Vanguard's new security key option

pragmatist
Posts: 10
Joined: Sat Sep 10, 2016 8:46 pm

Vanguard's new security key option

Post by pragmatist » Fri Dec 09, 2016 4:25 pm

Hey everyone,

I just noticed a new "security key" option in the account maintenance page. It appears that Vanguard now supports hardware multi-factor authentication using Yubikey, though you have to purchase them elsewhere.

Pragmatist

lostdog
Posts: 624
Joined: Thu Feb 04, 2016 2:15 pm

Re: Vanguard's new security key option

Post by lostdog » Fri Dec 09, 2016 11:26 pm

This is wonderful. I use a yubikey for my Google account.
"Our life is frittered away by detail. Simplify, simplify." -Thoreau

pragmatist
Posts: 10
Joined: Sat Sep 10, 2016 8:46 pm

Re: Vanguard's new security key option

Post by pragmatist » Sat Dec 10, 2016 12:26 am

The newer ones can be quite expensive, but they can be used for multiple websites. It seems the improvement from SMS to hardware may be worth it, though Vanguard makes you retain SMS as a backup, at least for now.

Pragmatist

Mav
Posts: 42
Joined: Tue Jan 05, 2016 10:55 pm

Re: Vanguard's new security key option

Post by Mav » Sat Dec 10, 2016 2:50 am

There are multiple articles in the news about how relatively easy it is to hack/change SIM cards and, thus, re-route where SMS is going. People call the provider and pretend that they lost/damaged their phone and ask the provider to activate a new SIM card. With Yubikey, it's virtually impossible.

lostdog
Posts: 624
Joined: Thu Feb 04, 2016 2:15 pm

Re: Vanguard's new security key option

Post by lostdog » Sat Dec 10, 2016 9:24 am

I just enabled my key. Flawless setup.

I wonder if this can retract some investors from tinkering with their account.
"Our life is frittered away by detail. Simplify, simplify." -Thoreau

grok87
Posts: 7569
Joined: Tue Feb 27, 2007 9:00 pm

Re: Vanguard's new security key option

Post by grok87 » Sat Dec 10, 2016 9:43 am

Pretty cool.

Does anybody else do this like fidelity?
"...people always live for ever when there is any annuity to be paid them"- Jane Austen

dbc47
Posts: 339
Joined: Thu Mar 01, 2007 11:02 am

Re: Vanguard's new security key option

Post by dbc47 » Sat Dec 10, 2016 10:10 am

Any recommendations on which model Yubikey to get? There are 4 models or so that seem to work but I can't figure out the difference and pricing varies between models too. I've just checked Amazon so far as a starting point.

Dan
:happy

lostdog
Posts: 624
Joined: Thu Feb 04, 2016 2:15 pm

Re: Vanguard's new security key option

Post by lostdog » Sat Dec 10, 2016 10:25 am

"Our life is frittered away by detail. Simplify, simplify." -Thoreau

heartwood
Posts: 1067
Joined: Sat Nov 23, 2013 1:40 pm

Re: Vanguard's new security key option

Post by heartwood » Sat Dec 10, 2016 10:32 am

Is there a link to an explanation of why Yubikey is preferable to the current 2-factor method of receiving a code?

jebmke
Posts: 6850
Joined: Thu Apr 05, 2007 2:44 pm

Re: Vanguard's new security key option

Post by jebmke » Sat Dec 10, 2016 10:34 am

heartwood wrote:Is there a link to an explanation of why Yubikey is preferable to the current 2-factor method of receiving a code?

I can think of two reasons. One, if your phone is hacked, the text could be intercepted. Two, if your phone is stolen and someone uses it to access your account, they have the destination end of the second factor.
When you discover that you are riding a dead horse, the best strategy is to dismount.

Afty
Posts: 523
Joined: Sun Sep 07, 2014 5:31 pm

Re: Vanguard's new security key option

Post by Afty » Sat Dec 10, 2016 10:37 am

heartwood wrote:Is there a link to an explanation of why Yubikey is preferable to the current 2-factor method of receiving a code?

There are a few reasons:

1) It's easy to pretend to be someone else and convince the telephone company to send your SMSes somewhere else. See https://www.wired.com/2016/06/hey-stop- ... ntication/

2) SMS and other numeric one-time pass codes are vulnerable to replay attacks. An attacker could spoof the Vanguard home page, collect your username, password, and one-time pass code, and then log in as you.

A Yubikey is not vulnerable to replay. The server sends a unique challenge and the Yubikey encrypts it. In the phishing scenario, if the attacker tried to log in with your credentials, the challenge would be different and the token would be invalid.

FlyingMoose
Posts: 300
Joined: Wed Mar 04, 2009 10:48 pm

Re: Vanguard's new security key option

Post by FlyingMoose » Sat Dec 10, 2016 10:49 am

Afty wrote:
heartwood wrote:Is there a link to an explanation of why Yubikey is preferable to the current 2-factor method of receiving a code?

There are a few reasons:

1) It's easy to pretend to be someone else and convince the telephone company to send your SMSes somewhere else. See https://www.wired.com/2016/06/hey-stop- ... ntication/

2) SMS and other numeric one-time pass codes are vulnerable to replay attacks. An attacker could spoof the Vanguard home page, collect your username, password, and one-time pass code, and then log in as you.

A Yubikey is not vulnerable to replay. The server sends a unique challenge and the Yubikey encrypts it. In the phishing scenario, if the attacker tried to log in with your credentials, the challenge would be different and the token would be invalid.


That's all well and good, but since Vanguard still requires you to leave the SMS option enabled, this doesn't protect you from (1) above. Also I don't understand how this protects you from (2), they could still be a man-in-the-middle even if you're using a token like this. It seems more like just a convenience because it's quicker than entering a code from a text message.

moshe
Posts: 417
Joined: Thu Dec 12, 2013 1:18 pm
Location: Boston, MA

Re: Vanguard's new security key option

Post by moshe » Sat Dec 10, 2016 11:28 am

It would be nice if they also supported, as fidelity does, the Symantec VIP app that runs on my phone. One less thing to lose.

~Moshe
My money has no emotions. ~Moshe | | I'm the world's greatest expert on my own opinion. ~Bruce Williams

bobcat2
Posts: 4939
Joined: Tue Feb 20, 2007 3:27 pm
Location: just barely Outside the Beltway

Re: Vanguard's new security key option

Post by bobcat2 » Sat Dec 10, 2016 11:36 am

I use a Yubikey for LastPass and some other applications. When I tried to use the Yubikey option at Vanguard it failed to initiate. Also my Yubikey failed to work on LastPass until I rebooted.

What can I say? More excellent work from Vanguard. :annoyed

BobK
In finance risk is defined as uncertainty that is consequential (nontrivial). | The two main methods of dealing with financial risk are the matching of assets to goals & diversifying.

Mav
Posts: 42
Joined: Tue Jan 05, 2016 10:55 pm

Re: Vanguard's new security key option

Post by Mav » Sat Dec 10, 2016 11:45 am

I'm interested in learning the difference among the versions of yubikey, what people are actually using. I noted Amazon sells other "keys" as well, like FIDO. It seems yubikey has more "history," more proven.

Also, I googled yubikey alternatives:

https://news.ycombinator.com/item?id=11690774
https://www.reddit.com/r/linux/comments ... omponents/
https://news.ycombinator.com/item?id=10888186

Afty
Posts: 523
Joined: Sun Sep 07, 2014 5:31 pm

Re: Vanguard's new security key option

Post by Afty » Sat Dec 10, 2016 12:11 pm

FlyingMoose wrote:
Afty wrote:
heartwood wrote:Is there a link to an explanation of why Yubikey is preferable to the current 2-factor method of receiving a code?

There are a few reasons:

1) It's easy to pretend to be someone else and convince the telephone company to send your SMSes somewhere else. See https://www.wired.com/2016/06/hey-stop- ... ntication/

2) SMS and other numeric one-time pass codes are vulnerable to replay attacks. An attacker could spoof the Vanguard home page, collect your username, password, and one-time pass code, and then log in as you.

A Yubikey is not vulnerable to replay. The server sends a unique challenge and the Yubikey encrypts it. In the phishing scenario, if the attacker tried to log in with your credentials, the challenge would be different and the token would be invalid.


That's all well and good, but since Vanguard still requires you to leave the SMS option enabled, this doesn't protect you from (1) above. Also I don't understand how this protects you from (2), they could still be a man-in-the-middle even if you're using a token like this. It seems more like just a convenience because it's quicker than entering a code from a text message.

Well, that's not good if Vanguard is requiring SMS 2-factor.

#2 is about replay attacks, not man in the middle. Man in the middle is prevented by HTTPS. Replay is when the attacker gains access to your authentication tokens and can just reuse them to authenticate on an entirely different system and/or session.

vanguardinvestor915
Posts: 1
Joined: Sun Jan 01, 2017 12:19 pm

Re: Vanguard's new security key option

Post by vanguardinvestor915 » Sun Jan 01, 2017 12:28 pm

I found a comparison of the different YubiKeys here: https://www.yubico.com/products/yubikey-hardware/

YUBIKEY NEO is a little older, but offers NFC for use with logging into sites with your smartphone.

YUBIKEY 4 is a newer model, offers stronger and faster encryption, but lacks NFC, if you need that.

The FIDO U2F SECURITY KEY offers only one type of authentication: FIDO U2F. The other keys offer several other types in addition to FIDO U2F and may be used for other sites and services besides Vanguard, such as LastPass.

blevine
Posts: 1692
Joined: Sat Feb 27, 2010 3:57 pm
Location: Paradise

Re: Vanguard's new security key option

Post by blevine » Sun Jan 01, 2017 10:06 pm

moshe wrote:It would be nice if they also supported, as fidelity does, the Symantec VIP app that runs on my phone. One less thing to lose.

~Moshe


Etrade was using Symantec VIP in the past. I found that convenient when they moved from hardware (RSA) to software solution.
I have used RSA software too, works similarly to Symantec.

Personally I feel we are moving to a single device world and I simply don't want to carry multiple devices.
Symantec or RSA software solutions are both options I would use, but not getting any more hardware tokens.
Too inconvenient. Security is a tradeoff with convenience and I feel 2FA of almost any kind is adding security,
but if the solution makes it very difficult for me to access my account (such as not bringing the fob with me)
not going to use it long.

evestor
Posts: 66
Joined: Sat Feb 21, 2015 5:37 pm

Re: Vanguard's new security key option

Post by evestor » Sun Jan 01, 2017 11:16 pm

Love that Vanguard is investing here but oh my do I wish they made another choice.
I will use this because I'm in the software security business so I do anything I can to protect my stuff. But this is a sure fire way to fail.
Best case this is used by a small # of people, ie we only helped a small # of people.
Worst case this is used by a small # of people and then deprecated by Vanguard because there was not much adoption.

They need to have a mass market play too, a la one of the GOOG authenticator app or whatever they choose. Something that runs off of my phone. Supporting this for the propeller heads like me is fine, but it can't be what we ask most users to use. And we need to protect most users.

Alternatively, this all changes if we see a great option appear that enables this form factor in a software token on the phone...

random_walker_77
Posts: 454
Joined: Tue May 21, 2013 8:49 pm

Re: Vanguard's new security key option

Post by random_walker_77 » Mon Jan 02, 2017 10:51 am

I'm also really glad to see this. I think they should offer to give one of these hw keys to every one of their voyager and flagship customers -- it'd be a really nice marketing gesture and offer real value.

I'm a little torn on phone-based apps. What if your phone is stolen? On the other hand, it avoids SMS interception and is probably "good enough." Still, something like this is nice for peace of mind when you have > voyager level assets at Vanguard.

xystici
Posts: 305
Joined: Thu Nov 19, 2009 4:40 pm
Location: Boston & Barcelona

Re: Vanguard's new security key option

Post by xystici » Mon Jan 02, 2017 11:12 am

what happens if you lose your key?
Trust yourself, Break the rules, Don't be afraid to fail, Don't listen to naysayers, Work your butt off. "It is in your moments of decision that your destiny is shaped. Choose now and well"

evestor
Posts: 66
Joined: Sat Feb 21, 2015 5:37 pm

Re: Vanguard's new security key option

Post by evestor » Mon Jan 02, 2017 11:13 am

random_walker_77 wrote:I'm also really glad to see this. I think they should offer to give one of these hw keys to every one of their voyager and flagship customers -- it'd be a really nice marketing gesture and offer real value.

I'm a little torn on phone-based apps. What if your phone is stolen? On the other hand, it avoids SMS interception and is probably "good enough." Still, something like this is nice for peace of mind when you have > voyager level assets at Vanguard.


SMS + what you know is probably how to do over the web reset, if you choose to support that at all. If I were Vanguard I would do SMS + what you know + force them on to the phone with a human for reset.

As for the key/phone based form factor...this isn't perfection, it's the best option. :) Are we better off with hw keys used by ~10K people or a phone based authenticator in use by ~millions? I would submit this is a non-choice. We want to protect as many people as we can.
Losing your phone can be mitigated, ex: forcing phone pin or app pin or still requiring something you know at login to go with the phone pin (as Fidelity does) or...the list goes on.

mpsz
Posts: 166
Joined: Sat Jan 09, 2016 7:11 pm

Re: Vanguard's new security key option

Post by mpsz » Mon Jan 02, 2017 11:47 am

I'm really disappointed that you have to leave SMS on. This doesn't increase security at all.

nyclon
Posts: 174
Joined: Fri Oct 02, 2015 5:30 pm

Re: Vanguard's new security key option

Post by nyclon » Mon Jan 02, 2017 11:52 am

grok87 wrote:Pretty cool.

Does anybody else do this like fidelity?


I've been using this with Etrade for years. Incredible peace of mind.

boater07
Posts: 451
Joined: Sun Apr 15, 2007 7:44 pm
Location: Northwest

Re: Vanguard's new security key option

Post by boater07 » Mon Jan 02, 2017 1:14 pm

Is there any hope for computer challenged??
This really hit home when the sharing of passwords came up in another post. Vanguard confirmed husband/wife
cannot even share passwords even with agent authorization in place. That has allowed me to handle her affairs
like RMDs etc. However, wife is unable to do the same since she has log in issues.
Some of the comments above like using aggregators seem to me would also violate sharing passwords.

Is V driving Seniors away? I'll be voicing my concern to them this week.

jds13
Posts: 6
Joined: Mon Mar 03, 2014 2:50 pm

Re: Vanguard's new security key option

Post by jds13 » Mon Jan 02, 2017 1:19 pm

In addition to the hacking problems, it's usually possible to read incoming SMS messages without unlocking a phone. That's why NIST has recommended that SMS not be used in two-factor authentication. [NIST Special Publication 800-63B]

If you want to use a Yubikey to secure your Vanguard (and Google) accounts, there's no reason to get anything other than the $18 "FIDO U2F SECURITY KEY." The added features of the other devices are not used. Get two and keep one in a safe place in case you lose your primary key. You can register several keys on your Vanguard account. The same key can be used on multiple accounts, so you and your spouse can act as each other's backup.

Currently Vanguard does not support the $10 HyperFIDO U2F.

Rather than using the proprietary Symantec VIP system, it would be nice if Vanguard supported the free, simple RFC 6238 "time-based one-time password" system as implemented in Google Authenticator and many other desktop and mobile apps. This mechanism is used by Google, Microsoft, Amazon, Dropbox, Wordpress, Github, Facebook, Rackspace, and many many others.

BTW, I'm a senior :-/
Last edited by jds13 on Mon Jan 02, 2017 1:24 pm, edited 1 time in total.

evestor
Posts: 66
Joined: Sat Feb 21, 2015 5:37 pm

Re: Vanguard's new security key option

Post by evestor » Mon Jan 02, 2017 1:22 pm

jds13 wrote:Rather than using the proprietary Symantec VIP system, it would be nice if Vanguard supported the free, simple RFC 6238 "time-based one-time password" system as implemented in Google Authenticator and many other desktop and mobile apps. This mechanism is used by Google, Microsoft, Amazon, Dropbox, Wordpress, Github, Facebook, Rackspace, and many many others.


I'm glad you like it. I helped to build that. :)

FWIW I agree with you. Leaning on existing mechanisms for this stuff is best.
Avoiding SMS is hard. Everyone needs a lost OTP device story, and the best we have in the industry right now is SMS + what you know, at least at scale. Forcing the person on to the phone makes it a step harder still, at least making it hard to attack users at scale (one off still on the docket).

This stuff is super hard. We're trying to bootstrap trust in to a world where none existed to start, and on top of this users do not want ANY level of inconvenience.

stan1
Posts: 4953
Joined: Mon Oct 08, 2007 4:35 pm

Re: Vanguard's new security key option

Post by stan1 » Mon Jan 02, 2017 1:30 pm

When you register for this service, your key will become your primary method of identifying yourself (along with your user name and password) when you log on to vanguard.com from a computer. It will replace security codes, a service that sends you a one-time code to enter when you log on. You'll need to register for both security codes and security keys, however. That's because keys and codes go hand in hand—if you lose your key or don't have it, we'll need to send you a code in order for you to log on. In addition, you'll always need a code to access your accounts from a mobile device.


Unless I'm misunderstanding the above statement from Vanguard's website, if you call them and say you've lost your key or don't have it they will send you a text message for access which means it is no more secure than an SMS code. Anyone read this differently?

jds13
Posts: 6
Joined: Mon Mar 03, 2014 2:50 pm

Re: Vanguard's new security key option

Post by jds13 » Mon Jan 02, 2017 1:35 pm

This stuff is super hard. We're trying to bootstrap trust in to a world where none existed to start, and on top of this users do not want ANY level of inconvenience.


Right! Thanks for pointing that out! Any two-factor authentication is a huge improvement, and FIDO U2F is the gold standard. Kudos and thanks to Vanguard for being a leader in pushing security to a whole better level for those who are willing to take advantage.

Vanguard surely has millions of customers with passwords like "123456" and "passw0rd", who use unsecured public networks, who go through password recovery every time they log into their accounts. The paranoid worry about FIDO hacking and second-factor integrity, but the real problem is the 98% of customers who are totally unaware.

FlyingMoose
Posts: 300
Joined: Wed Mar 04, 2009 10:48 pm

Re: Vanguard's new security key option

Post by FlyingMoose » Mon Jan 02, 2017 1:55 pm

stan1 wrote:
When you register for this service, your key will become your primary method of identifying yourself (along with your user name and password) when you log on to vanguard.com from a computer. It will replace security codes, a service that sends you a one-time code to enter when you log on. You'll need to register for both security codes and security keys, however. That's because keys and codes go hand in hand—if you lose your key or don't have it, we'll need to send you a code in order for you to log on. In addition, you'll always need a code to access your accounts from a mobile device.


Unless I'm misunderstanding the above statement from Vanguard's website, if you call them and say you've lost your key or don't have it they will send you a text message for access which means it is no more secure than an SMS code. Anyone read this differently?


You would use SMS to log in the same as if you didn't have a Yubikey. You can't disable the SMS option. So you're correct, it's no more secure, since both options are available to an attacker.

grok87
Posts: 7569
Joined: Tue Feb 27, 2007 9:00 pm

Re: Vanguard's new security key option

Post by grok87 » Mon Jan 02, 2017 2:22 pm

nyclon wrote:
grok87 wrote:Pretty cool.

Does anybody else do this like fidelity?


I've been using this with Etrade for years. Incredible peace of mind.

thanks
"...people always live for ever when there is any annuity to be paid them"- Jane Austen

bertilak
Posts: 5663
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Vanguard's new security key option

Post by bertilak » Mon Jan 02, 2017 4:00 pm

This looked interesting so I looked at Vanguard's website and it says my browser is not supported. I use one of the most popular browsers: Firefox!
Listen very carefully. I shall say this only once. (There! I've said it.)

munemaker
Posts: 2101
Joined: Sat Jan 18, 2014 6:14 pm

Re: Vanguard's new security key option

Post by munemaker » Mon Jan 02, 2017 6:52 pm

boater07 wrote:Vanguard confirmed husband/wife cannot even share passwords even with agent authorization in place.


There must be some mistake. We do it all the time.

evestor
Posts: 66
Joined: Sat Feb 21, 2015 5:37 pm

Re: Vanguard's new security key option

Post by evestor » Mon Jan 02, 2017 7:04 pm

jds13 wrote:Right! Thanks for pointing that out! Any two-factor authentication is a huge improvement, and FIDO U2F is the gold standard. Kudos and thanks to Vanguard for being a leader in pushing security to a whole better level for those who are willing to take advantage.

Vanguard surely has millions of customers with passwords like "123456" and "passw0rd", who use unsecured public networks, who go through password recovery every time they log into their accounts. The paranoid worry about FIDO hacking and second-factor integrity, but the real problem is the 98% of customers who are totally unaware.


If they do, shame on them. Modern authentication systems prevent this even if they don't have good TFA schemes.
But your point is the same and it is valid. Most of these services are horrifically insecure.

Having been in this business, it is one thing to offer more secure options but quite another to get everyone using them. The latter is HARD. But if you want to protect millions of people, it's the only choice. Otherwise you are only able to say to the person who got hacked "geez, if you had only asked a nerd what to do, what you would have done is..."

TIAX
Posts: 851
Joined: Sat Jan 11, 2014 12:19 pm

Re: Vanguard's new security key option

Post by TIAX » Mon Jan 02, 2017 7:23 pm

random_walker_77 wrote:I'm also really glad to see this. I think they should offer to give one of these hw keys to every one of their voyager and flagship customers -- it'd be a really nice marketing gesture and offer real value.

I'm a little torn on phone-based apps. What if your phone is stolen? On the other hand, it avoids SMS interception and is probably "good enough." Still, something like this is nice for peace of mind when you have > voyager level assets at Vanguard.

Agree, it would be a nice gesture and I doubt too many users would ask for it so it wouldn't cost Vanguard very much.

Afty
Posts: 523
Joined: Sun Sep 07, 2014 5:31 pm

Re: Vanguard's new security key option

Post by Afty » Mon Jan 02, 2017 7:40 pm

FWIW, Google recently published a paper on their switch from OTPs to U2F (security keys) for all employees. The switch was a huge success, reducing account compromises while improving usability. (I acknowledge that Google employees are a very different user population than Vanguard customers.)

http://fc16.ifca.ai/preproceedings/25_Lang.pdf

pragmatist
Posts: 10
Joined: Sat Sep 10, 2016 8:46 pm

Re: Vanguard's new security key option

Post by pragmatist » Mon Jan 02, 2017 7:43 pm

It's a bummer about the need to preserve the sms option. I think they clearly are trying to avoid higher call volume by making sms authentication always available for login. The key option is nice anyway. The key can be configured to add a long (15+ char) static password that I don't know, which I combine with a shorter password that I manually type as a prefix.

Does anyone have an example of a brokerage with better security features?

oldcomputerguy
Posts: 1976
Joined: Sun Nov 22, 2015 6:50 am
Location: In the middle of five acres of woods

Re: Vanguard's new security key option

Post by oldcomputerguy » Mon Jan 02, 2017 8:16 pm

In looking at Yubico's web site, I'm a bit confused. Their sales blurbs state that "no drivers or software" are necessary to use the FIDO U2F key; however, also according to their site:
You may experience a slight delay when registering a key for the first time, as your computer will need to install the driver software.


That bit about "install the driver software" would seem to imply a requirement for Microsoft Windows, and I absolutely refuse to do any online financial work using Windows.
Anybody know why there's a 20-pound frozen turkey up in the light grid?

Epsilon Delta
Posts: 6492
Joined: Thu Apr 28, 2011 7:00 pm

Re: Vanguard's new security key option

Post by Epsilon Delta » Mon Jan 02, 2017 8:26 pm

FlyingMoose wrote:
Afty wrote:2) SMS and other numeric one-time pass codes are vulnerable to replay attacks. An attacker could spoof the Vanguard home page, collect your username, password, and one-time pass code, and then log in as you.

A Yubikey is not vulnerable to replay. The server sends a unique challenge and the Yubikey encrypts it. In the phishing scenario, if the attacker tried to log in with your credentials, the challenge would be different and the token would be invalid.


Also I don't understand how this protects you from (2), they could still be a man-in-the-middle even if you're using a token like this. It seems more like just a convenience because it's quicker than entering a code from a text message.


Roughly: part of the handshaking is that the Yubikey encrypts the certificate your browser is using to identify Vanguard and sends it to Vanguard. Vanguard can then check that it is the correct certificate.

A man-in-the-middle cannot communicate with you using Vanguard's certificate since only Vanguard has Vanguard's private key. A man-in-the-middle cannot sign Vanguard's certificate with your private key since only the Yubikey knows your private key.

Flymore
Posts: 121
Joined: Tue May 31, 2016 1:31 pm

Re: Vanguard's new security key option

Post by Flymore » Mon Jan 02, 2017 8:37 pm

blevine wrote:
moshe wrote:It would be nice if they also supported, as fidelity does, the Symantec VIP app that runs on my phone. One less thing to lose.

~Moshe


Etrade was using Symantec VIP in the past. I found that convenient when they moved from hardware (RSA) to software solution.
I have used RSA software too, works similarly to Symantec.

Personally I feel we are moving to a single device world and I simply don't want to carry multiple devices.
Symantec or RSA software solutions are both options I would use, but not getting any more hardware tokens.
Too inconvenient. Security is a tradeoff with convenience and I feel 2FA of almost any kind is adding security,
but if the solution makes it very difficult for me to access my account (such as not bringing the fob with me)
not going to use it long.


Updated my Etrade account to use Symantec VIP when I saw it mentioned on this board.
Downloaded the free app to my phone, works great. Just suffix the number generated to my password.
Would be nice to have this for Vanguard too.

Flymore
Posts: 121
Joined: Tue May 31, 2016 1:31 pm

Re: Vanguard's new security key option

Post by Flymore » Mon Jan 02, 2017 8:41 pm

smartinwate wrote:In looking at Yubico's web site, I'm a bit confused. Their sales blurbs state that "no drivers or software" are necessary to use the FIDO U2F key; however, also according to their site:
You may experience a slight delay when registering a key for the first time, as your computer will need to install the driver software.


That bit about "install the driver software" would seem to imply a requirement for Microsoft Windows, and I absolutely refuse to do any online financial work using Windows.



I second that!!!!!!!

Epsilon Delta
Posts: 6492
Joined: Thu Apr 28, 2011 7:00 pm

Re: Vanguard's new security key option

Post by Epsilon Delta » Mon Jan 02, 2017 8:45 pm

random_walker_77 wrote:I'm also really glad to see this. I think they should offer to give one of these hw keys to every one of their voyager and flagship customers -- it'd be a really nice marketing gesture and offer real value.

I'm a little torn on phone-based apps. What if your phone is stolen? On the other hand, it avoids SMS interception and is probably "good enough." Still, something like this is nice for peace of mind when you have > voyager level assets at Vanguard.


I am not at all torn on phone-based apps. Phone is not secure. More exactly the security of the phone is designed to prevent the theft of phone calls. My Vanguard account is several orders of magnitude more valuable and needs more protection. Pushing phone security guarantees you will have to do it all over again, and again and again.

Numbers
Posts: 1
Joined: Mon Jan 02, 2017 9:44 pm

Re: Vanguard's new security key option

Post by Numbers » Mon Jan 02, 2017 9:51 pm

smartinwate wrote:In looking at Yubico's web site, I'm a bit confused. Their sales blurbs state that "no drivers or software" are necessary to use the FIDO U2F key; however, also according to their site:
You may experience a slight delay when registering a key for the first time, as your computer will need to install the driver software.


That bit about "install the driver software" would seem to imply a requirement for Microsoft Windows, and I absolutely refuse to do any online financial work using Windows.


While I haven't set it up with Vanguard yet, I regularly use a Yubikey NEO on Linux with no problems for U2F with Google and other things. The Debian package archives even have a TOTP client and other programs to manage the extra non-U2F features of the NEO.

Just be aware that as bertilak mentioned upthread, Firefox doesn't work, you need to use Chrome. (Short reason why when I last looked was there needed to be some larger internal changes inside Firefox to accommodate talking to a USB device and there wasn't the volunteer power with the knowledge to push through such a change)

esev
Posts: 11
Joined: Fri Apr 03, 2015 12:53 am

Re: Vanguard's new security key option

Post by esev » Mon Jan 02, 2017 9:52 pm

Don't know how I missed this. Thanks for the heads-up. Just enabled it for my account.

smartinwate wrote:That bit about "install the driver software" would seem to imply a requirement for Microsoft Windows, and I absolutely refuse to do any online financial work using Windows.


The Yubikey devices work on Windows, Mac, and Linux. There is a USB + NFC compatible version that also works on Android. Yubico makes a couple of different Yubikeys. You'll want to look for the ones that support the U2F standard (which I believe all the current generation of Yubikeys do).

The main advantage I see to these U2F security keys is that they can't be fooled by phishing sites. Many people forget to double-check the URL/location bar in the browser before entering their second factor SMS or 5-6 digit time-based one-time passwords. They'll get an email saying something has changed with their account and blindly click the link and sign-in. Phishing sites take advantage of this fact and intercept the code when you enter it on the wrong/malicious website. The security key and browser work together to make intercepting the second factor authentication impossible.
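
Added example, not part of esev's post and not Vanguard or Yubico code: a Python simulation of the origin-bound challenge-response that esev, Afty and Epsilon Delta describe in this thread. Assumptions: HMAC-SHA256 stands in for the ECDSA P-256 signature a real U2F token produces, the application ID is taken to equal the page origin, and both origins and all class names are constructed for the illustration.

```python
import hashlib
import hmac
import json
import os

RP_ORIGIN = "https://login.example"              # constructed relying-party origin
LOOKALIKE_ORIGIN = "https://login-example.test"  # constructed look-alike origin


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SecurityKey:
    """Toy token; HMAC-SHA256 stands in for a real key's ECDSA signature."""

    def __init__(self):
        self._master = os.urandom(32)
        self._counter = 0

    def key_for(self, app_id: str) -> bytes:
        # One key per application ID, so a different site gets an unrelated key.
        return hmac.new(self._master, app_id.encode(), hashlib.sha256).digest()

    def sign(self, app_id: str, client_data: bytes):
        self._counter += 1
        # U2F signs: hash(app ID) | user-presence byte | counter | hash(client data)
        message = (sha256(app_id.encode()) + b"\x01"
                   + self._counter.to_bytes(4, "big") + sha256(client_data))
        tag = hmac.new(self.key_for(app_id), message, hashlib.sha256).digest()
        return self._counter, tag


def browser_sign(key: SecurityKey, page_origin: str, challenge: str):
    """The browser, not the page, records the origin the user is really on."""
    client_data = json.dumps({"typ": "navigator.id.getAssertion",
                              "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    counter, tag = key.sign(page_origin, client_data)
    return client_data, counter, tag


class RelyingParty:
    def __init__(self, origin: str, registered_key: bytes):
        self.origin = origin
        self.registered_key = registered_key  # a public key in real U2F
        self.pending = set()
        self.last_counter = 0

    def new_challenge(self) -> str:
        challenge = os.urandom(32).hex()
        self.pending.add(challenge)
        return challenge

    def verify(self, client_data: bytes, counter: int, tag: bytes) -> str:
        data = json.loads(client_data)
        if data.get("challenge") not in self.pending:
            return "rejected: unknown or already used challenge"
        self.pending.discard(data["challenge"])  # each challenge is single use
        if data.get("origin") != self.origin:
            return "rejected: origin mismatch"
        message = (sha256(self.origin.encode()) + b"\x01"
                   + counter.to_bytes(4, "big") + sha256(client_data))
        expected = hmac.new(self.registered_key, message, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad signature"
        if counter <= self.last_counter:
            return "rejected: counter did not advance"
        self.last_counter = counter
        return "accepted"


def run_scenarios() -> dict:
    key = SecurityKey()
    rp = RelyingParty(RP_ORIGIN, key.key_for(RP_ORIGIN))  # registration step
    results = {}

    # 1. The user is on the real site.
    assertion = browser_sign(key, RP_ORIGIN, rp.new_challenge())
    results["genuine login"] = rp.verify(*assertion)

    # 2. The same assertion is presented a second time.
    results["replayed assertion"] = rp.verify(*assertion)

    # 3. The user is on a look-alike page that forwards a fresh challenge.
    relayed = browser_sign(key, LOOKALIKE_ORIGIN, rp.new_challenge())
    results["relayed from look-alike"] = rp.verify(*relayed)

    # 4. As 3, but the origin field is rewritten before it reaches the server.
    client_data, counter, tag = browser_sign(key, LOOKALIKE_ORIGIN, rp.new_challenge())
    forged = client_data.replace(LOOKALIKE_ORIGIN.encode(), RP_ORIGIN.encode())
    results["origin rewritten"] = rp.verify(forged, counter, tag)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Unlike a typed code, the response is tied to the page the browser was on and to one server-issued challenge, so the server can reject both the look-alike and the replay without relying on the user to check the address bar.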

evestor
Posts: 66
Joined: Sat Feb 21, 2015 5:37 pm

Re: Vanguard's new security key option

Post by evestor » Mon Jan 02, 2017 10:04 pm

Afty wrote:FWIW, Google recently published a paper on their switch from OTPs to U2F (security keys) for all employees. The switch was a huge success, reducing account compromises while improving usability. (I acknowledge that Google employees are a very different user population than Vanguard customers.)

http://fc16.ifca.ai/preproceedings/25_Lang.pdf


Controlled population with an IT dept that can directly support them, and everyone is a known quantity with verified ID. Totally different math.
I worked for an organization that gave out smart cards to every employee & issued machine certs to every device, then used all of it together to bootstrap a strong IPSec policy that controlled access on a resource by resource basis in the early 2002s. It's amazing what you can do with a controlled population.

inception
Posts: 4
Joined: Thu Dec 01, 2016 4:32 am

Re: Vanguard's new security key option

Post by inception » Wed Jan 11, 2017 5:28 pm

Flymore wrote:
blevine wrote:
moshe wrote:It would be nice if they also supported, as fidelity does, the Symantec VIP app that runs on my phone. One less thing to lose.

~Moshe


Etrade was using Symantec VIP in the past. I found that convenient when they moved from hardware (RSA) to software solution.
I have used RSA software too, works similarly to Symantec.

Personally I feel we are moving to a single device world and I simply don't want to carry multiple devices.
Symantec or RSA software solutions are both options I would use, but not getting any more hardware tokens.
Too inconvenient. Security is a tradeoff with convenience and I feel 2FA of almost any kind is adding security,
but if the solution makes it very difficult for me to access my account (such as not bringing the fob with me)
not going to use it long.


Updated my Etrade account to use Symantec VIP when I saw it mentioned on this board.
Downloaded the free app to my phone, works great. Just suffix the number generated to my password.
Would be nice to have this for Vanguard too.


As another data point, Fidelity also supports software token-based 2FA using Symantec VIP for logins. Additionally, SMS-based 2FA can supposedly be layered on top of that for "high risk" transactions (e.g., bank wires) once logged in.

SGM
Posts: 2387
Joined: Wed Mar 23, 2011 4:46 am

Re: Vanguard's new security key option

Post by SGM » Thu Jan 12, 2017 4:40 pm

I just talked to a low-level Vanguard employee who had never heard of a key option, and when he asked someone else there about the option he said it was not available.

mt
Posts: 137
Joined: Sun Dec 26, 2010 11:25 am

Re: Vanguard's new security key option

Post by mt » Thu Jan 12, 2017 6:42 pm

stan1 wrote:
When you register for this service, your key will become your primary method of identifying yourself (along with your user name and password) when you log on to vanguard.com from a computer. It will replace security codes, a service that sends you a one-time code to enter when you log on. You'll need to register for both security codes and security keys, however. That's because keys and codes go hand in hand—if you lose your key or don't have it, we'll need to send you a code in order for you to log on. In addition, you'll always need a code to access your accounts from a mobile device.


Unless I'm misunderstanding the above statement from Vanguard's website, if you call them and say you've lost your key or don't have it, they will send you a text message for access, which means it is no more secure than an SMS code. Anyone read this differently?



If I am not mistaken when you called they would ask you for your verbal password, assuming you have one. So that would seem to be more secure than just an SMS code.

grouper
Posts: 26
Joined: Thu Jun 20, 2013 8:30 pm

Re: Vanguard's new security key option

Post by grouper » Thu Jan 12, 2017 10:04 pm

My account has voice recognition attached to it, so anyone calling Vanguard representing themselves as me would be detected immediately. I added this feature when I discovered that my identity had been compromised about a year ago. I called and asked for an account security representative and he led me through the recording of my voice pattern.

I am going to add the Key hardware and not worry about the rest. I DO NOT under any circumstances use my mobile device for transactions with Vanguard. I use my home network driven desktop only, which has a strong firewall and internet security suite. I am an old geezer and I do not take lightly the risks associated with someone drawing down my retirement funds. Vanguard requires that you use your very best efforts to safeguard your use of their site, comply with their recommendations for safe practices, check your accounts frequently, report any variances immediately and work with them closely in an effort to recover any lost funds.

Like most people, I use my mobile device for many things, but financial transactions are not among them.

siamond
Posts: 3426
Joined: Mon May 28, 2012 5:50 am

Re: Vanguard's new security key option

Post by siamond » Sat Jul 01, 2017 2:37 pm

pragmatist wrote:Hey everyone,

I just noticed a new "security key" option in the account maintenance page. It appears that Vanguard now supports hardware multi-factor authentication using Yubikey, though you have to purchase them elsewhere.

Pragmatist

Missed this thread. I wasn't aware that we could do that. Thank you, I just ordered a Yubikey, this will certainly help with my peace of mind.
