Vanguard's new security key option

Topic Author
pragmatist
Posts: 31
Joined: Sat Sep 10, 2016 8:46 pm

Vanguard's new security key option

Post by pragmatist »

Hey everyone,

I just noticed a new "security key" option in the account maintenance page. It appears that Vanguard now supports hardware multi-factor authentication using Yubikey, though you have to purchase them elsewhere.

Pragmatist
lostdog
Posts: 5361
Joined: Thu Feb 04, 2016 1:15 pm

Re: Vanguard's new security key option

Post by lostdog »

This is wonderful. I use a yubikey for my Google account.
Stocks-80% || Bonds-20% || VTI/VXUS/AOR
Topic Author
pragmatist
Posts: 31
Joined: Sat Sep 10, 2016 8:46 pm

Re: Vanguard's new security key option

Post by pragmatist »

The newer ones can be quite expensive, but they can be used for multiple websites. It seems the improvement from SMS to hardware may be worth it, though Vanguard makes you retain SMS as a backup, at least for now.

Pragmatist
Mav
Posts: 42
Joined: Tue Jan 05, 2016 9:55 pm

Re: Vanguard's new security key option

Post by Mav »

There are multiple articles in the news about how relatively easy it is to hack/change SIM cards and, thus, re-route where SMS is going. People call the provider and pretend that they lost/damaged their phone and ask the provider to activate a new SIM card. With Yubikey, it's virtually impossible.
lostdog
Posts: 5361
Joined: Thu Feb 04, 2016 1:15 pm

Re: Vanguard's new security key option

Post by lostdog »

I just enabled my key. Flawless setup.

I wonder if this can retract some investors from tinkering with their account.
Stocks-80% || Bonds-20% || VTI/VXUS/AOR
grok87
Posts: 10512
Joined: Tue Feb 27, 2007 8:00 pm

Re: Vanguard's new security key option

Post by grok87 »

Pretty cool.

Does anybody else do this like fidelity?
RIP Mr. Bogle.
dbc47
Posts: 484
Joined: Thu Mar 01, 2007 10:02 am

Re: Vanguard's new security key option

Post by dbc47 »

Any recommendations on which model Yubikey to get? There are 4 models or so that seem to work but I can't figure out the difference and pricing varies between models too. I've just checked Amazon so far as a starting point.

Dan
:happy
lostdog
Posts: 5361
Joined: Thu Feb 04, 2016 1:15 pm

Re: Vanguard's new security key option

Post by lostdog »

Stocks-80% || Bonds-20% || VTI/VXUS/AOR
heartwood
Posts: 2683
Joined: Sat Nov 23, 2013 12:40 pm

Re: Vanguard's new security key option

Post by heartwood »

Is there a link to an explanation of why Yubikey is preferable to the current 2-factor method of receiving a code?
jebmke
Posts: 25273
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Vanguard's new security key option

Post by jebmke »

heartwood wrote:Is there a link to an explanation of why Yubikey is preferable to the current 2-factor method of receiving a code?
I can think of two reasons. One, if your phone is hacked, the text could be intercepted. Two, if your phone is stolen and someone uses it to access your account, they have the destination end of the second factor.
Stay hydrated; don't sweat the small stuff
Afty
Posts: 2387
Joined: Sun Sep 07, 2014 5:31 pm

Re: Vanguard's new security key option

Post by Afty »

heartwood wrote:Is there a link to an explanation of why Yubikey is preferable to the current 2-factor method of receiving a code?
There are a few reasons:

1) It's easy to pretend to be someone else and convince the telephone company to send your SMSes somewhere else. See https://www.wired.com/2016/06/hey-stop- ... ntication/

2) SMS and other numeric one-time pass codes are vulnerable to replay attacks. An attacker could spoof the Vanguard home page, collect your username, password, and one-time pass code, and then log in as you.

A Yubikey is not vulnerable to replay. The server sends a unique challenge and the Yubikey encrypts it. In the phishing scenario, if the attacker tried to log in with your credentials, the challenge would be different and the token would be invalid.
FlyingMoose
Posts: 630
Joined: Wed Mar 04, 2009 9:48 pm

Re: Vanguard's new security key option

Post by FlyingMoose »

Afty wrote:
heartwood wrote:Is there a link to an explanation of why Yubikey is preferable to the current 2-factor method of receiving a code?
There are a few reasons:

1) It's easy to pretend to be someone else and convince the telephone company to send your SMSes somewhere else. See https://www.wired.com/2016/06/hey-stop- ... ntication/

2) SMS and other numeric one-time pass codes are vulnerable to replay attacks. An attacker could spoof the Vanguard home page, collect your username, password, and one-time pass code, and then log in as you.

A Yubikey is not vulnerable to replay. The server sends a unique challenge and the Yubikey encrypts it. In the phishing scenario, if the attacker tried to log in with your credentials, the challenge would be different and the token would be invalid.
That's all well and good, but since Vanguard still requires you to leave the SMS option enabled, this doesn't protect you from (1) above. Also I don't understand how this protects you from (2), they could still be a man-in-the-middle even if you're using a token like this. It seems more like just a convenience because it's quicker than entering a code from a text message.
moshe
Posts: 565
Joined: Thu Dec 12, 2013 12:18 pm
Location: Boston, MA

Re: Vanguard's new security key option

Post by moshe »

It would be nice if they also supported, as fidelity does, the Symantec VIP app that runs on my phone. One less thing to lose.

~Moshe
My money has no emotions. ~Moshe | | I'm the world's greatest expert on my own opinion. ~Bruce Williams
bobcat2
Posts: 6074
Joined: Tue Feb 20, 2007 2:27 pm
Location: just barely Outside the Beltway

Re: Vanguard's new security key option

Post by bobcat2 »

I use a Yubikey for LastPass and some other applications. When I tried to use the Yubikey option at Vanguard it failed to initiate. Also my Yubikey failed to work on LastPass until I rebooted.

What can I say? More excellent work from Vanguard. :annoyed

BobK
In finance risk is defined as uncertainty that is consequential (nontrivial). | The two main methods of dealing with financial risk are the matching of assets to goals & diversifying.
Mav
Posts: 42
Joined: Tue Jan 05, 2016 9:55 pm

Re: Vanguard's new security key option

Post by Mav »

I'm interested in learning the difference among the versions of yubikey, what people are actually using. I noted Amazon sells other "keys" as well, like FIDO. It seems yubikey has more "history," more proven.

Also, I googled yubikey alternatives:

https://news.ycombinator.com/item?id=11690774
https://www.reddit.com/r/linux/comments ... omponents/
https://news.ycombinator.com/item?id=10888186
Afty
Posts: 2387
Joined: Sun Sep 07, 2014 5:31 pm

Re: Vanguard's new security key option

Post by Afty »

FlyingMoose wrote:
Afty wrote:
heartwood wrote:Is there a link to an explanation of why Yubikey is preferable to the current 2-factor method of receiving a code?
There are a few reasons:

1) It's easy to pretend to be someone else and convince the telephone company to send your SMSes somewhere else. See https://www.wired.com/2016/06/hey-stop- ... ntication/

2) SMS and other numeric one-time pass codes are vulnerable to replay attacks. An attacker could spoof the Vanguard home page, collect your username, password, and one-time pass code, and then log in as you.

A Yubikey is not vulnerable to replay. The server sends a unique challenge and the Yubikey encrypts it. In the phishing scenario, if the attacker tried to log in with your credentials, the challenge would be different and the token would be invalid.
That's all well and good, but since Vanguard still requires you to leave the SMS option enabled, this doesn't protect you from (1) above. Also I don't understand how this protects you from (2), they could still be a man-in-the-middle even if you're using a token like this. It seems more like just a convenience because it's quicker than entering a code from a text message.
Well, that's not good if Vanguard is requiring SMS 2-factor.

#2 is about replay attacks, not man in the middle. Man in the middle is prevented by HTTPS. Replay is when the attacker gains access to your authentication tokens and can just reuse them to authenticate on an entirely different system and/or session.
vanguardinvestor915
Posts: 1
Joined: Sun Jan 01, 2017 11:19 am

Re: Vanguard's new security key option

Post by vanguardinvestor915 »

I found a comparison of the different YubiKeys here: https://www.yubico.com/products/yubikey-hardware/

YUBIKEY NEO is a little older, but offers NFC for use with logging into sites with your smartphone.

YUBIKEY 4 is a newer model, offers stronger and faster encryption, but lacks NFC, if you need that.

The FIDO U2F SECURITY KEY offers only one type of authentication: Fido U2F. The other keys offer several other types in addition to Fido U2F and may be used for other sites and services besides Vanguard, such as LastPass.
beyou
Posts: 6868
Joined: Sat Feb 27, 2010 2:57 pm
Location: If you can make it there

Re: Vanguard's new security key option

Post by beyou »

moshe wrote:It would be nice if they also supported, as fidelity does, the Symantec VIP app that runs on my phone. One less thing to lose.

~Moshe
Etrade was using Symantec VIP in the past. I found that convenient when they moved from hardware (RSA) to software solution.
I have used RSA software too, works similarly to Symantec.

Personally I feel we are moving to a single device world and I simply don't want to carry multiple devices.
Symantec or RSA software solutions are both options I would use, but not getting any more hardware tokens.
Too inconvenient. Security is a tradeoff with convenience and I feel 2FA of almost any kind is adding security,
but if the solution makes it very difficult for me to access my account (such as not bringing the fob with me)
not going to use it long.
evestor
Posts: 184
Joined: Sat Feb 21, 2015 4:37 pm

Re: Vanguard's new security key option

Post by evestor »

Love that Vanguard is investing here but oh my do I wish they made another choice.
I will use this because I'm in the software security business so I do anything I can to protect my stuff. But this is a sure fire way to fail.
Best case this is used by a small # of people, ie we only helped a small # of people.
Worst case this is used by a small # of people and then deprecated by Vanguard because there was not much adoption.

They need to have a mass market play too, a la one of the GOOG authenticator app or whatever they choose. Something that runs off of my phone. Supporting this for the propeller heads like me is fine, but it can't be what we ask most users to use. And we need to protect most users.

Alternatively, this all changes if we see a great option appear that enables this form factor in a software token on the phone...
random_walker_77
Posts: 2207
Joined: Tue May 21, 2013 8:49 pm

Re: Vanguard's new security key option

Post by random_walker_77 »

I'm also really glad to see this. I think they should offer to give one of these hw keys to every one of their voyager and flagship customers -- it'd be a really nice marketing gesture and offer real value.

I'm a little torn on phone-based apps. What if your phone is stolen? On the other hand, it avoids sms interception and is probably "good enough." Still, something like this is nice for peace of mind when you have > voyager level assets at Vanguard.
xystici
Posts: 320
Joined: Thu Nov 19, 2009 3:40 pm
Location: San Diego, Boston & Barcelona

Re: Vanguard's new security key option

Post by xystici »

what happens if you lose your key?
Trust yourself, Break the rules, Don't be afraid to fail, Don't listen to naysayers, Work your butt off. "It is in your moments of decision that your destiny is shaped. Choose now and well"
evestor
Posts: 184
Joined: Sat Feb 21, 2015 4:37 pm

Re: Vanguard's new security key option

Post by evestor »

random_walker_77 wrote:I'm also really glad to see this. I think they should offer to give one of these hw keys to every one of their voyager and flagship customers -- it'd be a really nice marketing gesture and offer real value.

I'm a little torn on phone-based apps. What if your phone is stolen? On the other hand, it avoids sms interception and is probably "good enough." Still, something like this is nice for peace of mind when you have > voyager level assets at Vanguard.
SMS + what you know is probably how to do over the web reset, if you choose to support that at all. If I were Vanguard I would do SMS + what you know + force them on to the phone with a human for reset.

As for the key/phone based form factor...this isn't perfection, it's the best option. :) Are we better off with hw keys used by ~10K people or a phone based authenticator in use by ~millions? I would submit this is a non-choice. We want to protect as many people as we can.
Losing your phone can be mitigated, ex: forcing phone pin or app pin or still requiring something you know at login to go with the phone pin (as Fidelity does) or...the list goes on.
mpsz
Posts: 516
Joined: Sat Jan 09, 2016 6:11 pm

Re: Vanguard's new security key option

Post by mpsz »

I'm really disappointed that you have to leave SMS on. This doesn't increase security at all.
nyclon
Posts: 660
Joined: Fri Oct 02, 2015 5:30 pm

Re: Vanguard's new security key option

Post by nyclon »

grok87 wrote:Pretty cool.

Does anybody else do this like fidelity?
I've been using this with Etrade for years. Incredible peace of mind.
boater07
Posts: 785
Joined: Sun Apr 15, 2007 7:44 pm
Location: Northwest

Re: Vanguard's new security key option

Post by boater07 »

Is there any hope for computer challenged??
This really hit home when the sharing of passwords came up in another post. Vanguard confirmed husband/wife
cannot even share passwords even with agent authorization in place. That has allowed me to handle her affairs
like RMDs etc. However, wife is unable to do the same since she has log in issues.
Some of the comments above like using aggregators seem to me would also violate sharing passwords.

Is V driving Seniors away? I'll be voicing my concern to them this week.
jds13
Posts: 9
Joined: Mon Mar 03, 2014 1:50 pm

Re: Vanguard's new security key option

Post by jds13 »

In addition to the hacking problems, it's usually possible to read incoming SMS messages without unlocking a phone. That's why NIST has recommended that SMS not be used in two-factor authentication. [NIST Special Publication 800-63B]

If you want to use a Yubikey to secure your Vanguard (and Google) accounts, there's no reason to get anything other than the $18 "FIDO U2F SECURITY KEY." The added features of the other devices are not used. Get two and keep one in a safe place in case you lose your primary key. You can register several keys on your Vanguard account. The same key can be used on multiple accounts, so you and your spouse can act as each other's backup.

Currently Vanguard does not support the $10 HyperFIDO U2F.

Rather than using the proprietary Symantec VIP system, it would be nice if Vanguard supported the free, simple RFC 6238 "time-based one-time password" system as implemented in Google Authenticator and many other desktop and mobile apps. This mechanism is used by Google, Microsoft, Amazon, Dropbox, Wordpress, Github, Facebook, Rackspace, and many many others.

BTW, I'm a senior :-/
Last edited by jds13 on Mon Jan 02, 2017 12:24 pm, edited 1 time in total.
evestor
Posts: 184
Joined: Sat Feb 21, 2015 4:37 pm

Re: Vanguard's new security key option

Post by evestor »

jds13 wrote:Rather than using the proprietary Symantec VIP system, it would be nice if Vanguard supported the free, simple RFC 6238 "time-based one-time password" system as implemented in Google Authenticator and many other desktop and mobile apps. This mechanism is used by Google, Microsoft, Amazon, Dropbox, Wordpress, Github, Facebook, Rackspace, and many many others.
I'm glad you like it. I helped to build that. :)

FWIW I agree with you. Leaning on existing mechanisms for this stuff is best.
Avoiding SMS is hard. Everyone needs a lost OTP device story, and the best we have in the industry right now is SMS + what you know, at least at scale. Forcing the person on to the phone makes it a step harder still, at least making it hard to attack users at scale (one off still on the docket).

This stuff is super hard. We're trying to bootstrap trust in to a world where none existed to start, and on top of this users do not want ANY level of inconvenience.
stan1
Posts: 14235
Joined: Mon Oct 08, 2007 4:35 pm

Re: Vanguard's new security key option

Post by stan1 »

When you register for this service, your key will become your primary method of identifying yourself (along with your user name and password) when you log on to vanguard.com from a computer. It will replace security codes, a service that sends you a one-time code to enter when you log on. You'll need to register for both security codes and security keys, however. That's because keys and codes go hand in hand—if you lose your key or don't have it, we'll need to send you a code in order for you to log on. In addition, you'll always need a code to access your accounts from a mobile device.
Unless I'm misunderstanding the above statement from Vanguard's website, if you call them and say you've lost your key or don't have it they will send you a text message for access which means it is no more secure than an SMS code. Anyone read this differently?
Warning: I am about 80% satisficer (accepting of good enough) and 20% maximizer
jds13
Posts: 9
Joined: Mon Mar 03, 2014 1:50 pm

Re: Vanguard's new security key option

Post by jds13 »

This stuff is super hard. We're trying to bootstrap trust in to a world where none existed to start, and on top of this users do not want ANY level of inconvenience.
Right! Thanks for pointing that out! Any two-factor authentication is a huge improvement, and FIDO U2F is the gold standard. Kudos and thanks to Vanguard for being a leader in pushing security to a whole better level for those who are willing to take advantage.

Vanguard surely has millions of customers with passwords like "123456" and "passw0rd", who use unsecured public networks, who go through password recovery every time they log into their accounts. The paranoid worry about FIDO hacking and second-factor integrity, but the real problem is the 98% of customers who are totally unaware.
FlyingMoose
Posts: 630
Joined: Wed Mar 04, 2009 9:48 pm

Re: Vanguard's new security key option

Post by FlyingMoose »

stan1 wrote:
When you register for this service, your key will become your primary method of identifying yourself (along with your user name and password) when you log on to vanguard.com from a computer. It will replace security codes, a service that sends you a one-time code to enter when you log on. You'll need to register for both security codes and security keys, however. That's because keys and codes go hand in hand—if you lose your key or don't have it, we'll need to send you a code in order for you to log on. In addition, you'll always need a code to access your accounts from a mobile device.
Unless I'm misunderstanding the above statement from Vanguard's website, if you call them and say you've lost your key or don't have it they will send you a text message for access which means it is no more secure than an SMS code. Anyone read this differently?
You would use SMS to log in the same as if you didn't have a Yubikey. You can't disable the SMS option. So you're correct, it's no more secure, since both options are available to an attacker.
grok87
Posts: 10512
Joined: Tue Feb 27, 2007 8:00 pm

Re: Vanguard's new security key option

Post by grok87 »

nyclon wrote:
grok87 wrote:Pretty cool.

Does anybody else do this like fidelity?
I've been using this with Etrade for years. Incredible peace of mind.
thanks
RIP Mr. Bogle.
bertilak
Posts: 10711
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Vanguard's new security key option

Post by bertilak »

This looked interesting so I looked at Vanguard's website and it says my browser is not supported. I use one of the most popular browsers: Firefox!
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
munemaker
Posts: 4338
Joined: Sat Jan 18, 2014 5:14 pm

Re: Vanguard's new security key option

Post by munemaker »

boater07 wrote:Vanguard confirmed husband/wife cannot even share passwords even with agent authorization in place.
There must be some mistake. We do it all the time.
evestor
Posts: 184
Joined: Sat Feb 21, 2015 4:37 pm

Re: Vanguard's new security key option

Post by evestor »

jds13 wrote:Right! Thanks for pointing that out! Any two-factor authentication is a huge improvement, and FIDO U2F is the gold standard. Kudos and thanks to Vanguard for being a leader in pushing security to a whole better level for those who are willing to take advantage.

Vanguard surely has millions of customers with passwords like "123456" and "passw0rd", who use unsecured public networks, who go through password recovery every time they log into their accounts. The paranoid worry about FIDO hacking and second-factor integrity, but the real problem is the 98% of customers who are totally unaware.
If they do, shame on them. Modern authentication systems prevent this even if they don't have good TFA schemes.
But your point is the same and it is valid. Most of these services are horrifically insecure.

Having been in this business, it is one thing to offer more secure options but quite another to get everyone using them. The latter is HARD. But if you want to protect millions of people, it's the only choice. Otherwise you are only able to say to the person who got hacked "geez, if you had only asked a nerd what to do, what you would have done is..."
TIAX
Posts: 1433
Joined: Sat Jan 11, 2014 11:19 am

Re: Vanguard's new security key option

Post by TIAX »

random_walker_77 wrote:I'm also really glad to see this. I think they should offer to give one of these hw keys to every one of their voyager and flagship customers -- it'd be a really nice marketing gesture and offer real value.

I'm a little torn on phone-based apps. What if your phone is stolen? On the other hand, it avoids sms interception and is probably "good enough." Still, something like this is nice for peace of mind when you have > voyager level assets at Vanguard.
Agree, it would be a nice gesture and I doubt too many users would ask for it so it wouldn't cost Vanguard very much.
Afty
Posts: 2387
Joined: Sun Sep 07, 2014 5:31 pm

Re: Vanguard's new security key option

Post by Afty »

FWIW, Google recently published a paper on their switch from OTPs to U2F (security keys) for all employees. The switch was a huge success, reducing account compromises while improving usability. (I acknowledge that Google employees are a very different user population than Vanguard customers.)

http://fc16.ifca.ai/preproceedings/25_Lang.pdf
Topic Author
pragmatist
Posts: 31
Joined: Sat Sep 10, 2016 8:46 pm

Re: Vanguard's new security key option

Post by pragmatist »

It's a bummer about the need to preserve the sms option. I think they clearly are trying to avoid higher call volume by making sms authentication always available for login. The key option is nice anyway. The key can be configured to add a long (15+ char) static password that I don't know, which I combine with a shorter password that I manually type as a prefix.

Does anyone have an example of a brokerage with better security features?
oldcomputerguy
Moderator
Posts: 17878
Joined: Sun Nov 22, 2015 5:50 am
Location: Tennessee

Re: Vanguard's new security key option

Post by oldcomputerguy »

In looking at Yubico's web site, I'm a bit confused. Their sales blurbs state that "no drivers or software" are necessary to use the FIDO U2F key; however, also according to their site:
You may experience a slight delay when registering a key for the first time, as your computer will need to install the driver software.
That bit about "install the driver software" would seem to imply a requirement for Microsoft Windows, and I absolutely refuse to do any online financial work using Windows.
There is only one success - to be able to spend your life in your own way. (Christopher Morley)
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Vanguard's new security key option

Post by Epsilon Delta »

FlyingMoose wrote:
Afty wrote: 2) SMS and other numeric one-time pass codes are vulnerable to replay attacks. An attacker could spoof the Vanguard home page, collect your username, password, and one-time pass code, and then log in as you.

A Yubikey is not vulnerable to replay. The server sends a unique challenge and the Yubikey encrypts it. In the phishing scenario, if the attacker tried to log in with your credentials, the challenge would be different and the token would be invalid.
Also I don't understand how this protects you from (2), they could still be a man-in-the-middle even if you're using a token like this. It seems more like just a convenience because it's quicker than entering a code from a text message.
Roughly: part of the handshaking is that the Yubikey encrypts the certificate your browser is using to identify Vanguard and sends it to Vanguard. Vanguard can then check that it is the correct certificate.

A man-in-the-middle cannot communicate with you using Vanguard's certificate since only Vanguard has Vanguard's private key. A man-in-the-middle cannot sign Vanguard's certificate with your private key since only the Yubikey knows your private key.
Flymore
Posts: 345
Joined: Tue May 31, 2016 1:31 pm

Re: Vanguard's new security key option

Post by Flymore »

blevine wrote:
moshe wrote:It would be nice if they also supported, as fidelity does, the Symantec VIP app that runs on my phone. One less thing to lose.

~Moshe
Etrade was using Symantec VIP in the past. I found that convenient when they moved from hardware (RSA) to software solution.
I have used RSA software too, works similarly to Symantec.

Personally I feel we are moving to a single device world and I simply don't want to carry multiple devices.
Symantec or RSA software solutions are both options I would use, but not getting any more hardware tokens.
Too inconvenient. Security is a tradeoff with convenience and I feel 2FA of almost any kind is adding security,
but if the solution makes it very difficult for me to access my account (such as not bringing the fob with me)
not going to use it long.
Updated my Etrade account to use Symantec VIP when I saw it mentioned on this board.
Downloaded the free app to my phone, works great. Just suffix the number generated to my password.
Would be nice to have this for Vanguard too.
Flymore
Posts: 345
Joined: Tue May 31, 2016 1:31 pm

Re: Vanguard's new security key option

Post by Flymore »

smartinwate wrote:In looking at Yubico's web site, I'm a bit confused. Their sales blurbs state that "no drivers or software" are necessary to use the FIDO U2F key; however, also according to their site:
You may experience a slight delay when registering a key for the first time, as your computer will need to install the driver software.
That bit about "install the driver software" would seem to imply a requirement for Microsoft Windows, and I absolutely refuse to do any online financial work using Windows.

I second that!!!!!!!
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Vanguard's new security key option

Post by Epsilon Delta »

random_walker_77 wrote:I'm also really glad to see this. I think they should offer to give one of these hw keys to every one of their voyager and flagship customers -- it'd be a really nice marketing gesture and offer real value.

I'm a little torn on phone-based apps. What if your phone is stolen? On the other hand, it avoids sms interception and is probably "good enough." Still, something like this is nice for peace of mind when you have > voyager level assets at Vanguard.
I am not at all torn on phone-based apps. Phone is not secure. More exactly the security of the phone is designed to prevent the theft of phone calls. My Vanguard account is several orders of magnitude more valuable and needs more protection. Pushing phone security guarantees you will have to do it all over again, and again and again.
Numbers
Posts: 1
Joined: Mon Jan 02, 2017 8:44 pm

Re: Vanguard's new security key option

Post by Numbers »

smartinwate wrote:In looking at Yubico's web site, I'm a bit confused. Their sales blurbs state that "no drivers or software" are necessary to use the FIDO U2F key; however, also according to their site:
You may experience a slight delay when registering a key for the first time, as your computer will need to install the driver software.
That bit about "install the driver software" would seem to imply a requirement for Microsoft Windows, and I absolutely refuse to do any online financial work using Windows.
While I haven't set it up with Vanguard yet, I regularly use a Yubikey NEO on Linux with no problems for U2F with Google and other things. The Debian package archives even have a TOTP client and other programs to manage the extra non-U2F features of the NEO.

Just be aware that as bertilak mentioned upthread, Firefox doesn't work, you need to use Chrome. (Short reason why when I last looked was there needed to be some larger internal changes inside Firefox to accommodate talking to a USB device and there wasn't the volunteer power with the knowledge to push through such a change)
esev
Posts: 15
Joined: Fri Apr 03, 2015 12:53 am

Re: Vanguard's new security key option

Post by esev »

Don't know how I missed this. Thanks for the heads-up. Just enabled it for my account.
smartinwate wrote:That bit about "install the driver software" would seem to imply a requirement for Microsoft Windows, and I absolutely refuse to do any online financial work using Windows.
The Yubikey devices work on Windows, Mac, and Linux. There is a USB + NFC compatible version that also works on Android. Yubico makes a couple of different Yubikeys. You'll want to look for the ones that support the U2F standard (which I believe all the current generation of Yubikeys do).

The main advantage I see to these U2F security keys is that they can't be fooled by phishing sites. Many people forget to double-check the URL/location bar in the browser before entering their second factor SMS or 5-6 digit time-based one-time passwords. They'll get an email saying something has changed with their account and blindly click the link and sign-in. Phishing sites take advantage of this fact and intercept the code when you enter it on the wrong/malicious website. The security key and browser work together to make intercepting the second factor authentication impossible.
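Added example, not part of the thread and not any poster's or vendor's code: a standard-library Python model of the point made in several posts above, that a typed one-time code (RFC 6238 TOTP, the scheme jds13 mentions) carries no record of the site it was entered on, while a security-key response covers the server's challenge and the origin the browser saw. Assumptions: both origins are hypothetical, the class and function names are invented for illustration, and HMAC stands in for the ECDSA signature a real U2F key produces.

```python
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://login.broker.example"            # hypothetical relying party
LOOKALIKE_ORIGIN = "https://login.broker-example.test"  # hypothetical look-alike page
RFC_SECRET = b"12345678901234567890"                    # published RFC 4226/6238 test secret


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) using RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts_totp(secret: bytes, submitted: str, now: int) -> bool:
    """The server can only compare digits; nothing says where they were typed.
    (Strict single-step check; deployed servers often allow adjacent steps.)"""
    return hmac.compare_digest(totp(secret, now), submitted)


class SecurityKey:
    """Toy token. HMAC is a stand-in for the signature a real U2F key makes."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def registration_key(self) -> bytes:
        # Real U2F registers a public key; this symmetric stand-in shares the secret.
        return self._key

    def sign(self, client_data: bytes) -> bytes:
        return hmac.new(self._key, client_data, hashlib.sha256).digest()


def browser_get_assertion(token, challenge: str, origin_in_address_bar: str):
    """The browser, not the page, records the origin before the token signs."""
    client_data = json.dumps(
        {"challenge": challenge, "origin": origin_in_address_bar}, sort_keys=True
    ).encode()
    return client_data, token.sign(client_data)


class RelyingParty:
    """Server side: issues single-use challenges and checks what was signed."""

    def __init__(self, origin: str, registered_key: bytes):
        self.origin = origin
        self.key = registered_key
        self.pending = set()

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def verify(self, client_data: bytes, signature: bytes) -> str:
        expected = hmac.new(self.key, client_data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return "bad-signature"
        data = json.loads(client_data)
        if data["challenge"] not in self.pending:
            return "unknown-or-reused-challenge"
        self.pending.discard(data["challenge"])  # each challenge is valid once
        if data["origin"] != self.origin:
            return "wrong-origin"
        return "ok"


def run_scenarios() -> dict:
    out = {}
    # One-time code typed at t=40 on the wrong page, presented at t=55 and t=61.
    code = totp(RFC_SECRET, 40)
    out["otp_forwarded_same_window"] = server_accepts_totp(RFC_SECRET, code, 55)
    out["otp_forwarded_next_window"] = server_accepts_totp(RFC_SECRET, code, 61)

    key = SecurityKey()
    rp = RelyingParty(REAL_ORIGIN, key.registration_key())

    # Genuine login: the browser is on the real origin.
    data, sig = browser_get_assertion(key, rp.new_challenge(), REAL_ORIGIN)
    out["key_genuine_login"] = rp.verify(data, sig)
    # The same bytes presented again: the challenge was already consumed.
    out["key_replayed_assertion"] = rp.verify(data, sig)
    # A fresh challenge shown through a look-alike page: that origin gets signed.
    data, sig = browser_get_assertion(key, rp.new_challenge(), LOOKALIKE_ORIGIN)
    out["key_via_lookalike_origin"] = rp.verify(data, sig)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```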
evestor
Posts: 184
Joined: Sat Feb 21, 2015 4:37 pm

Re: Vanguard's new security key option

Post by evestor »

Afty wrote:FWIW, Google recently published a paper on their switch from OTPs to U2F (security keys) for all employees. The switch was a huge success, reducing account compromises while improving usability. (I acknowledge that Google employees are a very different user population than Vanguard customers.)

http://fc16.ifca.ai/preproceedings/25_Lang.pdf
Controlled population with an IT dept that can directly support them, and everyone is a known quantity with verified ID. Totally different math.
I worked for an organization that gave out smart cards to every employee & issued machine certs to every device, then used all of it together to bootstrap a strong IPSec policy that controlled access on a resource by resource basis in the early 2002s. It's amazing what you can do with a controlled population.
inception
Posts: 32
Joined: Thu Dec 01, 2016 3:32 am

Re: Vanguard's new security key option

Post by inception »

Flymore wrote:
blevine wrote:
moshe wrote:It would be nice if they also supported, as fidelity does, the Symantec VIP app that runs on my phone. One less thing to lose.

~Moshe
Etrade was using Symantec VIP in the past. I found that convenient when they moved from hardware (RSA) to software solution.
I have used RSA software too, works similarly to Symantec.

Personally I feel we are moving to a single device world and I simply don't want to carry multiple devices.
Symantec or RSA software solutions are both options I would use, but not getting any more hardware tokens.
Too inconvenient. Security is a tradeoff with convenience and I feel 2FA of almost any kind is adding security,
but if the solution makes it very difficult for me to access my account (such as not bringing the fob with me)
not going to use it long.
Updated my Etrade account to use Symantec VIP when I saw it mentioned on this board.
Downloaded the free app to my phone, works great. Just suffix the number generated to my password.
Would be nice to have this for Vanguard too.
As another data point, Fidelity also supports software token-based 2FA using Symantec VIP for logins. Additionally, SMS-based 2FA can supposedly be layered on top of that for "high risk" transactions (e.g., bank wires) once logged in.
SGM
Posts: 3341
Joined: Wed Mar 23, 2011 4:46 am

Re: Vanguard's new security key option

Post by SGM »

I just talked to a low level Vanguard employee who had never heard of a key option and when he asked someone else there about the option he said it was not available.
mt
Posts: 150
Joined: Sun Dec 26, 2010 10:25 am

Re: Vanguard's new security key option

Post by mt »

stan1 wrote:
When you register for this service, your key will become your primary method of identifying yourself (along with your user name and password) when you log on to vanguard.com from a computer. It will replace security codes, a service that sends you a one-time code to enter when you log on. You'll need to register for both security codes and security keys, however. That's because keys and codes go hand in hand—if you lose your key or don't have it, we'll need to send you a code in order for you to log on. In addition, you'll always need a code to access your accounts from a mobile device.
Unless I'm misunderstanding the above statement from Vanguard's website, if you call them and say you've lost your key or don't have it they will send you a text message for access which means it is no more secure than an SMS code. Anyone read this differently?

If I am not mistaken when you called they would ask you for your verbal password, assuming you have one. So that would seem to be more secure than just an SMS code.
grouper
Posts: 38
Joined: Thu Jun 20, 2013 8:30 pm

Re: Vanguard's new security key option

Post by grouper »

My account has voice recognition attached to it, so anyone calling Vanguard representing themselves as me would be detected immediately. I added this feature when I discovered that my identity had been compromised about a year ago. I called and asked for an account security representative and he led me through the recording of my voice pattern.

I am going to add the Key hardware and not worry about the rest. I DO NOT under any circumstances use my mobile device for transactions with Vanguard. I use my home network driven desktop only, which has a strong firewall and internet security suite. I am an old geezer and I do not take lightly the risks associated with someone drawing down my retirement funds. Vanguard requires that you use your very best efforts to safeguard your use of their site, comply with their recommendations for safe practices, check your accounts frequently, report any variances immediately and work with them closely in an effort to recover any lost funds.

Like most people, I use my mobile device for many things, but financial transactions are not one of them.
siamond
Posts: 6003
Joined: Mon May 28, 2012 5:50 am

Re: Vanguard's new security key option

Post by siamond »

pragmatist wrote:Hey everyone,

I just noticed a new "security key" option in the account maintenance page. It appears that Vanguard now supports hardware multi-factor authentication using Yubikey, though you have to purchase them elsewhere.

Pragmatist
Missed this thread. I wasn't aware that we could do that. Thank you, I just ordered a Yubikey, this will certainly help with my peace of mind.