Vanguard's new security key option

siamond
Posts: 3154
Joined: Mon May 28, 2012 5:50 am

Re: Vanguard's new security key option

Post by siamond » Tue Jul 04, 2017 11:29 am

Received my Yubikey, activated Vanguard (and Dropbox and LastPass too) with it, works well.

As a side note, this is a nice 20% off deal today, too bad I missed it:
https://www.yubico.com/2-factor-tuesday/?fb2

PS. Just read that "Promo is live on the first Tuesday of every month"

sred5
Posts: 2
Joined: Thu Dec 03, 2015 9:55 pm

Re: Vanguard's new security key option

Post by sred5 » Wed Aug 09, 2017 7:04 pm

I give Vanguard tremendous applause for taking this step!

I am really surprised at the number of negative comments regarding Vanguard's implementation of Yubico FIDO/U2F security keys.

In terms of browser support, Firefox is supported, but there is currently a Firefox addon to make this work.

In terms of Windows loading drivers, that's done behind the scenes with the later versions of Windows and it's not an issue. Your keyboard and mouse have drivers too, and those are needed to type in your login/password.

In terms of the complaints over having SMS as a backup, mt is correct in noting, "If I am not mistaken when you called they would ask you for your verbal password, assuming you have one. So that would seem to be more secure than just an SMS code." Voice-verification is another common security layer when calling Vanguard. If anyone can call Vanguard, pretend they are Joe Smith and tell Vanguard to drop the Yubico keys from Joe's login process, then there is a much bigger security hole, which is that they have assumed Joe Smith's identity and can do much more to his account.

More than anything, I think that we should really be thanking Vanguard. Vanguard leapfrogged over many other institutions with this one move in terms of security. For the future, we might ask if Vanguard could consider dropping the SMS security code as a backup if we have 3 or 4 YubiKeys registered?

For now, we should simply say, "Thank You Vanguard - this is an enormously positive step in terms of security - your tech guys deserve a lot of credit!"

jalbert
Posts: 2029
Joined: Fri Apr 10, 2015 12:29 am

Re: Vanguard's new security key option

Post by jalbert » Wed Aug 09, 2017 11:24 pm

heartwood wrote:
Is there a link to an explanation of why Yubikey is preferable to the current 2-factor method of receiving a code?

Here's an actual example of someone breaking someone's 2-factor SMS via social engineering and compromising the victim's Paypal account:

https://www.theregister.co.uk/2017/07/1 ... er_tricks/

Unfortunately, Vanguard still can't seem to get the security engineering for authentication right. Because SMS is retained as a backup method, if an attacker breaks your SMS, they just go around the need to use the yubikey by requesting an SMS code, so that the addition of the yubikey as a 2nd point of attack makes the overall protocol slightly weaker than just having SMS.
Risk is not a guarantor of return.
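
Added example, not part of the thread: a small Python model of the argument in the posts above, where any one accepted second factor is enough to log in. The per-method compromise probabilities and sample accounts are constructed for illustration, `min_keys=3` is an assumed policy following sred5's "3 or 4 YubiKeys" suggestion, and `Account`, `bypass_probability` and `audit` are hypothetical names.

```python
from dataclasses import dataclass
from math import prod

# Constructed per-method compromise probabilities (illustrative, not measured).
P_COMPROMISE = {"sms": 0.05, "u2f": 0.001}

@dataclass
class Account:
    user: str
    u2f_keys: int       # registered security keys
    sms_fallback: bool  # SMS code still accepted instead of a key

def bypass_probability(acct: Account) -> float:
    """Chance that at least one accepted second factor is compromised.

    Any single accepted method completes the login, so every extra method
    is one more independent path for an attacker.
    """
    paths = [P_COMPROMISE["u2f"]] * acct.u2f_keys
    if acct.sms_fallback:
        paths.append(P_COMPROMISE["sms"])
    if not paths:
        return 1.0  # no second factor enrolled
    return 1 - prod(1 - p for p in paths)

def audit(accounts, min_keys=3):
    """Return (user, risk, action) per account; min_keys is an assumed policy."""
    findings = []
    for a in accounts:
        if a.u2f_keys == 0:
            action = "enroll_keys"
        elif not a.sms_fallback:
            action = "ok"
        elif a.u2f_keys >= min_keys:
            action = "drop_sms"              # enough spare keys to avoid lockout
        else:
            action = "add_keys_then_drop_sms"
        findings.append((a.user, round(bypass_probability(a), 5), action))
    return findings

# Constructed sample enrollments.
ACCOUNTS = [
    Account("alice", 0, True),
    Account("bob", 1, True),
    Account("carol", 3, True),
    Account("dave", 3, False),
]

if __name__ == "__main__":
    for row in audit(ACCOUNTS):
        print(row)
```

With these constructed numbers, bob's key-plus-SMS account scores slightly worse than alice's SMS-only account, and only dave's key-only account is materially better.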

siamond
Posts: 3154
Joined: Mon May 28, 2012 5:50 am

Re: Vanguard's new security key option

Post by siamond » Sat Aug 12, 2017 9:16 pm

jalbert wrote:
Wed Aug 09, 2017 11:24 pm
Unfortunately, Vanguard still can't seem to get the security engineering for authentication right. Because SMS is retained as a backup method, if an attacker breaks your SMS, they just go around the need to use the yubikey by requesting an SMS code, so that the addition of the yubikey as a 2nd point of attack makes the overall protocol slightly weaker than just having SMS.

This seems a little harsh. Have you considered that Vanguard may have decided to keep the SMS backup method for a little while, until a good number of their customers got used to the Yubikey process and until corresponding kinks have been sorted out? And then and only then will switch to a more secure way of proceeding, with no backdoor (as you rightfully mention)? If I were a pragmatic Vanguard Product Manager, I would certainly have considered such a one-step-at-a-time approach.

Personally, I applaud Vanguard for making a great step towards more security. I certainly hope they will go one step further, but that is definite progress.

jalbert
Posts: 2029
Joined: Fri Apr 10, 2015 12:29 am

Re: Vanguard's new security key option

Post by jalbert » Sun Aug 13, 2017 2:03 pm

siamond wrote:
This seems a little harsh. Have you considered that Vanguard may have decided to keep the SMS backup method for a little while, until a good number of their customers got used to the Yubikey process and until corresponding kinks have been sorted out?

It should not be made available to all customers before kinks have been sorted out. Otherwise, that would just be throwing another flawed process into the mix.
Risk is not a guarantor of return.
