wife's account, and when I attempt to upgrade her account I keep getting the message that "we are experiencing technical difficulties, please try again or contact Vanguard."

Does anybody know why I was successful in upgrading one account but not the second account? Any ideas? I hate to contact Vanguard as I've usually had poor experiences with that.

Thanks
RadAudit
Posts: 4210
Joined: Mon May 26, 2008 10:20 am
Location: Second star on the right and straight on 'til morning

Re: Vanguard: Upgrading Yubikeys

Post by RadAudit »

jamesthebaker wrote: Tue Aug 02, 2022 4:01 pm I received the message that I had until September 20 to upgrade my Yubikeys.
What's a Yubikey?
FI is the best revenge. LBYM. Invest the rest. Stay the course. Die anyway. - PS: The cavalry isn't coming, kids. You are on your own.
Topic Author
jamesthebaker
Posts: 37
Joined: Sun Feb 21, 2016 4:48 pm

Re: Vanguard: Upgrading Yubikeys

Post by jamesthebaker »

A Yubikey is a physical key that you plug into your computer for secure, 2-factor authentication of your account.
afan
Posts: 6962
Joined: Sun Jul 25, 2010 4:01 pm

Re: Vanguard: Upgrading Yubikeys

Post by afan »

It worked for me, but perhaps it was a browser issue?

Did you use the same computer and browser for both accounts? Did you do the standard of clearing cookies?
We don't know how to beat the market on a risk-adjusted basis, and we don't know anyone that does know either | --Swedroe | We assume that markets are efficient, that prices are right | --Fama
PizzaEater
Posts: 69
Joined: Wed Apr 10, 2019 1:35 pm

Re: Vanguard: Upgrading Yubikeys

Post by PizzaEater »

I'm experiencing the same issue on my account (" ... technical difficulties ..."). I tried with 2 different browsers.
itaos
Posts: 70
Joined: Tue Aug 10, 2010 10:58 am

Re: Vanguard: Upgrading Yubikeys

Post by itaos »

Same issue. Called them; they removed the key and tried again, still no luck. Tried Firefox and Edge. They started a ticket, fwiw.
Last edited by itaos on Tue Aug 02, 2022 5:36 pm, edited 2 times in total.
anon_investor
Posts: 12367
Joined: Mon Jun 03, 2019 1:43 pm

Re: Vanguard: Upgrading Yubikeys

Post by anon_investor »

We had no issues updating all 4 Yubikeys on mine and my spouse's Vanguard accounts. We used the same browser/computer (Chrome/Windows).
Topic Author
jamesthebaker
Posts: 37
Joined: Sun Feb 21, 2016 4:48 pm

Re: Vanguard: Upgrading Yubikeys

Post by jamesthebaker »

Yes, using the same computer, Windows 11. Have tried latest versions of both Chrome and Firefox. I guess I could try Edge. We'll see.
Fremdon Ferndock
Posts: 553
Joined: Fri Dec 24, 2021 12:26 pm

Re: Vanguard: Upgrading Yubikeys

Post by Fremdon Ferndock »

I guess I just did this with a Mac running Chrome. Only I deleted my Yubi and then re-registered it from scratch. I presume this worked since I've not seen anything to the contrary. Now I have to enter the PIN for the Yubi each time I log on. I didn't have to do that before. Is that a feature of Fido2? If so, I don't like it. Don't see the point either, because you can just opt for a text code to log in, so if somebody doesn't know the Yubi PIN that is no deterrent.
"Risk is what’s left over when you think you’ve thought of everything." ~ Morgan Housel
Diluted Waters
Posts: 74
Joined: Sun Sep 13, 2020 7:35 pm

Re: Vanguard: Upgrading Yubikeys

Post by Diluted Waters »

Fremdon Ferndock wrote: Tue Aug 02, 2022 7:27 pm I guess I just did this with a Mac running Chrome. Only I deleted my Yubi and then re-registered it from scratch. I presume this worked since I've not seen anything to the contrary. Now I have to enter the PIN for the Yubi each time I log on. I didn't have to do that before. Is that a feature of Fido2? If so, I don't like it. Don't see the point either, because you can just opt for a text code to log in, so if somebody doesn't know the Yubi PIN that is no deterrent.
I reregistered my Yubikey 5 NFCs from the link associated with the sign-on notice, but am puzzled by some reporting the need to now enter a PIN when signing on. I don't have to do that and I was not asked to supply a PIN when I re-registered. Any ideas why it's working differently for my keys than others?

-DW
wander
Posts: 4195
Joined: Sat Oct 04, 2008 9:10 am

Re: Vanguard: Upgrading Yubikeys

Post by wander »

I too don't see the point of Vanguard asking upgrading Yubikeys by re-registering the same key I have used. It's wasting everyone's time.
Fremdon Ferndock
Posts: 553
Joined: Fri Dec 24, 2021 12:26 pm

Re: Vanguard: Upgrading Yubikeys

Post by Fremdon Ferndock »

Diluted Waters wrote: Tue Aug 02, 2022 8:16 pm
Fremdon Ferndock wrote: Tue Aug 02, 2022 7:27 pm I guess I just did this with a Mac running Chrome. Only I deleted my Yubi and then re-registered it from scratch. I presume this worked since I've not seen anything to the contrary. Now I have to enter the PIN for the Yubi each time I log on. I didn't have to do that before. Is that a feature of Fido2? If so, I don't like it. Don't see the point either, because you can just opt for a text code to log in, so if somebody doesn't know the Yubi PIN that is no deterrent.
I reregistered my Yubikey 5 NFCs from the link associated with the sign-on notice, but am puzzled by some reporting the need to now enter a PIN when signing on. I don't have to do that and I was not asked to supply a PIN when I re-registered. Any ideas why it's working differently for my keys than others?

-DW
Yeh, I'd like to know that. Vanguard doesn't provide any information and this is an obscure subject. Really annoying. The PIN I have to enter is the Yubi Pin. I use the Yubi on other websites and don't have to enter a PIN. I guess this is somehow related to Fido2 but I forgot to take that course in grad school. Ahhhhhhhhhhhh!!!!!!!!!!!!!
"Risk is what’s left over when you think you’ve thought of everything." ~ Morgan Housel
tlveik
Posts: 5
Joined: Sun Jan 16, 2022 10:18 pm

Re: Vanguard: Upgrading Yubikeys

Post by tlveik »

wander wrote: Wed Aug 03, 2022 4:55 am I too don't see the point of Vanguard asking upgrading Yubikeys by re-registering the same key I have used. It's wasting everyone's time.
Re-registering the key and adding a pin increases security. The new pin prevents anyone from finding your lost key (or stealing it) and then using it to get into your account. They can't get in because they don't know your pin. Granted, they also need your username and password, but the added pin does increase security. It effectively adds two-factor to the key itself.
PizzaEater
Posts: 69
Joined: Wed Apr 10, 2019 1:35 pm

Re: Vanguard: Upgrading Yubikeys

Post by PizzaEater »

tlveik wrote: Wed Aug 03, 2022 8:17 am
wander wrote: Wed Aug 03, 2022 4:55 am I too don't see the point of Vanguard asking upgrading Yubikeys by re-registering the same key I have used. It's wasting everyone's time.
Re-registering the key and adding a pin increases security. The new pin prevents anyone from finding your lost key (or stealing it) and then using it to get into your account. They can't get in because they don't know your pin. Granted, they also need your username and password, but the added pin does increase security. It effectively adds two-factor to the key itself.
That's not secure enough! We need two-factor authentication for the 2nd-factor of our two-factor authentication (i.e. Yubikey)!
Fremdon Ferndock
Posts: 553
Joined: Fri Dec 24, 2021 12:26 pm

Re: Vanguard: Upgrading Yubikeys

Post by Fremdon Ferndock »

tlveik wrote: Wed Aug 03, 2022 8:17 am
wander wrote: Wed Aug 03, 2022 4:55 am I too don't see the point of Vanguard asking upgrading Yubikeys by re-registering the same key I have used. It's wasting everyone's time.
Re-registering the key and adding a pin increases security. The new pin prevents anyone from finding your lost key (or stealing it) and then using it to get into your account. They can't get in because they don't know your pin. Granted, they also need your username and password, but the added pin does increase security. It effectively adds two-factor to the key itself.
Well, not at Vanguard since they can bypass the key altogether if they have my cellphone or can otherwise intercept the text code. I'm more worried about that than someone snatching my Yubikey.
"Risk is what’s left over when you think you’ve thought of everything." ~ Morgan Housel
wander
Posts: 4195
Joined: Sat Oct 04, 2008 9:10 am

Re: Vanguard: Upgrading Yubikeys

Post by wander »

tlveik wrote: Wed Aug 03, 2022 8:17 am
wander wrote: Wed Aug 03, 2022 4:55 am I too don't see the point of Vanguard asking upgrading Yubikeys by re-registering the same key I have used. It's wasting everyone's time.
Re-registering the key and adding a pin increases security. The new pin prevents anyone from finding your lost key (or stealing it) and then using it to get into your account. They can't get in because they don't know your pin. Granted, they also need your username and password, but the added pin does increase security. It effectively adds two-factor to the key itself.
It does not ask for any PIN. It simply just re-registers my old key. I still have to type my password anyway. Basically, I don't see any added security implementation.
Fremdon Ferndock
Posts: 553
Joined: Fri Dec 24, 2021 12:26 pm

Re: Vanguard: Upgrading Yubikeys

Post by Fremdon Ferndock »

Maybe I'll try de-registering the keys and re-registering to see if I still have to enter the Yubi PIN every time. Not that big a deal, it just seems unnecessary to me. I started using the Yubi at Vanguard in the first place so I wouldn't have to type 2FA codes in, not because I thought it was more secure, because they let you bypass it. Now I'm back typing in codes.
"Risk is what’s left over when you think you’ve thought of everything." ~ Morgan Housel
wmvink
Posts: 101
Joined: Sat Apr 13, 2013 12:44 am

Re: Vanguard: Upgrading Yubikeys

Post by wmvink »

I tried Chrome and Edge and both failed.

With the Yubikey, I basically get into a loop where it takes me back to the "Name your key" page after walking through the Windows-based set up. It's an endless loop.

With the Android phone option, Google Authenticator says "Cannot interpret QR code".

I figured I'd post this here and see if others have had the same issues before I reach out to Vanguard.
Fremdon Ferndock
Posts: 553
Joined: Fri Dec 24, 2021 12:26 pm

Re: Vanguard: Upgrading Yubikeys

Post by Fremdon Ferndock »

wmvink wrote: Wed Aug 03, 2022 9:49 am I tried Chrome and Edge and both failed.

With the Yubikey, I basically get into a loop where it takes me back to the "Name your key" page after walking through the Windows-based set up. It's an endless loop.

With the Android phone option, Google Authenticator says "Cannot interpret QR code".

I figured I'd post this here and see if others have had the same issues before I reach out to Vanguard.
I would try de-registering your key and re-registering it before you get into another endless loop trying to reach out to Vanguard. Be sure that you can still log in using 2FA with a code sent to your phone before de-registering your key.
"Risk is what’s left over when you think you’ve thought of everything." ~ Morgan Housel
changingtimes
Posts: 401
Joined: Mon Jul 24, 2017 9:28 am

Re: Vanguard: Upgrading Yubikeys

Post by changingtimes »

I think I'll wait until closer to the Sept. 20 deadline, and let you guys work out all of the kinks. :)
Fremdon Ferndock
Posts: 553
Joined: Fri Dec 24, 2021 12:26 pm

Re: Vanguard: Upgrading Yubikeys

Post by Fremdon Ferndock »

Well, I found out something. Apparently, the Yubi asking for a PIN is related to the browser being used. I googled some info from Yubico and it seemed to say that the site you are logging into can require this, but if it isn't requested then the browser might default to requiring it. I've been using Chrome on my Mac and being required to enter the Yubi PIN. But when I switched to Firefox, the PIN was not requested. So apparently, that's a browser thing with FIDO2 on Vanguard. BTW, I first tried Safari and turns out that browser doesn't support the use of security keys at all.
"Risk is what’s left over when you think you’ve thought of everything." ~ Morgan Housel
Tarheelstrummer
Posts: 7
Joined: Sun Jan 19, 2020 7:31 am

Re: Vanguard: Upgrading Yubikeys

Post by Tarheelstrummer »

Fremdon Ferndock wrote: Tue Aug 02, 2022 7:27 pm I guess I just did this with a Mac running Chrome. Only I deleted my Yubi and then re-registered it from scratch. I presume this worked since I've not seen anything to the contrary. Now I have to enter the PIN for the Yubi each time I log on. I didn't have to do that before. Is that a feature of Fido2? If so, I don't like it. Don't see the point either, because you can just opt for a text code to log in, so if somebody doesn't know the Yubi PIN that is no deterrent.
You can also opt out of the ability to use an SMS code as a backup by going into your Vanguard security settings. I have done so because allowing a text code defeats the purpose of using a security key in two-factor authentication. Vanguard apparently will allow you to opt out of SMS code backup only if you have two security keys (a primary and backup) registered.

Like some (but apparently not all) of the other commenters who have re-authorized their Yubikeys under the new Vanguard system, I am now required to enter a pin before I touch the key.
MrJedi
Posts: 2213
Joined: Wed May 06, 2020 11:42 am

Re: Vanguard: Upgrading Yubikeys

Post by MrJedi »

The PIN is an extra feature of FIDO2/WebAuthn. It's up to the website to decide if a PIN or a touch is required or not. Those aren't inherently required by FIDO2, just extra options.
MrJedi
Posts: 2213
Joined: Wed May 06, 2020 11:42 am

Re: Vanguard: Upgrading Yubikeys

Post by MrJedi »

Diluted Waters wrote: Tue Aug 02, 2022 8:16 pm
Fremdon Ferndock wrote: Tue Aug 02, 2022 7:27 pm I guess I just did this with a Mac running Chrome. Only I deleted my Yubi and then re-registered it from scratch. I presume this worked since I've not seen anything to the contrary. Now I have to enter the PIN for the Yubi each time I log on. I didn't have to do that before. Is that a feature of Fido2? If so, I don't like it. Don't see the point either, because you can just opt for a text code to log in, so if somebody doesn't know the Yubi PIN that is no deterrent.
I reregistered my Yubikey 5 NFCs from the link associated with the sign-on notice, but am puzzled by some reporting the need to now enter a PIN when signing on. I don't have to do that and I was not asked to supply a PIN when I re-registered. Any ideas why it's working differently for my keys than others?

-DW
Did you ever set a PIN on your Yubikey with the manager?
RubyTuesday
Posts: 1923
Joined: Fri Oct 19, 2012 11:24 am

Re: Vanguard: Upgrading Yubikeys

Post by RubyTuesday »

Seems like I recall having a similar error when I tried to name my key using spaces in the middle of the name (e.g. “Yubi 5ci-1”). Did you have any white space in your key name?
“Doing nothing is better than being busy doing nothing.” – Lao Tzu
MrJedi
Posts: 2213
Joined: Wed May 06, 2020 11:42 am

Re: Vanguard: Upgrading Yubikeys

Post by MrJedi »

Fremdon Ferndock wrote: Wed Aug 03, 2022 11:24 am Well, I found out something. Apparently, the Yubi asking for a PIN is related to the browser being used. I googled some info from Yubico and it seemed to say that the site you are logging into can require this, but if it isn't requested then the browser might default to requiring it. I've been using Chrome on my Mac and being required to enter the Yubi PIN. But when I switched to Firefox, the PIN was not requested. So apparently, that's a browser thing with FIDO2 on Vanguard. BTW, I first tried Safari and turns out that browser doesn't support the use of security keys at all.
I have to use PIN with my Firefox.

Personally, I'm inclined to think Vanguard's implementation is messed up and buggy.
Fremdon Ferndock
Posts: 553
Joined: Fri Dec 24, 2021 12:26 pm

Re: Vanguard: Upgrading Yubikeys

Post by Fremdon Ferndock »

MrJedi wrote: Wed Aug 03, 2022 12:50 pm
Fremdon Ferndock wrote: Wed Aug 03, 2022 11:24 am Well, I found out something. Apparently, the Yubi asking for a PIN is related to the browser being used. I googled some info from Yubico and it seemed to say that the site you are logging into can require this, but if it isn't requested then the browser might default to requiring it. I've been using Chrome on my Mac and being required to enter the Yubi PIN. But when I switched to Firefox, the PIN was not requested. So apparently, that's a browser thing with FIDO2 on Vanguard. BTW, I first tried Safari and turns out that browser doesn't support the use of security keys at all.
I have to use PIN with my Firefox.

Personally, I'm inclined to think Vanguard's implementation is messed up and buggy.
Yeh. This is just weird. Are you using a Mac? Maybe something is different with Firefox and Chrome for Mac.
"Risk is what’s left over when you think you’ve thought of everything." ~ Morgan Housel
Freefun
Posts: 1034
Joined: Sun Jan 14, 2018 3:55 pm

Re: Vanguard: Upgrading Yubikeys

Post by Freefun »

Did you try clearing your cookies etc.?
Remember when you wanted what you currently have?
MrJedi
Posts: 2213
Joined: Wed May 06, 2020 11:42 am

Re: Vanguard: Upgrading Yubikeys

Post by MrJedi »

Fremdon Ferndock wrote: Wed Aug 03, 2022 1:41 pm
MrJedi wrote: Wed Aug 03, 2022 12:50 pm
Fremdon Ferndock wrote: Wed Aug 03, 2022 11:24 am Well, I found out something. Apparently, the Yubi asking for a PIN is related to the browser being used. I googled some info from Yubico and it seemed to say that the site you are logging into can require this, but if it isn't requested then the browser might default to requiring it. I've been using Chrome on my Mac and being required to enter the Yubi PIN. But when I switched to Firefox, the PIN was not requested. So apparently, that's a browser thing with FIDO2 on Vanguard. BTW, I first tried Safari and turns out that browser doesn't support the use of security keys at all.
I have to use PIN with my Firefox.

Personally, I'm inclined to think Vanguard's implementation is messed up and buggy.
Yeh. This is just weird. Are you using a Mac? Maybe something is different with Firefox and Chrome for Mac.
Windows 10 for me.
Tubes
Posts: 1197
Joined: Wed Apr 22, 2020 6:33 am

Re: Vanguard: Upgrading Yubikeys

Post by Tubes »

Following the link to re-register also led me to "technical difficulties."

Thanks to the discussion above, I successfully did the job by deleting, then registering.

Thank you.
Fremdon Ferndock
Posts: 553
Joined: Fri Dec 24, 2021 12:26 pm

Re: Vanguard: Upgrading Yubikeys

Post by Fremdon Ferndock »

By this point I'm so sick and tired of Yubikey that I'm considering a garbage receptacle and going back to SMS codes. It falls into the "if you don't understand it, then don't invest in it" advice.
"Risk is what’s left over when you think you’ve thought of everything." ~ Morgan Housel
Tubes
Posts: 1197
Joined: Wed Apr 22, 2020 6:33 am

Re: Vanguard: Upgrading Yubikeys

Post by Tubes »

Fremdon Ferndock wrote: Wed Aug 03, 2022 3:40 pm By this point I'm so sick and tired of Yubikey that I'm considering a garbage receptacle and going back to SMS codes. It falls into the "if you don't understand it, then don't invest in it" advice.
Your garbage receptacle has a USB port for a security key? :D
MrJedi
Posts: 2213
Joined: Wed May 06, 2020 11:42 am

Re: Vanguard: Upgrading Yubikeys

Post by MrJedi »

Fremdon Ferndock wrote: Wed Aug 03, 2022 3:40 pm By this point I'm so sick and tired of Yubikey that I'm considering a garbage receptacle and going back to SMS codes. It falls into the "if you don't understand it, then don't invest in it" advice.
I'm not super fond of Vanguard's implementation, as it seems pretty half baked.

However I do very much like having it for things like my Google and Microsoft accounts. There is a lot of sensitive data, email/password reset type stuff there so I feel a lot better with those accounts locked down tightly.

Financial accounts like Vanguard, bank accounts, etc. are so heavily regulated and tracked, it's hard to see some fraudulent activity being more than an annoyance to untangle vs. some real permanent damage from having personal data, emails, etc. wrangled out of a Google account, Microsoft account, etc.
anon_investor
Posts: 12367
Joined: Mon Jun 03, 2019 1:43 pm

Re: Vanguard: Upgrading Yubikeys

Post by anon_investor »

Tubes wrote: Wed Aug 03, 2022 3:56 pm
Fremdon Ferndock wrote: Wed Aug 03, 2022 3:40 pm By this point I'm so sick and tired of Yubikey that I'm considering a garbage receptacle and going back to SMS codes. It falls into the "if you don't understand it, then don't invest in it" advice.
Your garbage receptacle has a USB port for a security key? :D
Does a Yubikey secured garbage keep out dumpster divers and wild animals equally as well? :twisted:
hudson
Posts: 5664
Joined: Fri Apr 06, 2007 9:15 am

Re: Vanguard: Upgrading Yubikeys

Post by hudson »

MrJedi wrote: Wed Aug 03, 2022 12:46 pm The PIN is an extra feature of FIDO2/WebAuthn. It's up to the website to decide if a PIN or a touch is required or not. Those aren't inherently required by FIDO2, just extra options.
I recently updated my 3 Yubikeys…maybe this morning?

#1 The Yubikey already had a pin; I don't know what website had me enter a pin. I did have a record of the pin, so I was good. Success.

#2 Vanguard didn't ask for a pin and didn't ask me to add a pin: Success without a pin

#3 Vanguard asked me to add a pin and enter it twice. I recorded my new pin. Success

Bottom line: Two with pins and one without...no problems.
Fremdon Ferndock
Posts: 553
Joined: Fri Dec 24, 2021 12:26 pm

Re: Vanguard: Upgrading Yubikeys

Post by Fremdon Ferndock »

Before the "upgrade" on Vanguard, my logon process was to use my password manager to autofill my ID and Password, then touch the Yubi, and success.

Now it's (1) use password manager to autofill, (2) touch Yubi, (3) key in Yubi password, (4) touch Yubi again. This is quite an improvement! I'm looking forward to the next "upgrade" which might add a couple more steps to the process. :oops:
"Risk is what’s left over when you think you’ve thought of everything." ~ Morgan Housel
gavinsiu
Posts: 492
Joined: Sun Nov 14, 2021 12:42 pm

Re: Vanguard: Upgrading Yubikeys

Post by gavinsiu »

Fremdon Ferndock wrote: Wed Aug 03, 2022 8:28 pm Before the "upgrade" on Vanguard, my logon process was to use my password manager to autofill my ID and Password, then touch the Yubi, and success.

Now it's (1) use password manager to autofill, (2) touch Yubi, (3) key in Yubi password, (4) touch Yubi again. This is quite an improvement! I'm looking forward to the next "upgrade" which might add a couple more steps to the process. :oops:
I think the PIN for FIDO2 is actually optional. The pin is required if you attempt to use the Yubikey for passwordless login. The idea is that your PIN is like a second factor. If someone steals your key, they can't log in because they need the pin. When you use Yubikey as a 2FA, it's not necessary because they would need to know the user name and password if they found your key. There is a limited number of times you can enter the wrong pin before the Yubikey resets and does a factory reset. If that happens, the key is no longer registered to your account. I know I managed to do this.

If the pin is too much of a problem, Yubikey and I think Feitian sell a version with a fingerprint reader. Instead of typing in a pin, you could touch the fingerprint sensor on the hardware key.

Frankly, I think Vanguard once again concentrated on the wrong thing. Yubikey is not secure enough! Let's add a pin, but they won't fix the vulnerability with SMS recovery.
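The point made in MrJedi's and gavinsiu's posts above, that the website decides whether a PIN or a touch is required, as an added example (not part of any post in this thread and not Vanguard's code): a relying party states a `userVerification` preference and then reads the UP (touch) and UV (PIN or fingerprint) flags the key reports. The function names and sample bytes are constructed for illustration; a real verifier also checks the RP ID hash, challenge, origin and signature.

```javascript
// Added example (not from the thread, not Vanguard's code).
// WebAuthn authenticatorData layout:
//   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
const FLAG_UP = 0x01; // bit 0: user present (the touch)
const FLAG_UV = 0x04; // bit 2: user verified (PIN or fingerprint)

const UV_POLICIES = ['required', 'preferred', 'discouraged'];

// Options a site would pass to navigator.credentials.get({ publicKey: ... }).
// "preferred" is the WebAuthn default; whether a PIN prompt then appears is
// left to the browser and the key, which is why users can see different prompts.
function buildRequestOptions(challenge, userVerification) {
  if (!UV_POLICIES.includes(userVerification)) {
    throw new Error('unknown userVerification value: ' + userVerification);
  }
  return { challenge, userVerification, timeout: 60000 };
}

// Parse the fixed 37-byte header of authenticatorData.
function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error('authenticatorData too short');
  }
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = bytes[32];
  return {
    rpIdHash: bytes.slice(0, 32),
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33), // big-endian by default
  };
}

// Server-side policy decision for one login response.
// Only the UP/UV policy is covered here; signature, challenge, origin and
// rpIdHash checks are assumed to happen elsewhere.
function evaluateAssertion(authData, userVerification) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) {
    return { accepted: false, factors: 'none', reason: 'no touch (UP flag clear)' };
  }
  const factors = parsed.userVerified ? 'touch + PIN' : 'touch only';
  if (userVerification === 'required' && !parsed.userVerified) {
    return { accepted: false, factors, reason: 'site requires PIN but UV flag is clear' };
  }
  return { accepted: true, factors, reason: 'ok' };
}

// Constructed sample data: zeroed rpIdHash, chosen flags, chosen counter.
function makeAuthData({ up, uv, signCount }) {
  const bytes = new Uint8Array(37);
  bytes[32] = (up ? FLAG_UP : 0) | (uv ? FLAG_UV : 0);
  new DataView(bytes.buffer).setUint32(33, signCount);
  return bytes;
}

// Two users, same site, different experience:
const keyWithPin = makeAuthData({ up: true, uv: true, signCount: 12 });
const keyWithoutPin = makeAuthData({ up: true, uv: false, signCount: 5 });

function demo() {
  const rows = [];
  for (const policy of UV_POLICIES) {
    rows.push([policy, 'PIN entered', evaluateAssertion(keyWithPin, policy)]);
    rows.push([policy, 'touch only', evaluateAssertion(keyWithoutPin, policy)]);
  }
  return rows;
}

for (const [policy, what, result] of demo()) {
  console.log(policy.padEnd(12), what.padEnd(12), result.accepted, '-', result.reason);
}
```

Under `preferred` or `discouraged` both responses are accepted, so one user can be prompted for a PIN while another is not; only `required` makes the PIN mandatory.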
boglesmind
Posts: 310
Joined: Sun Jan 05, 2014 1:07 pm

Re: Vanguard: Upgrading Yubikeys - SUCCESS

Post by boglesmind »

A while ago: YubiKey registered with Vanguard previously. I *had* used the YubiKey manager app on Windows 10 to set up a PIN for FIDO2 protocol (don't remember why I did it --- it was so long ago --- I believe it was required by YubiKey app when I first configured the yubikey (usb c) using the app). Had saved the FIDO2 PIN in a password manager.

Now: Logged into Vanguard with Yubikey as usual ( NO PIN required, just touching the key is enough) and was prompted to upgrade/reregister the key. Went thru the steps (without deleting the key first) and was successful in doing so. NO PIN was requested by Vanguard. I saw an interesting note in this process which said that I could use some android phones as 2FA.

Intrigued, I logged into Vanguard using YubiKey first and then removed the key physically from the USB slot. Then started to ADD a security key to Vanguard using Chrome/Brave/Firefox on Windows10. Where Vanguard site says insert the security key, hit cancel and then 2 options appear - one of them allows one to use an Android phone as your security key. Some Google Pixel phones have built-in Titan security chip made by Google and it can do the FIDO2 authentication. When I select this option, Vanguard shows a QR code and in small print below it says "use your camera app or QR code reader". NOTE: it does NOT say use Google Authenticator app since it cannot be used. So, I use the camera app on my phone to scan the QR code and sure enough a FIDO2: url appears below the image in the camera app itself. Touch it and the phone now shows "Enter PIN" and Vanguard wants to authenticate you. Most frustrating part is trying ALL FIDO2 pins I have ever set and nothing worked. Cancelled the process and retried over two days multiple times leading to more frustration. Today, I thought about this more: Since I have NOT set up a PIN with Vanguard, the PIN request is NOT coming from Vanguard. Vanguard is simply trying to ensure you are using the phone and not someone else, how do you prove you are using the phone? Tried screen lock PIN at this stage and SUCCESS! The process went thru and my phone was added as a second security key. So it was the FIDO2 url trying to ensure it was I who was using the phone and asking for screen lock PIN without saying so!

Boglesmind
boglesmind
Posts: 310
Joined: Sun Jan 05, 2014 1:07 pm

Re: Vanguard: Upgrading Yubikeys

Post by boglesmind »

Fremdon Ferndock wrote: Tue Aug 02, 2022 7:27 pm I guess I just did this with a Mac running Chrome. Only I deleted my Yubi and then re-registered it from scratch. I presume this worked since I've not seen anything to the contrary. Now I have to enter the PIN for the Yubi each time I log on. I didn't have to do that before. Is that a feature of Fido2? If so, I don't like it. Don't see the point either, because you can just opt for a text code to log in, so if somebody doesn't know the Yubi PIN that is no deterrent.
We use Windows 10 Chrome/Brave/Firefox browser. Vanguard didn't ask for a PIN after re-registering and using Yubikey (usb-c version).

Boglesmind
boglesmind
Posts: 310
Joined: Sun Jan 05, 2014 1:07 pm

Re: Vanguard: Upgrading Yubikeys

Post by boglesmind »

wmvink wrote: Wed Aug 03, 2022 9:49 am I tried Chrome and Edge and both failed.

With the Yubikey, I basically get into a loop where it takes me back to the "Name your key" page after walking through the Windows-based set up. It's an endless loop.

With the Android phone option, Google Authenticator says "Cannot interpret QR code".

I figured I'd post this here and see if others have had the same issues before I reach out to Vanguard.
Use Google camera app to scan the QR code which will show you a FIDO2 URL that you touch or click. Authenticator app does more than scan QR code.

Boglesmind
boglesmind
Posts: 310
Joined: Sun Jan 05, 2014 1:07 pm

Re: Vanguard: Upgrading Yubikeys

Post by boglesmind »

MrJedi wrote: Wed Aug 03, 2022 12:48 pm
Diluted Waters wrote: Tue Aug 02, 2022 8:16 pm
Fremdon Ferndock wrote: Tue Aug 02, 2022 7:27 pm I guess I just did this with a Mac running Chrome. Only I deleted my Yubi and then re-registered it from scratch. I presume this worked since I've not seen anything to the contrary. Now I have to enter the PIN for the Yubi each time I log on. I didn't have to do that before. Is that a feature of Fido2? If so, I don't like it. Don't see the point either, because you can just opt for a text code to log in, so if somebody doesn't know the Yubi PIN that is no deterrent.
I reregistered my Yubikey 5 NFCs from the link associated with the sign-on notice, but am puzzled by some reporting the need to now enter a PIN when signing on. I don't have to do that and I was not asked to supply a PIN when I re-registered. Any ideas why it's working differently for my keys than others?

-DW
Did you ever set a PIN on your Yubikey with the manager?
Good question. Am not DW but I too HAD set a PIN for the YubiKey long ago using yubikey manager app when I first got the YubiKey.
boglesmind
Posts: 310
Joined: Sun Jan 05, 2014 1:07 pm

Re: Vanguard: Upgrading Yubikeys

Post by boglesmind »

Fremdon Ferndock wrote: Wed Aug 03, 2022 8:11 am
Diluted Waters wrote: Tue Aug 02, 2022 8:16 pm
Fremdon Ferndock wrote: Tue Aug 02, 2022 7:27 pm I guess I just did this with a Mac running Chrome. Only I deleted my Yubi and then re-registered it from scratch. I presume this worked since I've not seen anything to the contrary. Now I have to enter the PIN for the Yubi each time I log on. I didn't have to do that before. Is that a feature of Fido2? If so, I don't like it. Don't see the point either, because you can just opt for a text code to log in, so if somebody doesn't know the Yubi PIN that is no deterrent.
I reregistered my Yubikey 5 NFCs from the link associated with the sign-on notice, but am puzzled by some reporting the need to now enter a PIN when signing on. I don't have to do that and I was not asked to supply a PIN when I re-registered. Any ideas why it's working differently for my keys than others?

-DW
Yeh, I'd like to know that. Vanguard doesn't provide any information and this is an obscure subject. Really annoying. The PIN I have to enter is the Yubi Pin. I use the Yubi on other websites and don't have to enter a PIN. I guess this is somehow related to Fido2 but I forgot to take that course in grad school. Ahhhhhhhhhhhh!!!!!!!!!!!!!
There is a reddit thread on Yubikey, FIDO2 protocol etc.
Reddit thread
YubiCO FAQ
FIDO2 Multi-factor authentication

Boglesmind
n00b
Posts: 133
Joined: Sun Feb 03, 2013 8:36 pm

Re: Vanguard: Upgrading Yubikeys

Post by n00b »

I found, after updating my Yubikeys on the Vanguard site, that DW got an error trying to update hers in the same browser (Chrome on Mac). She was able to get in and update her Yubikeys by using a different browser, perhaps in incognito mode -- I don't recall. The second browser was probably Opera on Mac.
Grasshopper
Posts: 1157
Joined: Sat Oct 09, 2010 3:52 pm

Re: Vanguard: Upgrading Yubikeys

Post by Grasshopper »

Thanks, yes incognito mode allowed me to register my 3 keys.
PizzaEater
Posts: 69
Joined: Wed Apr 10, 2019 1:35 pm

Re: Vanguard: Upgrading Yubikeys

Post by PizzaEater »

I was finally able to re-register my 2 Yubikeys using the de-register and register trick. But it was a multi-day process:

Wife's account: We were able to re-register the 2 Yubikeys no problem (without de-registering first). SMS is still disabled in account settings (though when logging in to her account there is a link that we could presumably use to send an SMS code if the Yubikey is unavailable - we haven't tried it).

My account: Yesterday, in order to de-register 1 of the 2 Yubikeys I re-enabled SMS authentication. Then I de-registered 1 Yubikey and then registered it. Then I went to de-register the 2nd Yubikey, and oops, now I can't access the "old" Yubikey interface. After some internet searching I finally found the URL and just pasted it directly into my browser (sorry I didn't save it...). This let me then de-register the 2nd key. Ok now to register it again... that worked. Next step go back and disable SMS, right? Well I did that, logged in again, and this time it didn't ask for a Yubikey - it just logged in and then immediately told me I need to enable SMS. So I did that. Now it tells me I have no Yubikeys registered. So I try to register key #1 and I get an error message that that key is already registered - even though Vanguard's site doesn't list any keys already registered. Logging out and logging back in it requires SMS authentication. I figured I confused the poor system and need to wait a day.

Today: Log in again (with SMS) and go to register Yubikey #1: success! Then register Yubikey #2: success! Logging back out and in again, I can use the Yubikey. Trying to turn off SMS: it won't let me! I figure the poor system is confused again so rather than mess up my account I'll wait until Monday to try to turn off SMS (while leaving the 2 Yubikeys enabled).
Fremdon Ferndock
Posts: 553
Joined: Fri Dec 24, 2021 12:26 pm

Re: Vanguard: Upgrading Yubikeys

Post by Fremdon Ferndock »

I believe I may have found a solution to having the extra step of having to key in the Yubi PIN when I log in to Vanguard. This all started when I re-registered the Yubi on Vanguard. When re-registering, I was interrogated for a FIDO2 PIN. I had no idea what the PIN was - didn't even know I had one so I used Yubi Manager to reset and create a new one I knew. Then after re-registering the key, I had to enter the PIN every time I logged onto Vanguard.

I got to thinking that maybe having a FIDO2 PIN in the first place was the problem. If a FIDO2 PIN is set, the Yubi asks for it when logging on with FIDO2. So, I used Manager to reset the Yubi and wipe out the FIDO2 PIN. Then I de-registered and re-registered the Yubi on Vanguard. So far at least, I'm not being interrogated for a PIN by the Yubi when I log on. Tried it a couple times, but didn't want to do any more testing right now and possibly get locked out of Vanguard for too many sequential logins.

So, if you are having this same issue and want to get rid of it, just use Yubi Manager to reset the Yubi and wipe out the PIN. Then re-register the key without a PIN on Vanguard. Some people might actually like having a PIN, however, because it provides the extra security that the Yubi can't be used without knowing the Yubi PIN. For me, I figured the chances of someone having access to my physical Yubi were pretty minimal so I'd rather not deal with that extra step each time I'm logging on.
"Risk is what’s left over when you think you’ve thought of everything." ~ Morgan Housel
increment
Posts: 1046
Joined: Tue May 15, 2018 2:20 pm

Re: Vanguard: Upgrading Yubikeys

Post by increment »

Fremdon Ferndock wrote: Fri Aug 05, 2022 9:43 am So, if you are having this same issue and want to get rid of it, just use Yubi Manager to reset the Yubi and wipe out the PIN. Then re-register the key without a PIN on Vanguard.
Yubico support warns, "If you are being prompted for a FIDO2 [PIN] and don't know what it is, you will need to reset the YubiKey's FIDO2 function to blank/reset the PIN. Be advised! - this procedure will effectively unregister the key with every account it has been registered with using FIDO U2F or FIDO2, so we strongly recommend taking precautionary measures (see below) prior to resetting."

So be careful if you have registered your key anywhere else (e.g., id.me).
Fremdon Ferndock
Posts: 553
Joined: Fri Dec 24, 2021 12:26 pm

Re: Vanguard: Upgrading Yubikeys

Post by Fremdon Ferndock »

increment wrote: Fri Aug 05, 2022 9:58 am
Fremdon Ferndock wrote: Fri Aug 05, 2022 9:43 am So, if you are having this same issue and want to get rid of it, just use Yubi Manager to reset the Yubi and wipe out the PIN. Then re-register the key without a PIN on Vanguard.
Yubico support warns, "If you are being prompted for a FIDO2 [PIN] and don't know what it is, you will need to reset the YubiKey's FIDO2 function to blank/reset the PIN. Be advised! - this procedure will effectively unregister the key with every account it has been registered with using FIDO U2F or FIDO2, so we strongly recommend taking precautionary measures (see below) prior to resetting."

So be careful if you have registered your key anywhere else (e.g., id.me).
Yes, for sure. If you reset the key, it will render it unusable at all sites where it was registered. :oops:
"Risk is what’s left over when you think you’ve thought of everything." ~ Morgan Housel
StevieG72
Posts: 1667
Joined: Wed Feb 05, 2014 9:00 pm

Re: Vanguard: Upgrading Yubikeys

Post by StevieG72 »

This happened to me when I first got a Yubikey. If my memory serves me correctly I simply was not following the guideline for using 6 characters to name the Yubikey. Now the site did not point out this as being the error, it just gave me the failed message / contact Vanguard.

I just updated mine, no issues.
Fools think their own way is right, but the wise listen to others.