Vanguard Security Keys

Topic Author
mptfan
Posts: 7201
Joined: Mon Mar 05, 2007 8:58 am

Vanguard Security Keys

Post by mptfan »

Vanguard has the option of enabling security keys for accessing your account online. This is what their website says about the security key option...

How do security keys work?

When you register a security key to access your Vanguard accounts, we'll require you to enter your user name and password and then insert a security key into the USB port of your computer. Once Vanguard recognizes the key, you'll have access to your accounts.

When you register for this service, your key will become your primary method of identifying yourself (along with your user name and password) when you log on to vanguard.com from a computer. It will replace security codes, a service that sends you a one-time code to enter when you log on. You'll need to register for both security codes and security keys, however. That's because keys and codes go hand in hand—if you lose your key or don't have it, we'll need to send you a code in order for you to log on. In addition, you'll always need a code to access your accounts from a mobile device.

https://personal.vanguard.com/us/U2FKey ... t#/welcome

Here is my question, they say if you lose your key or don't have it, they will send you a code in order for you to log on, so if I am already set up for the security code option, does having a security key really make my account more secure? I mean if every time my security key is not available they send me a security code, how is that more secure than not having a security key and just having the security code option enabled? Doesn't this phrase "if you lose your key or don't have it, we'll need to send you a code in order for you to log on" make this sentence incorrect... "When you register a security key to access your Vanguard accounts, we'll require you to enter your user name and password and then insert a security key in the USB port of your computer."? It's not really required is it?
Last edited by mptfan on Sun Dec 10, 2017 1:04 pm, edited 1 time in total.
Rob5TCP
Posts: 3811
Joined: Tue Jun 05, 2007 7:34 pm
Location: New York, NY

Re: Vanguard Security Keys

Post by Rob5TCP »

I have the Yubico key and think the same way. I am hoping that at some point there will not be an easy way to replace it (I bought two keys just in case). For right now the key is just a bit easier than a cellphone verification. I am hoping long term that will change.

I do use the Yubico at other sites as well.
2015
Posts: 2906
Joined: Mon Feb 10, 2014 1:32 pm

Re: Vanguard Security Keys

Post by 2015 »

No, the key is not "required". When I first got my Yubikey and was still learning not to use it while the laptop is on anything but a flat surface :oops: I actually had to have VG send a text during a log on. OTOH, shortly thereafter I learned to use it only when the device is flat and now only use the Yubikey to log on.

I also have great peace of mind knowing my dedicated email account for financials is accessible only via Yubikey, Google Authenticator, and printed passcodes. No phone number is associated with the account in order to thwart social engineering.
Topic Author
mptfan
Posts: 7201
Joined: Mon Mar 05, 2007 8:58 am

Re: Vanguard Security Keys

Post by mptfan »

So is my conclusion correct... a security key does not provide additional security over using security codes?
happenstance
Posts: 305
Joined: Sun Jul 26, 2015 11:24 am
Location: NYC

Re: Vanguard Security Keys

Post by happenstance »

mptfan wrote: Sun Dec 10, 2017 1:03 pm So is my conclusion correct... a security key does not provide additional security over using security codes?
They both provide strong account security. The security key is technically better, though, because it cannot be phished. With security codes, a bad actor could trick you into entering the six digits into a convincingly fake website. With a security key, the token generated by the key is cryptographically tied to the website that is requesting it, which makes it invulnerable to phishing and spoofing. Both options are good, though I also think the key is easier and more convenient to use. I do use the codes sometimes if my keychain is in a different room.
TravelGeek
Posts: 4902
Joined: Sat Oct 25, 2014 3:23 pm

Re: Vanguard Security Keys

Post by TravelGeek »

There was a lot of discussion of this topic in this thread recently:

viewtopic.php?f=10&t=205031&start=100
2015
Posts: 2906
Joined: Mon Feb 10, 2014 1:32 pm

Re: Vanguard Security Keys

Post by 2015 »

happenstance wrote: Sun Dec 10, 2017 3:44 pm
mptfan wrote: Sun Dec 10, 2017 1:03 pm So is my conclusion correct... a security key does not provide additional security over using security codes?
They both provide strong account security. The security key is technically better, though, because it cannot be phished. With security codes, a bad actor could trick you into entering the six digits into a convincingly fake website. With a security key, the token generated by the key is cryptographically tied to the website that is requesting it, which makes it invulnerable to phishing and spoofing...
This. The conclusion from a Google study:
Security Keys protect users against password reuse, phishing, and man-in-the-middle attacks by binding cryptographic assertions to website origin and properties of the TLS connection.
I never log in to my VG account now without using the Yubikey.
Topic Author
mptfan
Posts: 7201
Joined: Mon Mar 05, 2007 8:58 am

Re: Vanguard Security Keys

Post by mptfan »

happenstance wrote: Sun Dec 10, 2017 3:44 pm They both provide strong account security. The security key is technically better, though, because it cannot be phished. With security codes, a bad actor could trick you into entering the six digits into a convincingly fake website. With a security key, the token generated by the key is cryptographically tied to the website that is requesting it, which makes it invulnerable to phishing and spoofing.
I get it, from a technical standpoint, a security key is more secure than receiving security codes. But that misses my point, because the security key is not required by Vanguard for the reasons I explained above because if the security key is not available, Vanguard defaults to sending security codes. So, if you think it through, having a security key is no more secure than having security codes set up since it is optional.
Last edited by mptfan on Mon Dec 11, 2017 9:48 am, edited 1 time in total.
happenstance
Posts: 305
Joined: Sun Jul 26, 2015 11:24 am
Location: NYC

Re: Vanguard Security Keys

Post by happenstance »

mptfan wrote: Mon Dec 11, 2017 8:34 am
happenstance wrote: Sun Dec 10, 2017 3:44 pm They both provide strong account security. The security key is technically better, though, because it cannot be phished. With security codes, a bad actor could trick you into entering the six digits into a convincingly fake website. With a security key, the token generated by the key is cryptographically tied to the website that is requesting it, which makes it invulnerable to phishing and spoofing.
I get it, from a technical standpoint, a security key is more secure than receiving security codes. But that misses my point, because the security key is not required by Vanguard for the reasons I explained above because if the security key is not available, Vanguard defaults to sending security codes. So, if you think it through, having a security key is no more secure than having security codes set up since it is optional.
The fact that Vanguard doesn't exclusively require the security key doesn't materially change the threat model, because you are making the choice between using security codes and security key. An attacker cannot influence that decision, except by trying to phish the security codes. If you made a personal rule to only log in with security keys (and only using the codes as an emergency backup), then security keys are still in practice more secure.
Topic Author
mptfan
Posts: 7201
Joined: Mon Mar 05, 2007 8:58 am

Re: Vanguard Security Keys

Post by mptfan »

happenstance wrote: Mon Dec 11, 2017 9:05 am
mptfan wrote: Mon Dec 11, 2017 8:34 am
happenstance wrote: Sun Dec 10, 2017 3:44 pm They both provide strong account security. The security key is technically better, though, because it cannot be phished. With security codes, a bad actor could trick you into entering the six digits into a convincingly fake website. With a security key, the token generated by the key is cryptographically tied to the website that is requesting it, which makes it invulnerable to phishing and spoofing.
I get it, from a technical standpoint, a security key is more secure than receiving security codes. But that misses my point, because the security key is not required by Vanguard for the reasons I explained above because if the security key is not available, Vanguard defaults to sending security codes. So, if you think it through, having a security key is no more secure than having security codes set up since it is optional.
The fact that Vanguard doesn't exclusively require the security key doesn't materially change the threat model, because you are making the choice between using security codes and security key. An attacker cannot influence that decision, except by trying to phish the security codes. If you made a personal rule to only log in with security keys (and only using the codes as an emergency backup), then security keys are still in practice more secure.
That doesn't make sense to me. Vanguard does not require the security key, exclusively or otherwise, to access my account, it is purely optional. So if an attacker was able to phish or otherwise hack the security codes, the hacker could potentially then access my account without having the security key, and the fact that I choose to set up the security key option would be irrelevant and provide no greater protection as compared to if I had not set up the security key option.

Consider this analogy, if I managed an apartment building and I set up both a security code and a physical key to access the front door and get into the building, but in practice I allowed people to get in by entering the security code by itself without using the physical key. In that situation, although it's technically true that I offer two "security options," it is not true that having both a security code option and a key option makes the building more secure than just having the security code without a key because the key is optional... anyone can access the building by using the security code without the key.
happenstance
Posts: 305
Joined: Sun Jul 26, 2015 11:24 am
Location: NYC

Re: Vanguard Security Keys

Post by happenstance »

mptfan wrote: Mon Dec 11, 2017 9:38 am
happenstance wrote: Mon Dec 11, 2017 9:05 am
mptfan wrote: Mon Dec 11, 2017 8:34 am
happenstance wrote: Sun Dec 10, 2017 3:44 pm They both provide strong account security. The security key is technically better, though, because it cannot be phished. With security codes, a bad actor could trick you into entering the six digits into a convincingly fake website. With a security key, the token generated by the key is cryptographically tied to the website that is requesting it, which makes it invulnerable to phishing and spoofing.
I get it, from a technical standpoint, a security key is more secure than receiving security codes. But that misses my point, because the security key is not required by Vanguard for the reasons I explained above because if the security key is not available, Vanguard defaults to sending security codes. So, if you think it through, having a security key is no more secure than having security codes set up since it is optional.
The fact that Vanguard doesn't exclusively require the security key doesn't materially change the threat model, because you are making the choice between using security codes and security key. An attacker cannot influence that decision, except by trying to phish the security codes. If you made a personal rule to only log in with security keys (and only using the codes as an emergency backup), then security keys are still in practice more secure.
That doesn't make sense to me. Vanguard does not require the security key, exclusively or otherwise, to access my account, it is purely optional. So if an attacker was able to phish or otherwise hack the security codes, the hacker could potentially then access my account without having the security key, and the fact that I choose to set up the security key option would be irrelevant and provide no greater protection as compared to if I had not set up the security key option.
Just enabling security keys isn't enough, you need to change your behavior as well. If your personal rule is that you always log in with your security key, then if an attacker tries to phish security codes, that is a signal to you that something is not right, because you always expect to use the key. But if you choose to enable the security key and then use it optionally, using security codes interchangeably with it, then the key is not adding additional security. That is where the additional defense is: the tool (security key) is invulnerable to phishing, but you need to modify your behavior for it to be effective.

And if you need to use a security code as an emergency backup when you've lost your security key, that is also a signal to you that you should be extra vigilant about where you're entering your credentials (i.e. make sure you really are on vanguard.com), because you know that you are more susceptible to phishing without your key.
MrJones
Posts: 773
Joined: Sat Mar 18, 2017 2:23 am

Re: Vanguard Security Keys

Post by MrJones »

happenstance wrote: Mon Dec 11, 2017 10:33 am Just enabling security keys isn't enough, you need to change your behavior as well. If your personal rule is that you always log in with your security key, then if an attacker tries to phish security codes, that is a signal to you that something is not right, because you always expect to use the key. But if you choose to enable the security key and then use it optionally, using security codes interchangeably with it, then the key is not adding additional security. That is where the additional defense is: the tool (security key) is invulnerable to phishing, but you need to modify your behavior for it to be effective.
I think this is still missing the OP's point. It's not the OP's behavior that's under question, but the attacker's. The attacker can easily use code sent to a phone instead of the Yubi, because Vanguard allows this. OP is asking what's the point of changing OP's behavior when it doesn't make it any tougher for the attacker?
Topic Author
mptfan
Posts: 7201
Joined: Mon Mar 05, 2007 8:58 am

Re: Vanguard Security Keys

Post by mptfan »

MrJones wrote: Mon Dec 11, 2017 10:51 am I think this is still missing the OP's point. It's not the OP's behavior that's under question, but the attacker's. The attacker can easily use code sent to a phone instead of the Yubi, because Vanguard allows this. OP is asking what's the point of changing OP's behavior when it doesn't make it any tougher for the attacker?
Exactly.

People who use the Yubikey may feel like they are more secure from hacking than someone who does not use the Yubikey and uses security codes, but in reality they are not.
Topic Author
mptfan
Posts: 7201
Joined: Mon Mar 05, 2007 8:58 am

Re: Vanguard Security Keys

Post by mptfan »

happenstance wrote: Mon Dec 11, 2017 10:33 am And if you need to use a security code as an emergency backup when you've lost your security key, that is also a signal to you that you should be extra vigilant about where you're entering your credentials (i.e. make sure you really are on vanguard.com), because you know that you are more susceptible to phishing without your key.
That doesn't make sense to me either. I am always vigilant about where I enter my credentials, and I don't see how using a security key would have any impact on that at all. Also, you used the phrase "emergency backup" and Vanguard does not say that, they say you can use security codes "if you lose your key or don't have it," no emergency required.
Last edited by mptfan on Mon Dec 11, 2017 11:18 am, edited 1 time in total.
happenstance
Posts: 305
Joined: Sun Jul 26, 2015 11:24 am
Location: NYC

Re: Vanguard Security Keys

Post by happenstance »

MrJones wrote: Mon Dec 11, 2017 10:51 am
happenstance wrote: Mon Dec 11, 2017 10:33 am Just enabling security keys isn't enough, you need to change your behavior as well. If your personal rule is that you always log in with your security key, then if an attacker tries to phish security codes, that is a signal to you that something is not right, because you always expect to use the key. But if you choose to enable the security key and then use it optionally, using security codes interchangeably with it, then the key is not adding additional security. That is where the additional defense is: the tool (security key) is invulnerable to phishing, but you need to modify your behavior for it to be effective.
I think this is still missing the OP's point. It's not the OP's behavior that's under question, but the attacker's. The attacker can easily use code sent to a phone instead of the Yubi, because Vanguard allows this. OP is asking what's the point of changing OP's behavior when it doesn't make it any tougher for the attacker?
What is your attack scenario? Security threats do not exist in a vacuum, nor do attackers pop out of thin air. When you say the attacker "can easily use code sent to a phone," how are they getting those codes? It's most likely going to be through phishing. But if your behavior is to always expect and use your security key, you are defending against that phishing threat.

There is a less-likely threat that you lose control over your phone number, but that only gets the attacker the second-factor. They would still need to compromise your credentials, which would mean that it's a targeted attack and extremely unlikely to happen to most people.

The real threat is phishing, and security keys when used properly are stronger than security codes.
Topic Author
mptfan
Posts: 7201
Joined: Mon Mar 05, 2007 8:58 am

Re: Vanguard Security Keys

Post by mptfan »

happenstance wrote: Mon Dec 11, 2017 11:17 am What is your attack scenario? Security threats do not exist in a vacuum, nor do attackers pop out of thin air. When you say the attacker "can easily use code sent to a phone," how are they getting those codes? It's most likely going to be through phishing. But if your behavior is to always expect and use your security key, you are defending against that phishing threat.
Can you explain how this is true? Maybe I am missing something, but I don't understand how using a security key reduces the threat of phishing.
TravelGeek
Posts: 4902
Joined: Sat Oct 25, 2014 3:23 pm

Re: Vanguard Security Keys

Post by TravelGeek »

There are different attack vectors. The Yubikey addresses some, but not all.

If enabling Yubikey would turn off SMS codes, how would people use the mobile apps?
2015
Posts: 2906
Joined: Mon Feb 10, 2014 1:32 pm

Re: Vanguard Security Keys

Post by 2015 »

mptfan wrote: Mon Dec 11, 2017 11:20 am
happenstance wrote: Mon Dec 11, 2017 11:17 am What is your attack scenario? Security threats do not exist in a vacuum, nor do attackers pop out of thin air. When you say the attacker "can easily use code sent to a phone," how are they getting those codes? It's most likely going to be through phishing. But if your behavior is to always expect and use your security key, you are defending against that phishing threat.
Can you explain how this is true? Maybe I am missing something, but I don't understand how using a security key reduces the threat of phishing.
Because phishing attacks typically use some pretext to convince you to reveal your credentials directly or to visit a fake login page that prompts you to do the same.

See this:

https://www.yubico.com/2017/06/eliminat ... -phishing/
SMS is another commonly used 2FA option, but it is susceptible to both man-in-the-middle and phishing attacks (which we saw in the recent SS7 protocol SMS hack). This is validated by the National Institute of Standards and Technology (NIST), which no longer recommends SMS for 2FA, as highlighted in section 5.1.3.2 in the latest draft of its Digital Authentication Guidelines.

Other websites use push notification-based applications as a second step in the login process. However, much like SMS, push apps do not typically prevent phishing or man-in-the-middle attacks. These can even mislead the freshly phished user into believing that they accessed a legitimate site because they receive the confirmation push message at the same instant that the attacker attempts to log in using their credentials. Most websites also limit the overall effectiveness of 2FA by keeping SMS and/or One-Time Password (OTP) enabled for usability and account recovery...

So why is social login with U2F and hardware security keys better? Even if an attacker has a user’s password, the attacker won’t be able to access the account. U2F is based on public-key cryptography: when a YubiKey is registered with a U2F service like Google or Facebook, it creates a unique asymmetric key pair with each website. The private key resides on the YubiKey, and the public key on the service.

Think of it as a handshake. When the YubiKey is touched, the public and private keys instantly confirm they are the correct pair, and only that registered YubiKey will allow access. There is no need to re-register the YubiKey. U2F even protects privacy because it was designed to be anonymous, which means no personal data or secrets are shared among service providers, making it impossible to track a user across multiple web sites. That’s it – using the same YubiKey, users get simple and highly secure access to an unlimited number of websites.
2015
Posts: 2906
Joined: Mon Feb 10, 2014 1:32 pm

Re: Vanguard Security Keys

Post by 2015 »

mptfan wrote: Mon Dec 11, 2017 11:05 am
MrJones wrote: Mon Dec 11, 2017 10:51 am I think this is still missing the OP's point. It's not the OP's behavior that's under question, but the attacker's. The attacker can easily use code sent to a phone instead of the Yubi, because Vanguard allows this. OP is asking what's the point of changing OP's behavior when it doesn't make it any tougher for the attacker?
Exactly.

People who use the Yubikey may feel like they are more secure from hacking than someone who does not use the Yubikey and uses security codes, but in reality they are not.
With the greatest of respect, your generalization lacks grounding in reality. It's a dangerous generalization because it may lead others away from the increased security to be gained by using a security key. See my above posts related to the advantages of security key use.
happenstance
Posts: 305
Joined: Sun Jul 26, 2015 11:24 am
Location: NYC

Re: Vanguard Security Keys

Post by happenstance »

mptfan wrote: Mon Dec 11, 2017 11:14 am
happenstance wrote: Mon Dec 11, 2017 10:33 am And if you need to use a security code as an emergency backup when you've lost your security key, that is also a signal to you that you should be extra vigilant about where you're entering your credentials (i.e. make sure you really are on vanguard.com), because you know that you are more susceptible to phishing without your key.
That doesn't make sense to me either. I am always vigilant about where I enter my credentials, and I don't see how using a security key would have any impact on that at all. Also, you used the phrase "emergency backup" and Vanguard does not say that, they say you can use security codes "if you lose your key or don't have it," no emergency required.
Good, you should always be vigilant. But the point is to reduce risk of compromise, and using cryptographic integrity rather than human verification is an advantage of using the security key. Your signature says you eat risk for breakfast though, so do what you feel is more secure.

Vanguard's advice is weak. The security key can and should be, for all intents and purposes, your sole second factor. The security codes should just be used for emergency backup. Again, the security is a function of your behavior.
mptfan wrote: Mon Dec 11, 2017 11:20 am
happenstance wrote: Mon Dec 11, 2017 11:17 am What is your attack scenario? Security threats do not exist in a vacuum, nor do attackers pop out of thin air. When you say the attacker "can easily use code sent to a phone," how are they getting those codes? It's most likely going to be through phishing. But if your behavior is to always expect and use your security key, you are defending against that phishing threat.
Can you explain how this is true? Maybe I am missing something, but I don't understand how using a security key reduces the threat of phishing.
The token that is generated on the security key is cryptographically tied to the website that requested the token. That means a token generated on a phishing site could not be used on the real website because the domain/origin that requested it doesn't match the one validating it. 2015 already posted a link with a more thorough explanation from Yubico.
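happenstance's description of the token being tied to the requesting site (here and earlier in the thread) and the Yubico excerpt quoted by 2015 both describe the same mechanism: U2F origin binding. The Go model below is an added example, not code from the original thread, from Vanguard or from Yubico; the two origins are constructed stand-ins and the signed message layout is a simplified version of what a real U2F key signs. It shows why a signature produced for a look-alike page fails at the real site, which is exactly the property a six-digit code lacks, since a code carries nothing that names the site it was typed into.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

const RealOrigin = "https://vanguard.example"      // constructed stand-in for the real site
const FakeOrigin = "https://vanguard-login.example" // constructed look-alike phishing origin

// Authenticator models a U2F security key: one private key per registered origin.
type Authenticator map[string]*ecdsa.PrivateKey

// Register mints a fresh key pair bound to origin; only the public half leaves the key.
func (a Authenticator) Register(origin string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[origin] = priv
	return &priv.PublicKey, nil
}

// signedBytes is what the key signs: hash(origin || 0 || challenge). The browser,
// not the page, supplies the origin, so a look-alike page cannot lie about it.
func signedBytes(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator so origin and challenge cannot blend together
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign answers a challenge for origin, or refuses if the key was never registered there.
func (a Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	priv, ok := a[origin]
	if !ok {
		return nil, errors.New("no key registered for " + origin)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedBytes(origin, challenge))
}

// Site models the relying party's server, holding the public key from registration.
type Site struct {
	Origin  string
	pub     *ecdsa.PublicKey
	pending []byte // challenge issued for the login attempt in progress
}

// Challenge issues a fresh random nonce for one login attempt.
func (s *Site) Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.pending = c
	return c
}

// Verify accepts a signature only if it answers the pending challenge and checks out
// over the site's OWN origin: nothing the page claimed about its origin is trusted.
func (s *Site) Verify(challenge, sig []byte) bool {
	if s.pending == nil || string(challenge) != string(s.pending) {
		return false
	}
	s.pending = nil // a challenge is single use
	return ecdsa.VerifyASN1(s.pub, signedBytes(s.Origin, challenge), sig)
}

// GenuineLogin: the user really is on the site, so the browser reports RealOrigin.
func GenuineLogin() bool {
	key, site := Authenticator{}, &Site{Origin: RealOrigin}
	site.pub, _ = key.Register(RealOrigin)
	chal := site.Challenge()
	sig, _ := key.Sign(RealOrigin, chal)
	return site.Verify(chal, sig)
}

// PhishedLogin: a look-alike page relays the real site's challenge to the victim's
// browser, which reports FakeOrigin. Stage 1: the key refuses, having no registration
// for that origin. Stage 2: even after the look-alike gets itself registered, the
// signature covers FakeOrigin, so the real site rejects the relayed signature.
func PhishedLogin() (keyRefused, siteRejected bool) {
	key, site := Authenticator{}, &Site{Origin: RealOrigin}
	site.pub, _ = key.Register(RealOrigin)
	chal := site.Challenge()
	_, err := key.Sign(FakeOrigin, chal)
	keyRefused = err != nil
	key.Register(FakeOrigin) // stage 2
	sig, _ := key.Sign(FakeOrigin, chal)
	siteRejected = !site.Verify(chal, sig)
	return keyRefused, siteRejected
}
```

The model also makes mptfan's objection concrete: the origin check protects only the key path, so a server that additionally accepts a relayed code is only as strong as that code path for whoever reaches it.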
Topic Author
mptfan
Posts: 7201
Joined: Mon Mar 05, 2007 8:58 am

Re: Vanguard Security Keys

Post by mptfan »

2015 wrote: Mon Dec 11, 2017 12:06 pm
mptfan wrote: Mon Dec 11, 2017 11:05 am
MrJones wrote: Mon Dec 11, 2017 10:51 am I think this is still missing the OP's point. It's not the OP's behavior that's under question, but the attacker's. The attacker can easily use code sent to a phone instead of the Yubi, because Vanguard allows this. OP is asking what's the point of changing OP's behavior when it doesn't make it any tougher for the attacker?
Exactly.

People who use the Yubikey may feel like they are more secure from hacking than someone who does not use the Yubikey and uses security codes, but in reality they are not.
With the greatest of respect, your generalization lacks grounding in reality. It's a dangerous generalization because it may lead others away from the increased security to be gained by using a security key. See my above posts related to the advantages of security key use.
With the greatest of respect, we are talking past each other and you don't understand what I am saying. I agree that using a Yubikey is more secure than using security codes, from a technical standpoint, because it eliminates the risk of phishing of security codes. You do not have to try and convince me of that. Really, you don't. I get it.

Here is what I am saying... Vanguard does not require the security key to access your account. So it doesn't matter if you set it up, and it doesn't matter if you use it every time you log on, because it is optional, and that means someone else can pretend to be you and pretend that they lost the key or do not have the key, and then Vanguard (per their own website description) will send a security key that can be intercepted or phished by the person pretending to be you and they will be able to log on to your account without the security key. That is what I am saying. So, as long as the security key is optional, and not required, your account is not more secure than someone who uses security codes without the security key. Do you follow that?
Last edited by mptfan on Mon Dec 11, 2017 2:05 pm, edited 1 time in total.
Topic Author
mptfan
Posts: 7201
Joined: Mon Mar 05, 2007 8:58 am

Re: Vanguard Security Keys

Post by mptfan »

happenstance wrote: Mon Dec 11, 2017 12:47 pm The token that is generated on the security key is cryptographically tied to the website that requested the token. That means a token generated on a phishing site could not be used on the real website because the domain/origin that requested it doesn't match the one validating it. 2015 already posted a link with a more thorough explanation from Yubico.
You do not have to convince me that a security key is more secure from a technical standpoint, because I agree. The problem is, Vanguard does not require it, it is purely optional. And when you put the word "optional" in front of the phrase "more secure", the effectiveness of that higher security is greatly reduced or eliminated.
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Vanguard Security Keys

Post by Epsilon Delta »

The sooner more people adopt security keys the more likely it is that Vanguard will change their rules and deprecate using security codes. If security codes are purely a backup recovery mechanism Vanguard could do something like insert mandatory delays, as they do when you reset your forgotten password over the phone.
Another possibility is the theoretical vulnerabilities in security codes become an actual problem (e.g. they notice a significant number of attacks or someone releases an exploit) and Vanguard unilaterally shuts down use of the codes. In which case people using keys won't notice but people relying on the codes may be inconvenienced.
2015
Posts: 2906
Joined: Mon Feb 10, 2014 1:32 pm

Re: Vanguard Security Keys

Post by 2015 »

mptfan wrote: Mon Dec 11, 2017 1:57 pm
2015 wrote: Mon Dec 11, 2017 12:06 pm
mptfan wrote: Mon Dec 11, 2017 11:05 am
MrJones wrote: Mon Dec 11, 2017 10:51 am
Here is what I am saying... Vanguard does not require the security key to access your account. So it doesn't matter if you set it up, and it doesn't matter if you use it every time you log on, because it is optional, and that means someone else can pretend to be you and pretend that they lost the key or do not have the key, and then Vanguard (per their own website description) will send a security key that can be intercepted or phished by the person pretending to be you and they will be able to log on to your account without the security key. That is what I am saying. So, as long as the security key is optional, and not required, your account is not more secure than someone who uses security codes without the security key. Do you follow that?
If you are stating that VG's present setup is less than ideal, you are far from alone in that assertion. IDR the exact recent thread (and I'm too lazy to look it up) but there was a discussion on the forum complaining of this very issue with VG's 2FA setup and the SMS backup option. OTOH, I agree with happenstance when he states the following above:
What is your attack scenario? Security threats do not exist in a vacuum, nor do attackers pop out of thin air. When you say the attacker "can easily use code sent to a phone," how are they getting those codes? It's most likely going to be through phishing. But if your behavior is to always expect and use your security key, you are defending against that phishing threat.
I believe the disconnect lies in the concern over a hacker bypassing the security key via VG's SMS backup option versus a direct phishing attack on you the individual (e.g., being redirected to a fake site while you yourself use SMS 2FA) which happenstance is referencing and which you using a Yubikey as 2FA would prevent. The Google study substantiated that the latter is much more likely to occur.
Last edited by 2015 on Mon Dec 11, 2017 3:46 pm, edited 1 time in total.
Topic Author
mptfan
Posts: 7201
Joined: Mon Mar 05, 2007 8:58 am

Re: Vanguard Security Keys

Post by mptfan »

2015 wrote: Mon Dec 11, 2017 3:42 pm If you are stating that VG's present setup is less than ideal, you are far from alone in that assertion.
So do you agree with my assertion that based on Vanguard's present setup, the security key option is not more secure than using security codes?
2015
Posts: 2906
Joined: Mon Feb 10, 2014 1:32 pm

Re: Vanguard Security Keys

Post by 2015 »

mptfan wrote: Mon Dec 11, 2017 3:46 pm
2015 wrote: Mon Dec 11, 2017 3:42 pm If you are stating that VG's present setup is less than ideal, you are far from alone in that assertion.
So do you agree with my assertion that based on Vanguard's present setup, the security key option is not more secure than using security codes?
No. See the last paragraph of my most recent post just above yours. I do agree that you, me and a lot of people would like to see VG discontinue use of SMS as backup 2FA.
2015
Posts: 2906
Joined: Mon Feb 10, 2014 1:32 pm

Re: Vanguard Security Keys

Post by 2015 »

2015 wrote: Mon Dec 11, 2017 3:50 pm
mptfan wrote: Mon Dec 11, 2017 3:46 pm
2015 wrote: Mon Dec 11, 2017 3:42 pm If you are stating that VG's present setup is less than ideal, you are far from alone in that assertion.
So do you agree with my assertion that based on Vanguard's present setup, the security key option is not more secure than using security codes?
No. See the last paragraph of my most recent post just above yours. I do agree that you, me and a lot of people would like to see VG discontinue use of SMS as backup 2FA. Personally, I would like it if they gave the individual a choice, like Google does. For example, one could decline SMS 2FA backup and choose an option such as Google Authenticator or perhaps one-time printed codes.
Topic Author
mptfan
Posts: 7201
Joined: Mon Mar 05, 2007 8:58 am

Re: Vanguard Security Keys

Post by mptfan »

2015 wrote: Mon Dec 11, 2017 3:50 pm
mptfan wrote: Mon Dec 11, 2017 3:46 pm
2015 wrote: Mon Dec 11, 2017 3:42 pm If you are stating that VG's present setup is less than ideal, you are far from alone in that assertion.
So do you agree with my assertion that based on Vanguard's present setup, the security key option is not more secure than using security codes?
No. See the last paragraph of my most recent post just above yours. I do agree that you, me and a lot of people would like to see VG discontinue use of SMS as backup 2FA.
Ok, so I am trying to understand. You are saying that by using a security key like Yubikey, it eliminates the risk of being redirected to a fake Vanguard site that may look real because the security key would prevent that attempted phishing from being successful because it would not allow me to log on to the fake (but real looking) Vanguard site? If I used the security key to log on every time, and Vanguard sent me a security code, that would alert me that it was not the real Vanguard site because otherwise the security key would have allowed me to log on without a security code? Whereas if I did not use a security key, it is possible I could be fooled into logging on to a fake site and being tricked into entering my security code?
Northern Flicker
Posts: 15289
Joined: Fri Apr 10, 2015 12:29 am

Re: Vanguard Security Keys

Post by Northern Flicker »

mptfan wrote: Sun Dec 10, 2017 1:03 pm So is my conclusion correct... a security key does not provide additional security over using security codes?
It actually makes the authentication a little less secure by creating a new point of attack (yubikey protocol) without closing an existing point of attack (text code), but you are correct.

Either way it is more secure than not having 2-factor authentication given the weakness of the underlying authentication protocol.

If Vanguard uses a protocol involving the yubikey to generate a session key for the session, it could be done in a manner that prevents man-in-the-middle attacks, an improvement over text codes followed by using SSL encryption to transmit a random session key to the client, as a trojan horse web site can have its own SSL certificate authority and potentially trick the web browser. I don't know which method Vanguard uses.
Tarkus
Posts: 188
Joined: Sun Aug 25, 2013 9:43 pm

Re: Vanguard Security Keys

Post by Tarkus »

As I understand it, here is the threat that exists from Vanguard's current system of sending backup codes via SMS:

Imagine I am a malicious person and I have somehow obtained the password to your Vanguard account. Maybe you use the same password at a different site (yahoo) and it was compromised. It's immaterial how I obtained the password, but I did. Being the malicious individual I am, I want to steal your money. Once I have your password, I would then try and obtain your cellphone number. Often this is quite easy, and in the public domain. Once I have figured out the cellphone number, it is very simple to snoop on your SMS messages by exploiting vulnerabilities in the SMS system itself. You don't even need any technical skills to do this -- there are services you can buy that will do this for you!

I can now log into Vanguard using your stolen password. I will force a fallback to getting security codes by SMS, which I can now intercept. Your 2FA is defeated.

What you do next is a new problem -- Good luck adding a Chinese or Russian bank account to your Vanguard account without raising suspicion.
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard Security Keys

Post by tadamsmar »

Tarkus wrote: Mon Dec 11, 2017 4:45 pm As I understand it, here is the threat that exists from Vanguard's current system of sending backup codes via SMS:

Imagine I am a malicious person and I have somehow obtained the password to your Vanguard account. Maybe you use the same password at a different site (yahoo) and it was compromised. It's immaterial how I obtained the password, but I did. Being the malicious individual I am, I want to steal your money. Once I have your password, I would then try and obtain your cellphone number. Often this is quite easy, and in the public domain. Once I have figured out the cellphone number, it is very simple to snoop on your SMS messages by exploiting vulnerabilities in the SMS system itself. You don't even need any technical skills to do this -- there are services you can buy that will do this for you!

I can now log into Vanguard using your stolen password. I will force a fallback to getting security codes by SMS, which I can now intercept. Your 2FA is defeated.

What you do next is a new problem -- Good luck adding a Chinese or Russian bank account to your Vanguard account without raising suspicion.
Hack, pump, and dump is an option, I guess. Looks like Vanguard and some other brokerages were hit with attacks back in 2007:

http://www.washingtonpost.com/wp-dyn/co ... 02240.html

More recently:

https://www.reuters.com/article/us-cybe ... SKBN15U09I

The pump and dump can be completed in a short period, I think.

Vanguard does have an anti-fraud guarantee:

https://personal.vanguard.com/us/help/S ... ontent.jsp

Seems to me that using Vanguard's various security measures would help beef up your claim to reimbursement even if they don't work. Just tell the judge "Vanguard pushed SMS 2FA even though NIST had trashed it!"

Better than no 2FA and qwerty as your password and honest security question answers.
Northern Flicker
Posts: 15289
Joined: Fri Apr 10, 2015 12:29 am

Re: Vanguard Security Keys

Post by Northern Flicker »

If someone gains access to your account online or over the phone, even if they try to drain the account and fail, they still easily may execute things with substantial tax consequences requiring a painful process to get things straightened out.
ulrichw
Posts: 109
Joined: Sat Feb 02, 2013 11:17 pm

Re: Vanguard Security Keys

Post by ulrichw »

Tarkus wrote: Mon Dec 11, 2017 4:45 pm As I understand it, here is the threat that exists from Vanguard's current system of sending backup codes via SMS:

Imagine I am a malicious person and I have somehow obtained the password to your Vanguard account. Maybe you use the same password at a different site (yahoo) and it was compromised. It's immaterial how I obtained the password, but I did. Being the malicious individual I am, I want to steal your money. Once I have your password, I would then try and obtain your cellphone number. Often this is quite easy, and in the public domain. Once I have figured out the cellphone number, it is very simple to snoop on your SMS messages by exploiting vulnerabilities in the SMS system itself. You don't even need any technical skills to do this -- there are services you can buy that will do this for you!

I can now log into Vanguard using your stolen password. I will force a fallback to getting security codes by SMS, which I can now intercept. Your 2FA is defeated.

What you do next is a new problem -- Good luck adding a Chinese or Russian bank account to your Vanguard account without raising suspicion.
This is not the "canonical" phishing attack (and I don't think your attack is as easy to execute as you imply). Here's the "canonical" attack:
1. Set up a site at, for example, vangaurd.com which looks like the real vanguard site. (You could also put a link to a fake site in an email, or use any of the many other phishing vectors that are available)
2. Prompt user for password
3. User enters password
4. Site takes user-entered password and enters it to the real vanguard site
5. Vanguard site prompts phishing site for security code
6. Site prompts user for security code
7. User enters security code in phishing site
8. Phishing site forwards security code to real vanguard site

Using this scheme, a phisher gains access to the user's account without having had to break into any of the user's accounts and without having to compromise any of the user's devices.

What's under the user's control is step #7. If a user has a policy of never entering a security code, the chain breaks at this step.

The physical key uses cryptography in a way that prevents a phisher from being able to create a fake site that forwards the user information this way.

So basically supporting the key does provide extra security (by preventing this attack), but only if the user also has a policy of always using the key to log in.
Topic Author
mptfan
Posts: 7201
Joined: Mon Mar 05, 2007 8:58 am

Re: Vanguard Security Keys

Post by mptfan »

ulrichw wrote: Mon Dec 11, 2017 7:43 pm So basically supporting the key does provide extra security (by preventing this attack), but only if the user also has a policy of always using the key to log in.
So if I have a policy of always using the key to log in to the real Vanguard site I will not receive any security codes as part of that process because the security key already verifies who I am and that I am logging on to the real site, so, if I am trying to log in to the site that I think is real and I do get a security code during the log in process, that is a warning to me that I am not on the real Vanguard site?
2015
Posts: 2906
Joined: Mon Feb 10, 2014 1:32 pm

Re: Vanguard Security Keys

Post by 2015 »

mptfan wrote: Tue Dec 12, 2017 9:15 am
ulrichw wrote: Mon Dec 11, 2017 7:43 pm So basically supporting the key does provide extra security (by preventing this attack), but only if the user also has a policy of always using the key to log in.
So if I have a policy of always using the key to log in to the real Vanguard site I will not receive any security codes as part of that process because the security key already verifies who I am and that I am logging on to the real site, so, if I am trying to log in to the site that I think is real and I do get a security code during the log in process, that is a warning to me that I am not on the real Vanguard site?
How do you think you are going to get a SMS text code during the log in process if you didn't request one? If you are using a security key to log in to your VG account you obviously will not receive an SMS text because you did not request one.

See this from Google:

https://security.googleblog.com/2014/10 ... -with.html
2-Step Verification offers a strong extra layer of protection for Google Accounts. Once enabled, you’re asked for a verification code from your phone in addition to your password, to prove that it’s really you signing in from an unfamiliar device. Hackers usually work from afar, so this second factor makes it much harder for a hacker who has your password to access your account, since they don’t have your phone.

Today we’re adding even stronger protection for particularly security-sensitive individuals. Security Key is a physical USB second factor that only works after verifying the login site is truly a Google website, not a fake site pretending to be Google. Rather than typing a code, just insert Security Key into your computer’s USB port and tap it when prompted in Chrome. When you sign into your Google Account using Chrome and Security Key, you can be sure that the cryptographic signature cannot be phished.
Topic Author
mptfan
Posts: 7201
Joined: Mon Mar 05, 2007 8:58 am

Re: Vanguard Security Keys

Post by mptfan »

2015 wrote: Tue Dec 12, 2017 11:28 am How do you think you are going to get a SMS text code during the log in process if you didn't request one?
Because Vanguard has a security setting option that will automatically send a security code everytime you log on.
2015
Posts: 2906
Joined: Mon Feb 10, 2014 1:32 pm

Re: Vanguard Security Keys

Post by 2015 »

I am never sent an SMS text when using the security key to log in. Only once, when I was initially learning not to use the key with the device on anything but a flat surface, I had to resort to SMS text as backup. Since then, I've always used the key and never request or receive an SMS code.
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Vanguard Security Keys

Post by Epsilon Delta »

2015 wrote: Tue Dec 12, 2017 3:14 pm I am never sent an SMS text when using the security key to log in. Only once, when I was initially learning not to use the key with the device on anything but a flat surface, I had to resort to SMS text as backup. Since then, I've always used the key and never request or receive an SMS code.
If you try to login without the key does it ask for the key, or does it send an SMS, or allow you to request an SMS from the login screen?
FinancialDave
Posts: 1819
Joined: Thu May 26, 2011 9:36 pm

Re: Vanguard Security Keys

Post by FinancialDave »

I personally think the better method is the hard token method, which can be used with mobile or computer options and the only way to bypass the token is call up the broker and get them to turn off the token on their end after verifying your identity. Still not 100% fool proof but better and EASIER!

Dave
I love simulated data. It turns the impossible into the possible!
limeyx
Posts: 308
Joined: Wed Sep 07, 2016 5:34 pm

Re: Vanguard Security Keys

Post by limeyx »

mptfan wrote: Sun Dec 10, 2017 1:03 pm So is my conclusion correct... a security key does not provide additional security over using security codes?
Yes, this is the case and totally dumb

Usually when you register a key you get a set of backup codes to save/print at home but I don't see that I have any for Vanguard

These are 1-time (and you get a bunch) and you can then use this to register a new key etc.

Since I can bypass the key, It's all moot.

I complained to Vanguard and got a form letter back so probably no action here
Northern Flicker
Posts: 15289
Joined: Fri Apr 10, 2015 12:29 am

Re: Vanguard Security Keys

Post by Northern Flicker »

This is not the "canonical" phishing attack (and I don't think your attack is as easy to execute as you imply). Here's the "canonical" attack:
1. Set up a site at, for example, vangaurd.com which looks like the real vanguard site. (You could also put a link to a fake site in an email, or use any of the many other phishing vectors that are available)
2. Prompt user for password
3. User enters password
4. Site takes user-entered password and enters it to the real vanguard site
5. Vanguard site prompts phishing site for security code
6. Site prompts user for security code
7. User enters security code in phishing site
8. Phishing site forwards security code to real vanguard site

Using this scheme, a phisher gains access to the user's account without having had to break into any of the user's accounts and without having to compromise any of the user's devices.

What's under the user's control is step #7. If a user has a policy of never entering a security code, the chain breaks at this step.

The physical key uses cryptography in a way that prevents a phisher from being able to create a fake site that forwards the user information this way.
Whatever the yubikey sends back can be happily forwarded by the rogue site in the middle on to Vanguard just like an SMS text code would be.

Defeating the man-in-the-middle attack is more difficult and requires that the session encryption is end-to-end between the Vanguard server and the client using the yubikey so that the session encryption key is generated by a protocol seeded by the initial sync of the yubikey with vanguard when the yubikey is first configured. Is it known that Vanguard has implemented it in such a manner?

Otherwise, if SSL encryption is used to communicate session keys the rogue site in the middle can try to use its own certificate authority to trick the browser into thinking it has Vanguard's public key when it has a key from the rogue site. If the rogue site can decrypt and re-encrypt traffic in both directions, the session is compromised.
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Vanguard Security Keys

Post by Epsilon Delta »

jalbert wrote: Tue Dec 12, 2017 7:24 pm
Whatever the yubikey sends back can be happily forwarded by the rogue site in the middle on to Vanguard just like an SMS text code would be.
If this is done properly using the yubikey is end to end. For example the yubikey should be used to sign the name of the website the browser is talking to. Vanguard should check these signatures so it will know that the browser is talking to vangaurd.com and not vanguard.com. The same thing can be done to verify the certificate the browser is using is a real Vanguard certificate. This allows a secure session key to be exchanged that the mitm can't know. Once a secure key is exchanged all the mitm can do is forward or not forward encrypted traffic. It cannot read the traffic and it cannot alter it.
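The exchange the thread is circling, as an added example that is not code from the original posts or from Vanguard: a U2F-style second factor in which the key signs the origin the browser is actually connected to together with a one-time challenge, so that the relay in ulrichw's eight-step attack (steps 4 through 8 above) fails at the server even though the phishing site forwards every byte unchanged, which is the origin check Epsilon Delta describes in this post. The same program models the two things that still let an attacker in: a relayed SMS code, which carries no origin, and the "I don't have my key" fallback that mptfan's objection turns on. The origin names, the 6-digit code, and the Policy type are constructed for illustration; the signature scheme is ECDSA P-256 from the Go standard library, which is what U2F actually uses, but the message layout is simplified.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed origins for the example; "vangaurd.com" is the look-alike
// from the post above, not a real site we assert anything about.
const (
	RealOrigin  = "https://vanguard.com"
	PhishOrigin = "https://vangaurd.com"
)

// Authenticator models the USB key. The private key never leaves it;
// the relying party keeps only the public key.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// Credential is what the relying party stores at registration: the public
// key bound to the origin the key was registered from.
type Credential struct {
	Origin string
	Pub    *ecdsa.PublicKey
}

func (a *Authenticator) Register(origin string) Credential {
	return Credential{Origin: origin, Pub: &a.priv.PublicKey}
}

// signedData is the message the key signs: the origin the browser is really
// connected to plus the server's one-time challenge. The user never types
// the origin; the browser supplies it, so a look-alike site cannot lie here.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}

// Sign is invoked by the browser on whatever site the user is actually on.
func (a *Authenticator) Sign(browserOrigin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(browserOrigin, challenge))
}

// Verify is the relying-party check. It hashes its OWN registered origin,
// not anything the client claims, so a signature over vangaurd.com never verifies.
func Verify(c Credential, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(c.Pub, signedData(c.Origin, challenge), sig)
}

func newChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	_, err := rand.Read(ch)
	return ch, err
}

// KeyLogin runs one login with the browser connected to browserOrigin. When
// that is not the real origin, a phishing proxy sits in the middle relaying
// the challenge and the signature unchanged; relaying is exactly what fails.
func KeyLogin(c Credential, key *Authenticator, browserOrigin string) (bool, error) {
	ch, err := newChallenge() // server issues the challenge (relayed to the browser)
	if err != nil {
		return false, err
	}
	sig, err := key.Sign(browserOrigin, ch) // key signs over the real browser origin
	if err != nil {
		return false, err
	}
	return Verify(c, ch, sig), nil // server verifies against its own origin
}

// SMSCodeLogin is the same relay against a one-time code: the code carries no
// origin, so whatever the user types into the fake site verifies on the real one.
func SMSCodeLogin(codeSentToPhone, codeUserTyped string) bool {
	return codeSentToPhone == codeUserTyped
}

// Policy is the (assumed) server-side rule for accounts with a key registered.
type Policy struct{ AllowSMSFallback bool }

// FallbackLogin: an attacker holding the password says "I don't have my key".
// If fallback is allowed and the SMS can be read, the key is never consulted.
func FallbackLogin(p Policy, attackerReadsSMS bool) bool {
	return p.AllowSMSFallback && attackerReadsSMS
}

func main() {
	key, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	cred := key.Register(RealOrigin)
	direct, _ := KeyLogin(cred, key, RealOrigin)
	phished, _ := KeyLogin(cred, key, PhishOrigin)
	fmt.Println("key on real site:          ", direct)
	fmt.Println("key relayed via fake site: ", phished)
	fmt.Println("SMS code relayed:          ", SMSCodeLogin("482913", "482913"))
	fmt.Println("fallback allowed, SMS read:", FallbackLogin(Policy{AllowSMSFallback: true}, true))
	fmt.Println("fallback disabled:         ", FallbackLogin(Policy{AllowSMSFallback: false}, true))
}
```

The first two results are the whole argument about phishing resistance: the proxy can forward the signature but cannot make it verify for an origin it does not control. The last two are the thread's other point: once the server lets a "lost key" request fall back to SMS, the key's origin binding is not part of the path the attacker takes, so the account is only as strong as that fallback unless the policy turns it off.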
2015
Posts: 2906
Joined: Mon Feb 10, 2014 1:32 pm

Re: Vanguard Security Keys

Post by 2015 »

Epsilon Delta wrote: Tue Dec 12, 2017 3:56 pm
2015 wrote: Tue Dec 12, 2017 3:14 pm I am never sent an SMS text when using the security key to log in. Only once, when I was initially learning not to use the key with the device on anything but a flat surface, I had to resort to SMS text as backup. Since then, I've always used the key and never request or receive an SMS code.
If you try to login without the key does it ask for the key, or does it send an SMS, or allow you to request an SMS from the login screen?
Yes, it asks for the key because that is the default 2FA I have set up. I had to manually request the SMS text the one time I did ask for it after having set up the key as default 2FA. It was something like "use another method" or some such. IIRC, Google does the same thing with their backup methods. I do recall you have to manually request an alternative to the key after you've set the key up as your main 2FA tool.
Northern Flicker
Posts: 15289
Joined: Fri Apr 10, 2015 12:29 am

Re: Vanguard Security Keys

Post by Northern Flicker »

Epsilon Delta wrote: Tue Dec 12, 2017 7:54 pm If this is done properly using the yubikey is end to end. For example the yubikey should be used to sign the name of the website the browser is talking to. Vanguard should check these signatures so it will know that the browser is talking to vangaurd.com and not vanguard.com. The same thing can be done to verify the certificate the browser is using is a real Vanguard certificate. This allows a secure session key to be exchanged that the mitm can't know. Once a secure key is exchanged all the mitm can do is forward or not forward encrypted traffic. It cannot read the traffic and it cannot alter it.
There is no need for SSL certificates. The simplest thing is for the initial sync of the yubikey to establish a reliable public-private key pair with public key for the yubikey user to be stored at Vanguard site. This can be used to do challenge-based authentication and to communicate a session key reliably.

But the question is: what does the Vanguard implementation do?
TomatoTomahto
Posts: 17104
Joined: Mon Apr 11, 2011 1:48 pm

Re: Vanguard Security Keys

Post by TomatoTomahto »

Epsilon Delta wrote: Tue Dec 12, 2017 3:56 pm
2015 wrote: Tue Dec 12, 2017 3:14 pm I am never sent an SMS text when using the security key to log in. Only once, when I was initially learning not to use the key with the device on anything but a flat surface, I had to resort to SMS text as backup. Since then, I've always used the key and never request or receive an SMS code.
If you try to login without the key does it ask for the key, or does it send an SMS, or allow you to request an SMS from the login screen?
I log in from Firefox using a password, and an SMS key is automatically sent.
I log in from Chrome using my password & Yubikey, and never get an SMS key.
I guess I should start logging in ONLY from Chrome and call Vanguard if I ever get an SMS key.

The mobile app asks for a password and key if I do anything other than vanilla read-type stuff (e.g., check a balance). I guess I should not do transactions using the mobile app.

I feel better now. :D
I get the FI part but not the RE part of FIRE.
2015
Posts: 2906
Joined: Mon Feb 10, 2014 1:32 pm

Re: Vanguard Security Keys

Post by 2015 »

TomatoTomahto wrote: Wed Dec 13, 2017 6:20 am
Epsilon Delta wrote: Tue Dec 12, 2017 3:56 pm
2015 wrote: Tue Dec 12, 2017 3:14 pm I am never sent an SMS text when using the security key to log in. Only once, when I was initially learning not to use the key with the device on anything but a flat surface, I had to resort to SMS text as backup. Since then, I've always used the key and never request or receive an SMS code.
If you try to login without the key does it ask for the key, or does it send an SMS, or allow you to request an SMS from the login screen?
I log in from Firefox using a password, and an SMS key is automatically sent.
I log in from Chrome using my password & Yubikey, and never get an SMS key.
I guess I should start logging in ONLY from Chrome and call Vanguard if I ever get an SMS key.

The mobile app asks for a password and key if I do anything other than vanilla read-type stuff (e.g., check a balance). I guess I should not do transactions using the mobile app.

I feel better now. :D
Yes, I would stick with Chrome for financial accounts. I log in to all financial and other important accounts (e.g., Taxact) only from Comodo Dragon using Avast's Safe Zone within its Banking Mode. Banking Mode acts as a computer within a computer when accessed. Thus, Banking Mode for me acts as its own dedicated laptop for accessing financial transactions. The Dragon browser is Chromium (Chrome) based and I started using it about 10 years ago after reading it's less well-known and hence less a target for browser attacks than IE.

As to Avast's Banking Mode, as the entire browsing session vanishes after closing out of it, my computer is never recognized by any financial site as each time I enter Banking Mode it's an entirely new session as if accessing the site for the first time. I also wipe clean the Banking History before ending the Safe Zone/Banking Mode session so there's no record of financial accounts on my computer.

I never access financial accounts of any kind from my phone. Some people are comfortable with doing that. I'm not.
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Vanguard Security Keys

Post by Epsilon Delta »

jalbert wrote: Wed Dec 13, 2017 1:13 am
There is no need for SSL certificates. The simplest thing is for the initial sync of the yubikey to establish a reliable public-private key pair with public key for the yubikey user to be stored at Vanguard site. This can be used to do challenge-based authentication and to communicate a session key reliably.

But the question is: what does the Vanguard implementation do?
The Yubikey is your private key. Vanguard has your public key so they can verify it is talking to you. Now you need a way for you to verify that the other end is Vanguard, but your public key is public so anybody could have it. To identify Vanguard you need Vanguard's public key. That's where the certificate comes in, a certificate contains a public key. Ideally you use a pinned certificate, one that has been verified from a signature sent through another channel, such as Vanguard's letter head or engraved in stone in their lobby :wink: .

What Vanguard (or any counterparty) does is always in question. They could always publish the complete list of passwords and then where would we be (some security failures have been darn close to that bad).
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Vanguard Security Keys

Post by Epsilon Delta »

TomatoTomahto wrote: Wed Dec 13, 2017 6:20 am
I log in from Firefox using a password, and an SMS key is automatically sent.
I log in from Chrome using my password & Yubikey, and never get an SMS key.
I guess I should start logging in ONLY from Chrome and call Vanguard if I ever get an SMS key.

The mobile app asks for a password and key if I do anything other than vanilla read-type stuff (e.g., check a balance). I guess I should not do transactions using the mobile app.

I feel better now. :D
You shouldn't. It's not what you have to do that provides security, it's what attackers have to do. Eve is free to use Firefox or a mobile app when doing a man in the middle attack. If she's intercepting your SMS messages she's in. This is certainly more secure than just a password, but it's less secure than requiring a Yubikey.

Yes if you get an SMS key you should tell Vanguard, that makes it a little tougher on Eve since she would have to intercept the SMS message rather than just reading it in passing.
TomatoTomahto
Posts: 17104
Joined: Mon Apr 11, 2011 1:48 pm

Re: Vanguard Security Keys

Post by TomatoTomahto »

^ well, I think I’ve met the standard of “doing everything a reasonable person can do.” When there is an option to disable SMS, I will take the option.
I get the FI part but not the RE part of FIRE.
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Vanguard Security Keys

Post by Epsilon Delta »

TomatoTomahto wrote: Wed Dec 13, 2017 3:01 pm ^ well, I think I’ve met the standard of “doing everything a reasonable person can do.” When there is an option to disable SMS, I will take the option.
I agree. It's not a problem you can do anything about now, it's probably not a big problem and if it becomes a big problem Vanguard will have to deal with it. It's even possible that Vanguard already deals with it. They could for example take note of how people log in, flag changes, and give those transactions particular scrutiny looking for things like pump and dump.

In my limited experience searching the logs and looking for weird stuff that was actually occurring was at least as important as trying to harden against theoretical attacks. Although dealing with theoretical attacks was more fun since it involved more math and less human frailty.
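The server-side check Epsilon Delta sketches in this post ("take note of how people log in, flag changes"), as an added example that is not code from the original posts or from Vanguard: a detector that learns which accounts habitually authenticate with a key and flags any later session on such an account that came in through SMS fallback, including every action in that session. The log lines, field names and user names are constructed for the example; the rule is the simplest one that matches the thread's concern and is not a claim about what Vanguard actually runs.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample login events, not real logs. Fields: time, user,
// second-factor method, action. "alice" normally uses her key; "bob" has
// only ever used SMS, so SMS is his baseline and is not flagged.
var SampleLog = []string{
	"2017-12-11T09:02:11Z user=alice method=key action=login",
	"2017-12-12T10:15:40Z user=alice method=key action=login",
	"2017-12-13T03:41:05Z user=alice method=sms action=login",
	"2017-12-13T03:44:20Z user=alice method=sms action=add_bank_account",
	"2017-12-13T08:00:00Z user=bob method=sms action=login",
	"2017-12-13T08:05:00Z user=bob method=sms action=trade",
}

// Event is one parsed log line.
type Event struct {
	Time, User, Method, Action string
}

// ParseEvent reads the space-separated "key=value" layout used above.
// The first token is the timestamp; malformed lines are reported as !ok.
func ParseEvent(line string) (Event, bool) {
	fields := strings.Fields(line)
	if len(fields) < 4 {
		return Event{}, false
	}
	ev := Event{Time: fields[0]}
	for _, f := range fields[1:] {
		k, v, found := strings.Cut(f, "=")
		if !found {
			return Event{}, false
		}
		switch k {
		case "user":
			ev.User = v
		case "method":
			ev.Method = v
		case "action":
			ev.Action = v
		}
	}
	if ev.User == "" || ev.Method == "" || ev.Action == "" {
		return Event{}, false
	}
	return ev, true
}

// FlagFallbackSessions returns, in log order, every event where an account
// that has previously authenticated with a security key is now acting under
// an SMS-fallback login. The key-user set is built from the same stream, so
// the rule only fires once a baseline of key use exists for that account.
func FlagFallbackSessions(lines []string) []Event {
	usesKey := map[string]bool{}
	var flagged []Event
	for _, line := range lines {
		ev, ok := ParseEvent(line)
		if !ok {
			continue // skip unparseable lines rather than abort the scan
		}
		if ev.Method == "key" {
			usesKey[ev.User] = true
		}
		if ev.Method == "sms" && usesKey[ev.User] {
			flagged = append(flagged, ev)
		}
	}
	return flagged
}

func main() {
	for _, ev := range FlagFallbackSessions(SampleLog) {
		fmt.Printf("REVIEW %s user=%s action=%s (key user on SMS fallback)\n",
			ev.Time, ev.User, ev.Action)
	}
}
```

On the sample above this flags alice's 03:41 login and the bank-account change that follows it, and nothing for bob. The baseline is what makes the rule useful: an SMS login is not suspicious in itself, only an SMS login on an account whose owner has shown they hold a key, which is precisely the path an attacker who "lost the key" would take.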