Vanguard Security Keys

Discuss all general (i.e. non-personal) investing questions and issues, investing news, and theory.
User avatar
TomatoTomahto
Posts: 7539
Joined: Mon Apr 11, 2011 1:48 pm

Re: Vanguard Security Keys

Post by TomatoTomahto » Wed Dec 13, 2017 4:35 pm

EpsilonDelta wrote:. . . They could for example take note of how people log in, flag changes, and give those transactions particular scrutiny looking for things like pump and dump.
To pump and dump, I think someone would have to convert my MF-only account to a brokerage account. That might be an unanticipated security feature :D

jalbert
Posts: 3585
Joined: Fri Apr 10, 2015 12:29 am

Re: Vanguard Security Keys

Post by jalbert » Wed Dec 13, 2017 6:18 pm

Epsilon Delta wrote:
Wed Dec 13, 2017 3:03 pm
jalbert wrote:
Wed Dec 13, 2017 2:13 am

There is no need for SSL certificates. The simplest thing is for the initial sync of the yubikey to establish a reliable public-private key pair with public key for the yubikey user to be stored at Vanguard site. This can be used to do challenge-based authentication and to communicate a session key reliably.

But the question is: what does the Vanguard implementation do?
The Yubikey is your private key. Vanguard has your public key so they can verify it is talking to you. Now you need a way for you to verify that the other end is Vanguard, but your public key is public so anybody could have it. To identify Vanguard you need Vanguards public key. That's where the certificate comes in, a certificate contains a public key. Ideally you use a pinned certificate, one that has beed verified from a signature sent through another channel, such as Vanguard's letter head or engraved in stone in their lobby :wink: .

What Vanguard (or any counterparty) does is always in question. They could alway publish the complete list of passwords and then where would we be (some security failures have been darn close to that bad).
Yes, SSL would be used for the session which is true for anyone authenticating at a site, but it is not needed for the 2nd factor authentication or session key handshake with the yubikey.

Yes, you need to know you have Vanguard’s public key to be sure you are talking to Vanguard, but Vanguard signing a certificate containing Vanguard’s public key to certify the authenticity of the certificate is circular. The certificate is sending you Vanguard’s public key. It will be signed by a certificate authority (which could be Vanguard if Vanguard runs its own certificate authority). Signing of that certicate by Vanguard means you can verify it if you already possess Vanguard’s public key, which is what the certificate is trying to provide to you.

The yubiikey could address this by securely obtaining Vanguard’s public key securely a priori, which would require a resync any time the vendor’s public key changed, or by generating a separate public/private key pair for each vendor you sync with. Each “public” key is then private with the vendor.

Browsers check the authenticity of certificates by looking at the source of their distribution. You sometimes get a message that the authenticity is in question and it is unsafe to proceed. But you can only fully defeat man-in-the-middle attacks if you have an initial secure key exchange of some kind.
Index fund investor since 1987.

User avatar
tadamsmar
Posts: 7753
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard Security Keys

Post by tadamsmar » Fri Dec 15, 2017 7:20 am

TomatoTomahto wrote:
Wed Dec 13, 2017 4:35 pm
EpsilonDelta wrote:. . . They could for example take note of how people log in, flag changes, and give those transactions particular scrutiny looking for things like pump and dump.
To pump and dump, I think someone would have to convert my MF-only account to a brokerage account. That might be an unanticipated security feature :D
:thumbsup

I have been wondering that for years. I guess it depends on the process for turning an MF-only account into an brokerage account, how easy it is for the real account owner to detect that process in a timely fashion.

User avatar
TomatoTomahto
Posts: 7539
Joined: Mon Apr 11, 2011 1:48 pm

Re: Vanguard Security Keys

Post by TomatoTomahto » Fri Dec 15, 2017 7:33 am

tadamsmar wrote:
Fri Dec 15, 2017 7:20 am
TomatoTomahto wrote:
Wed Dec 13, 2017 4:35 pm
EpsilonDelta wrote:. . . They could for example take note of how people log in, flag changes, and give those transactions particular scrutiny looking for things like pump and dump.
To pump and dump, I think someone would have to convert my MF-only account to a brokerage account. That might be an unanticipated security feature :D
:thumbsup

I have been wondering that for years. I guess it depends on the process for turning an MF-only account into an brokerage account, how easy it is for the real account owner to detect that process in a timely fashion.
Assuming that I would still be getting emails or texts about changes to my account (i.e., that those weren’t intercepted), I think I’d notice the MM that (iirc) is required with the brokerage account. I don’t have one now. I might be the one OCD guy who opens every Vanguard email, not necessarily to read every word, but just to make sure that I know what triggered it.

TIAX
Posts: 1134
Joined: Sat Jan 11, 2014 12:19 pm

Re: Vanguard Security Keys

Post by TIAX » Fri Mar 02, 2018 11:52 pm

Google Chrome Feature Pokes Security Hole in YubiKey Product
Owners of the YubiKey Neo beware. A Chrome feature Google introduced last year has the unintended consequence of being able to bypass one of the security key's protections.

Post Reply