New Vanguard Security Code Requirement [2FA: Two-factor authentication]

retire57
Posts: 376
Joined: Fri Oct 28, 2016 3:03 pm

New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by retire57 » Sat Feb 24, 2018 7:17 pm

[Title was "Two- Factor Authentication at Vanguard - Update". Several threads are merged into here.
Use this thread to discuss Vanguard's implementation of two-factor authentication. --admin LadyGeek]


Am not currently using the 2FA. Should probably start. So ... does the code get sent from VG every single time you want to log in? I download all my transactions and balances every day in Quicken and dread the inconvenience of going through the text message process every day. Of course, I dread the inconvenience of being wiped out more.

Thanks for the advice!
Last edited by retire57 on Thu Mar 01, 2018 12:13 pm, edited 1 time in total.

rustymutt
Posts: 3731
Joined: Sat Mar 07, 2009 12:03 pm
Location: Oklahoma

Re: Two- Factor Authentication at Vanguard

Post by rustymutt » Sat Feb 24, 2018 7:31 pm

Hey, just do it. You know you'll sleep better at nights. :sharebeer
I'm amazed at the wealth of Knowledge others gather, and share over a lifetime of learning. The mind is truly unique. It's nice when we use it!

David Jay
Posts: 5597
Joined: Mon Mar 30, 2015 5:54 am
Location: Michigan

Re: Two- Factor Authentication at Vanguard

Post by David Jay » Sat Feb 24, 2018 7:31 pm

You can choose 2FA every time you log in or only when you log in from a new device.

I chose the “new device” only. It must leave a tracking cookie or something. First time I logged in from my home desktop (Win10) it sent a code to my phone. Then when I first logged in from my tablet (iPad). After the first instance, no 2FA.

[edit] At the time, it seemed like a middle path between irresponsibility and paranoia.
Last edited by David Jay on Sat Feb 24, 2018 7:47 pm, edited 1 time in total.
Prediction is very difficult, especially about the future - Niels Bohr | To get the "risk premium", you really do have to take the risk - nisiprius

02nz
Posts: 481
Joined: Wed Feb 21, 2018 3:17 pm

Re: Two- Factor Authentication at Vanguard

Post by 02nz » Sat Feb 24, 2018 7:32 pm

With Personal Capital entering the security code once was enough and I haven't needed a code for subsequent refreshes, but with Mint I get prompted each time, and the data for my Vanguard account is not refreshed until I enter the code. Since Mint and Quicken are both owned by Intuit, I suspect they use the same technology, so you may have to get and enter a new security code every time.

rustymutt
Posts: 3731
Joined: Sat Mar 07, 2009 12:03 pm
Location: Oklahoma

Re: Two- Factor Authentication at Vanguard

Post by rustymutt » Sat Feb 24, 2018 7:39 pm

David Jay wrote:
Sat Feb 24, 2018 7:31 pm
You can choose 2FA every time you log in or only when you log in from a new device.

I chose the “new device” only. It must leave a tracking cookie or something. First time I logged in from my home desktop (Win10) it sent a code to my phone. Then when I first logged in from my tablet (iPad). After the first instance, no 2FA.

Good to know this. Thanks.
I'm amazed at the wealth of Knowledge others gather, and share over a lifetime of learning. The mind is truly unique. It's nice when we use it!

sketchy9
Posts: 167
Joined: Mon Oct 25, 2010 2:10 pm

Re: Two- Factor Authentication at Vanguard

Post by sketchy9 » Sat Feb 24, 2018 10:03 pm

retire57 wrote:
Sat Feb 24, 2018 7:17 pm
Am not currently using the 2FA. Should probably start. So ... does the code get sent from VG every single time you want to log in? I download all my transactions and balances every day in Quicken and dread the inconvenience of going through the text message process every day. Of course, I dread the inconvenience of being wiped out more.

Thanks for the advice!
Download via Quicken doesn't require 2FA, only when you log in to the website.

montanagirl
Posts: 965
Joined: Thu Nov 19, 2009 4:55 pm
Location: Montana

Re: Two- Factor Authentication at Vanguard

Post by montanagirl » Sun Feb 25, 2018 10:46 am

I went to 2 factor, then dropped my phone at a restaurant the night before that last RBD.... :(

blaugranamd
Posts: 557
Joined: Wed Apr 11, 2012 1:57 pm
Location: D-lux apt in the sky

Re: Two- Factor Authentication at Vanguard

Post by blaugranamd » Sun Feb 25, 2018 1:21 pm

I had a lot of issues getting USAA to pull account info using the Yubikey 2FA. The SMS version works just fine though.
-- Don't mistake more funds for more diversity: Total Int'l + Total Market = 7k to 10k stocks -- | -- Market return does NOT = average nor 50th percentile, rather 80-90th percentile long term ---

retire57
Posts: 376
Joined: Fri Oct 28, 2016 3:03 pm

Re: Two- Factor Authentication at Vanguard

Post by retire57 » Sun Feb 25, 2018 4:47 pm

Thanks all! I did enroll in 2 FA - stipulating the safeguard is only for 'unknown' devices. We'll see how it works with Quicken.

wrongfunds
Posts: 1796
Joined: Tue Dec 21, 2010 3:55 pm

Re: Two- Factor Authentication at Vanguard

Post by wrongfunds » Mon Feb 26, 2018 12:44 pm

I thought Vanguard did NOT allow smartphone-based 2FA. Do they now have a phone-based 2FA application similar to Fidelity?

Raladic
Posts: 196
Joined: Fri Jan 03, 2014 4:56 pm

Re: Two- Factor Authentication at Vanguard

Post by Raladic » Mon Feb 26, 2018 3:54 pm

I use Fidelity, not Vanguard and use their 2-factor auth, which is a proper application (Symantec VIP) generating the keys.

If Vanguard only offers SMS-based, then do be warned that that is only marginally better than password alone. Many security researchers have come to that conclusion a good while ago, here's an article from 2016 - https://www.wired.com/2016/06/hey-stop- ... ntication/ or http://fortune.com/2016/07/26/nist-sms-two-factor/ and official publication from the National Institute of Standards and Technology - https://pages.nist.gov/800-63-3/sp800-63b.html

Phineas J. Whoopee
Posts: 7470
Joined: Sun Dec 18, 2011 6:18 pm

Re: Two- Factor Authentication at Vanguard

Post by Phineas J. Whoopee » Mon Feb 26, 2018 4:56 pm

wrongfunds wrote:
Mon Feb 26, 2018 12:44 pm
I thought Vanguard did NOT allow smartphone-based 2FA. Do they now have a phone-based 2FA application similar to Fidelity?
Instead of using an app they send a text message. One could receive it on a device other than a smartphone.

PJW

retire57
Posts: 376
Joined: Fri Oct 28, 2016 3:03 pm

Re: Two- Factor Authentication at Vanguard

Post by retire57 » Thu Mar 01, 2018 12:13 pm

Just an update with some, perhaps, helpful info. Today was the first day I had transactions to download to Quicken from Vanguard since enrolling in the 2-factor authentication. The transactions would not update in Quicken.

Next I logged onto my Vanguard account on my PC and tried the update again and ... it worked.

Good to know!

ribonucleic
Posts: 74
Joined: Mon Feb 13, 2017 6:07 pm

Re: Two- Factor Authentication at Vanguard - Update

Post by ribonucleic » Thu Mar 01, 2018 12:58 pm

It's worth using. Just remember that it's not a panacea.
In most cases, the problem isn’t two-factor itself, but everything around it. If you can break through anything next to that two-factor login — whether it’s the account-recovery process, trusted devices, or the underlying carrier account — then you’re home free.

Two-factor’s trickiest weak point? Wireless carriers. If you can compromise the AT&T, Verizon, or T-Mobile account that supports a person’s phone number, you can usually hijack any call or text that’s sent to them. For mobile apps like Signal, which are tied entirely to a given phone number, it can be enough to hijack the entire account. At the same time, carriers have been among the slowest to adopt two-factor, with most preferring easily bypassed PINs or even flimsier security questions. With two networks controlling the bulk of the market, there’s been little incentive to compete on security.
https://www.theverge.com/2017/7/10/1594 ... urity-mess

pokebowl
Posts: 203
Joined: Sat Dec 17, 2016 7:22 pm
Location: The Orion Spur of the Milky Way galaxy.

Re: Two- Factor Authentication at Vanguard - Update

Post by pokebowl » Sun Mar 04, 2018 8:00 pm

I am not personally a fan of Vanguard's 2FA offerings. It's understandably designed for availability over security (take note those studying for infosec certs), which means it's designed with the assumption that its users will lose access and offers multiple workarounds. Even if you use the Yubikey option, it still allows account recovery via alternate means, which nullifies such a device. Not to mention Vanguard doesn't really offer the most robust password options.

Through Vanguard's own help guides and warning screens I can safely conclude they recognize 'authorized' devices via browser user-agent strings as well as both browser and local cookie storage (OS ident). Thus if I really wanted to step up my 2FA and protect my account assets, I personally would create a custom system image using a unique/non-common OS and browser combo and save it off as either a CD or virtual image. Then I would change Vanguard's computer access restrictions to "Restrict unrecognized computers, browsers, or mobile devices from accessing my accounts." which according to Vanguard can only be bypassed by an authorized device (the system image created) and no other means, which means if you lost access you would have to go through their customer service. Every time I wanted to access Vanguard however, I would need to either boot from that CD and or load up that VM.

It still offers one workaround (customer service), however is much more secure than their Yubikey option if only by lowering the number of available options for account recovery.

Sounds complicated, but really only takes an extra 30 seconds of work, for example I've been browsing the internet and discussion forums such as these through isolated VMs for years... One of the reasons I seldom have excessive security programs on my host machines. :beer

Anyway, that's how I'd approach Vanguard's access options given their current offerings.
There is nothing more expensive than something offered for free.

wrongfunds
Posts: 1796
Joined: Tue Dec 21, 2010 3:55 pm

Re: Two- Factor Authentication at Vanguard - Update

Post by wrongfunds » Mon Mar 05, 2018 2:01 pm

It still offers one workaround (customer service),
In the end, doesn't it depend upon how strict and how thorough the customer service is in preventing the social engineering hacks? Do they ask the questions which only an Equifax hacker would have answers to? :-)

Seriously, once you reach customer service, most financial institutions seem to be quite eager to bail out the customer who claims to have lost the device or forgot the password.

Phineas J. Whoopee
Posts: 7470
Joined: Sun Dec 18, 2011 6:18 pm

Re: Two- Factor Authentication at Vanguard - Update

Post by Phineas J. Whoopee » Mon Mar 05, 2018 4:09 pm

wrongfunds wrote:
Mon Mar 05, 2018 2:01 pm
...
Seriously, once you reach customer service, most financial institutions seem to be quite eager to bail out the customer who claims to have lost the device or forgot the password.
Hi. Customer service? I'm afraid I won't be able to steal any assets without knowing my mother's maiden name [how sexist is that?]. Can you please tell me what it is?

Sure. It's Antidisestablishmentarianism, followed by the digit four.

Then that's it then.

Where would you like us to send the stolen money?

If what I wrote was a ridiculous parody security would be better.

PJW

gmaynardkrebs
Posts: 886
Joined: Sun Feb 10, 2008 11:48 am

Re: Two- Factor Authentication at Vanguard - Update

Post by gmaynardkrebs » Mon Mar 05, 2018 5:17 pm

They warn it might screw up Yodlee.

NYCwriter
Posts: 182
Joined: Thu Sep 17, 2015 12:46 am

Re: Two- Factor Authentication at Vanguard - Update

Post by NYCwriter » Mon Mar 05, 2018 8:30 pm

I'm already using 2F for a lot of things. I haven't set it up for VG yet but expect to do so soon, even if the boost in security is marginal.

I have been a bit worried about VG security for a while, and was waiting to see what the bugs were with their 2F before activating--they aren't known for excellent web site management, from what I've seen. For those unfamiliar with 2F or without devices it may be easier to use a good pw management system and update regularly. But the 2nd step authentication is a given nowadays.

With DST coming up, one tip is to change your passwords along with the batteries in your alarms, etc. I used to do this once a year but that's not enough. 3rd party password managers are supposed to be best, but Apple has a good built-in one.

gtd98765
Posts: 96
Joined: Sun Jan 08, 2017 4:15 am

Re: Two- Factor Authentication at Vanguard - Update

Post by gtd98765 » Tue Mar 06, 2018 7:53 am

Vanguard also offers a voice verification option, whereby they record your voice on the phone to help verify it's you when you call back next time. This would probably make social engineering attacks on customer service reps less likely; it's one thing to claim to have forgotten your password, it's another to say your voice has changed. While one could always claim to have a cold, I would hope that failing the voice verification would trigger a lot more scrutiny about a caller.

oxothuk
Posts: 347
Joined: Thu Nov 10, 2011 8:35 pm

Re: Two- Factor Authentication at Vanguard - Update

Post by oxothuk » Mon Mar 26, 2018 12:40 pm

I wish they had an in-between option for when to invoke 2FA. I don't really want to go through it for every logon, but would appreciate some extra security for any time I initiate a buy/sell/transfer transaction or any time I make a change to the account.

Like others, I'd also like to see a TOTP token rather than SMS as the second factor.

bighatnohorse
Posts: 116
Joined: Thu Oct 13, 2016 4:04 pm

Re: Two- Factor Authentication at Vanguard - Update

Post by bighatnohorse » Mon Mar 26, 2018 2:19 pm

For a little slack time fun: https://howsecureismypassword.net/
It's a site (among others) that purports to test passwords.
Try this one: 4dogs2cats9birds

tractorguy
Posts: 629
Joined: Wed May 19, 2010 6:32 pm
Location: Chicago Suburb

Re: Two- Factor Authentication at Vanguard - Update

Post by tractorguy » Mon Mar 26, 2018 2:30 pm

FWIW, I've been using 2FA authorization on my Vanguard account since it was offered and Quicken desktop has no problems with it. I can't remember what I did the first time I downloaded after I set it up, I do remember that I had to do something different. Since then, it's been fine.
Lorne

caffeinefree
Posts: 28
Joined: Sat Mar 23, 2013 10:17 am

Re: Two- Factor Authentication at Vanguard - Update

Post by caffeinefree » Mon Mar 26, 2018 3:30 pm

I turned on the two-factor identification for Vanguard ...and then turned it back off a few weeks later, after getting frustrated by the fact that it required me to do the text message identification every time I logged into Mint on my phone. At some point I may turn it back on, but I wish they would make it smarter. Surely there is a way to track individual device log-ins, even if you are logging in from a phone and not a computer?

TBK16
Posts: 3
Joined: Thu May 05, 2016 7:19 pm

Re: Two- Factor Authentication at Vanguard - Update

Post by TBK16 » Mon Mar 26, 2018 7:18 pm

About a week ago, Mint stopped needing the code from Vanguard every time it refreshed the account for me.

bogglizer
Posts: 182
Joined: Tue Aug 16, 2016 8:56 pm

Re: Two- Factor Authentication at Vanguard - Update

Post by bogglizer » Mon Mar 26, 2018 8:27 pm

bighatnohorse wrote:
Mon Mar 26, 2018 2:19 pm
For a little slack time fun: https://howsecureismypassword.net/
It's a site (among others) that purports to test passwords.
Try this one: 4dogs2cats9birds
We should make a version of this that saves the attempted password with the IP address. The database will be worth a fortune.

I purchased two of those USB dinguses when FastMail had a discount coupon for them, but I still haven't tried setting it up.

Beckeresq
Posts: 7
Joined: Thu Dec 25, 2008 7:05 am

Re: Two- Factor Authentication at Vanguard - Update

Post by Beckeresq » Sun May 13, 2018 5:26 am

Both Vanguard (Outside Investments) and Fidelity offer aggregation, which is provided by Yodlee in both cases. Two-factor authentication is a new "challenge."

I strongly prefer using the Fidelity aggregation because it is more comprehensive and reliable than Vanguard's aggregation. While Fidelity is apparently working on an API (application programming interface) that will permit Vanguard to "scrape" Fidelity accounts (Fidelity Access), the "experts" at Vanguard appear to have no idea of what is happening, and have no answer to if and when Vanguard will develop the necessary "fix" so that Vanguard accounts can be aggregated by others.

Does anyone have any Information that Vanguard is addressing this problem or is even aware of it?

Poor web site service appears to be a tradition at Vanguard. See my two other posts on this site from about 10 years ago.

Gamma Ray
Posts: 445
Joined: Sun Feb 01, 2015 8:16 pm
Location: Beautiful Louisiana

Re: Two- Factor Authentication at Vanguard - Update

Post by Gamma Ray » Mon May 14, 2018 12:06 am

Phineas J. Whoopee wrote:
Mon Feb 26, 2018 4:56 pm
wrongfunds wrote:
Mon Feb 26, 2018 12:44 pm
I thought Vanguard did NOT allow smartphone-based 2FA. Do they now have a phone-based 2FA application similar to Fidelity?
Instead of using an app they send a text message. One could receive it on a device other than a smartphone.

PJW

Is vanguard even considering 2FA compatible with an authenticator app? SMS or email 2FA is useless if your computer is compromised.

For passwords, consider using LastPass and securing your LP account with a very strong/long password and 2FA using authenticator app.

pokebowl
Posts: 203
Joined: Sat Dec 17, 2016 7:22 pm
Location: The Orion Spur of the Milky Way galaxy.

Re: Two- Factor Authentication at Vanguard - Update

Post by pokebowl » Mon May 14, 2018 7:37 am

Gamma Ray wrote:
Mon May 14, 2018 12:06 am

Is vanguard even considering 2FA compatible with an authenticator app? SMS or email 2FA is useless if your computer is compromised.
Vanguard already supports hardware token based auth and U2A I believe. No reason to prioritize a TOTP authenticator app on top of that which would be technically less secure. The real crux is Vanguard in the same breath also offers various different ways of account recovery along with said token. Still 2FA is better than no 2FA.

As I mentioned above several months ago you can harden your 2FA token with the nuclear option of selecting under Vanguard security settings "Restrict unrecognized computers, browsers, or mobile devices from accessing my accounts." which would limit you to customer service should you lose access. At that point the only main weakness left is phishing, however 2FA can't fix that. :beer

Attackers go the path of least resistance and are only as smart as they need to be. 9 out of 10 times when faced with a secure system the last and easiest thing to hack is the human on the other side of the screen/phone.
There is nothing more expensive than something offered for free.

Gadget
Posts: 159
Joined: Fri Mar 17, 2017 1:38 pm

Re: Two- Factor Authentication at Vanguard - Update

Post by Gadget » Mon May 14, 2018 8:15 am

Someone said that mint and personal capital now work with Vanguard 2 factor authentication? And you don't have to enter a code every time you refresh them?

lazydavid
Posts: 1805
Joined: Wed Apr 06, 2016 1:37 pm

Re: Two- Factor Authentication at Vanguard

Post by lazydavid » Mon May 14, 2018 8:40 am

02nz wrote:
Sat Feb 24, 2018 7:32 pm
Since Mint and Quicken are both owned by Intuit, I suspect they use the same technology, so you may have to get and enter a new security code every time.
This has not been the case for a little over two years. Mint is owned by Intuit, while Quicken is owned by Quicken, Inc., a wholly-owned subsidiary of H.I.G. Capital. That said, you may be correct about them using the same 2FA solution.

masteraleph
Posts: 586
Joined: Wed Nov 04, 2009 9:45 am

Re: Two- Factor Authentication at Vanguard - Update

Post by masteraleph » Mon May 14, 2018 8:43 am

pokebowl wrote:
Mon May 14, 2018 7:37 am
Gamma Ray wrote:
Mon May 14, 2018 12:06 am

Is vanguard even considering 2FA compatible with an authenticator app? SMS or email 2FA is useless if your computer is compromised.
Vanguard already supports hardware token based auth and U2A I believe. No reason to prioritize a TOTP authenticator app on top of that which would be technically less secure. The real crux is Vanguard in the same breath also offers various different ways of account recovery along with said token. Still 2FA is better than no 2FA.
I mean, the reason to permit authenticator apps is that they're more secure than SMS and people are more likely to use them than tokens.

JBTX
Posts: 4031
Joined: Wed Jul 26, 2017 12:46 pm

Re: Two- Factor Authentication at Vanguard - Update

Post by JBTX » Mon May 14, 2018 7:36 pm

As to Quicken, I have both fidelity and vanguard, and I have 2 factor on both, and my quicken updates fine. It seems as if they have given them a backdoor (perhaps read only?) access that bypasses 2FA.

Dead Man Walking
Posts: 698
Joined: Wed Nov 07, 2007 6:51 pm

Re: Two- Factor Authentication at Vanguard - Update

Post by Dead Man Walking » Mon May 14, 2018 11:50 pm

I'm an old school internet user. My Internet Explorer and Chrome browsers delete all cookies when I close them. Consequently, when I log on to my Vanguard account, I am prompted to receive a one time code via email, text, or voice message since my computer was not recognized. I always choose to receive the code via a telephone call on my land line. It's a minor inconvenience I am willing to deal with.

DMW

Gamma Ray
Posts: 445
Joined: Sun Feb 01, 2015 8:16 pm
Location: Beautiful Louisiana

Re: Two- Factor Authentication at Vanguard - Update

Post by Gamma Ray » Tue May 15, 2018 1:03 am

pokebowl wrote:
Mon May 14, 2018 7:37 am
Gamma Ray wrote:
Mon May 14, 2018 12:06 am

Is vanguard even considering 2FA compatible with an authenticator app? SMS or email 2FA is useless if your computer is compromised.
Vanguard already supports hardware token based auth and U2A I believe. No reason to prioritize a TOTP authenticator app on top of that which would be technically less secure. The real crux is Vanguard in the same breath also offers various different ways of account recovery along with said token. Still 2FA is better than no 2FA.

As I mentioned above several months ago you can harden your 2FA token with the nuclear option of selecting under Vanguard security settings "Restrict unrecognized computers, browsers, or mobile devices from accessing my accounts." which would limit you to customer service should you lose access. At that point the only main weakness left is phishing, however 2FA can't fix that. :beer

Attackers go the path of least resistance and are only as smart as they need to be. 9 out of 10 times when faced with a secure system the last and easiest thing to hack is the human on the other side of the screen/phone.

Even with phishing, 2FA wouldn't work unless they actually remotely use your computer to access to vanguard right after you authorize the computer.
You mentioned VG already supports token based auth and U2A. I would still feel more confident in using authenticator app since the generator key cannot be replicated or reused since it's not stored anywhere. That feels a lot more secure than a keychain generating numbers somewhere or however the token based or u2A works.

Some people think fingerprint is a secure way to log in to a website, but most fingerprint software stores the passwords in unencrypted (but lightly secured) files and all the FP reader does is just type the password for you, since the websites don't authenticate your fingerprints.

For most people, who aren't doing active trading, more cumbersome but secure login is always welcome. For day-trades, anyone can use any app, and just keep vg for long term investments, in those cases it's Ok to go through few add'l steps to access your funds. We cannot always secure ourselves with so much going on, especially apps on phones, so the financial institutions must watch out for their clients. Limiting or preventing access from unrecognized devices or new location or requesting more information after 2-3 wrong password attempts are always great ways to help clients.

FlyingMoose
Posts: 387
Joined: Wed Mar 04, 2009 10:48 pm

Re: Two- Factor Authentication at Vanguard - Update

Post by FlyingMoose » Tue May 15, 2018 1:20 am

I tried to set up 2FA but I never receive the SMS in my magicJack app.

pokebowl
Posts: 203
Joined: Sat Dec 17, 2016 7:22 pm
Location: The Orion Spur of the Milky Way galaxy.

Re: Two- Factor Authentication at Vanguard - Update

Post by pokebowl » Tue May 15, 2018 5:03 am

Gamma Ray wrote:
Tue May 15, 2018 1:03 am

You mentioned VG already supports token based auth and U2A. I would still feel more confident in using authenticator app since the generator key cannot be replicated or reused since it's not stored anywhere. That feels a lot more secure than a keychain generating numbers somewhere or however the token based or u2A works.
Re-reading my initial response I meant to type Universal 2nd Factor (U2F) not U2A (Whoops). U2F is technically the solution/successor to TOTP authentication apps, the reason being the authentication applications have already been beaten. Not in theory or a white paper but in active campaigns that utilize time-of-use phishing attacks (A one-time-password is still a password, and it can be disclosed to an attacker).

In the case of U2F, the device creates a public/private key pair for each site and burns the site's identity into the "Key Handle" that the site is supposed to use to request authentication. Then, that site identity is verified by the browser each time before any authentication is attempted. The site identity can even be tied to a specific TLS public key. Since it's a challenge-response protocol, replay is not possible either. Last, if the server accidentally leaks your "Key Handle" in a breach, it still doesn't affect your security or reveal your identity.

Not saying U2F is a perfect solution, but it's a step in the right direction compared to two factor of old (SecurID, Google Authenticator, email, phone, and SMS loops).
There is nothing more expensive than something offered for free.
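
The origin binding and challenge-response behaviour described in the post above, set beside a TOTP check, as an added example that is not part of the original thread. It is a simplified model: the token keeps its keys in a map instead of wrapping them in the key handle, and the origins, secret and class names are constructed for illustration.

```javascript
// Added illustration, not code from the thread. Simplified model of what a
// server can check for a TOTP code versus a U2F-style signed assertion.
// Origins, secret and class names are constructed for the example.
const crypto = require("crypto");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// TOTP per RFC 6238 (HMAC-SHA1, 30-second time step).
function totp(secret, unixSeconds, digits = 6) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixSeconds / 30)));
  const mac = crypto.createHmac("sha1", secret).update(counter).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const value = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(value % 10 ** digits).padStart(digits, "0");
}

// The server sees only digits; nothing in them says which page collected them.
function verifyTotp(secret, code, unixSeconds) {
  const expected = Buffer.from(totp(secret, unixSeconds));
  const given = Buffer.from(String(code));
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// U2F signs: application parameter || user-presence byte || counter || challenge parameter.
function signedBytes(appParam, counter, clientData) {
  return Buffer.concat([appParam, Buffer.from([0x01]), counter, sha256(clientData)]);
}

// Token: one P-256 key pair per site, tied to the site identity at registration.
// Simplification: a real token wraps the key inside the key handle; a Map stands in here.
class Token {
  constructor() { this.keys = new Map(); this.counter = 0; }
  register(origin) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
    const keyHandle = crypto.randomBytes(16).toString("hex");
    this.keys.set(keyHandle, { privateKey, appParam: sha256(origin) });
    return { keyHandle, publicKey };
  }
  sign(origin, keyHandle, clientData) {
    const entry = this.keys.get(keyHandle);
    // Key handle was issued for a different site: refuse to sign.
    if (!entry || !entry.appParam.equals(sha256(origin))) return null;
    const counter = Buffer.alloc(4);
    counter.writeUInt32BE(++this.counter);
    const msg = signedBytes(entry.appParam, counter, clientData);
    return { counter, signature: crypto.sign("sha256", msg, entry.privateKey) };
  }
}

// Browser: writes the origin the user is actually on into the signed client data.
function browserAssert(token, pageOrigin, keyHandle, challenge) {
  const clientData = JSON.stringify({ challenge, origin: pageOrigin });
  const signed = token.sign(pageOrigin, keyHandle, clientData);
  return signed && { clientData, ...signed };
}

class RelyingParty {
  constructor(origin) { this.origin = origin; this.pending = new Set(); }
  enroll(registration) { this.registration = registration; }
  newChallenge() {
    const challenge = crypto.randomBytes(32).toString("hex");
    this.pending.add(challenge);
    return challenge;
  }
  verify(assertion) {
    if (!assertion) return "no-assertion";
    const data = JSON.parse(assertion.clientData);
    // Each challenge is accepted once, so a captured assertion cannot be replayed.
    if (!this.pending.delete(data.challenge)) return "unknown-or-replayed-challenge";
    if (data.origin !== this.origin) return "origin-mismatch";
    const msg = signedBytes(sha256(this.origin), assertion.counter, assertion.clientData);
    const ok = crypto.verify("sha256", msg, this.registration.publicKey, assertion.signature);
    return ok ? "ok" : "bad-signature";
  }
}

function demo() {
  const bank = new RelyingParty("https://bank.example");
  const lookalike = "https://bank-login.example"; // constructed look-alike origin
  const token = new Token();
  bank.enroll(token.register(bank.origin));
  const bankHandle = bank.registration.keyHandle;
  const otherHandle = token.register(lookalike).keyHandle;

  const genuine = browserAssert(token, bank.origin, bankHandle, bank.newChallenge());
  return {
    first: bank.verify(genuine),
    replayed: bank.verify(genuine), // same challenge presented twice
    wrongSite: bank.verify(browserAssert(token, lookalike, bankHandle, bank.newChallenge())),
    otherKey: bank.verify(browserAssert(token, lookalike, otherHandle, bank.newChallenge())),
  };
}

console.log(demo());
```

`verifyTotp` has no input that identifies the page where the code was typed, whereas each rejection in `demo()` comes from a check on the origin or on the one-time challenge.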

gtd98765
Posts: 96
Joined: Sun Jan 08, 2017 4:15 am

Re: Two- Factor Authentication at Vanguard - Update

Post by gtd98765 » Tue May 15, 2018 2:47 pm

pokebowl wrote:
Tue May 15, 2018 5:03 am


Re-reading my initial response I meant to type Universal 2nd Factor (U2F) not U2A (Whoops). U2F is technically the solution/successor to TOTP authentication apps, the reason being the authentication applications have already been beaten. Not in theory or a white paper but in active campaigns that utilize time-of-use phishing attacks (A one-time-password is still a password, and it can be disclosed to an attacker).

I would love to see a link to an article reporting on how authentication apps have been beaten in the real world.

pokebowl
Posts: 203
Joined: Sat Dec 17, 2016 7:22 pm
Location: The Orion Spur of the Milky Way galaxy.

Re: Two- Factor Authentication at Vanguard - Update

Post by pokebowl » Sat May 19, 2018 1:56 pm

gtd98765 wrote:
Tue May 15, 2018 2:47 pm

I would love to see a link to an article reporting on how authentication apps have been beaten in the real world.
If you want actual papers or presentations on the subject, here is a good one from Google. I can look up some additional ones later after work and post back. Real life examples that come to mind lately within the past year have been against crypto exchanges, however from google themselves on their own authentication app:
Phishing is one of the most common techniques hackers use to gain access to your account or personal information. For example, phishing emails or fake sign-in pages could trick you into revealing critical information, like your password.

To provide the strongest defense against phishing, Advanced Protection goes beyond traditional 2-Step Verification. You will need to sign into your account with a password and a physical Security Key. Other authentication factors, like codes sent via SMS or the Google Authenticator app, will no longer work.
There is nothing more expensive than something offered for free.

2015
Posts: 1951
Joined: Mon Feb 10, 2014 2:32 pm

Re: Two- Factor Authentication at Vanguard - Update

Post by 2015 » Sat May 19, 2018 2:53 pm

pokebowl wrote:
Sat May 19, 2018 1:56 pm
gtd98765 wrote:
Tue May 15, 2018 2:47 pm

I would love to see a link to an article reporting on how authentication apps have been beaten in the real world.
If you want actual papers or presentations on the subject, here is a good one from Google. I can look up some additional ones later after work and post back. Real life examples that come to mind lately within the past year have been against crypto exchanges, however from google themselves on their own authentication app:
Phishing is one of the most common techniques hackers use to gain access to your account or personal information. For example, phishing emails or fake sign-in pages could trick you into revealing critical information, like your password.

To provide the strongest defense against phishing, Advanced Protection goes beyond traditional 2-Step Verification. You will need to sign into your account with a password and a physical Security Key. Other authentication factors, like codes sent via SMS or the Google Authenticator app, will no longer work.
To provide important context to your Google quote from that same page regarding their GA app:
Advanced Protection Program
GET STARTED
Google’s strongest security for those who need it most
The Advanced Protection Program safeguards the personal Google Accounts of those most at risk of targeted attacks—like journalists, activists, business leaders, and political campaign teams.

pokebowl
Posts: 203
Joined: Sat Dec 17, 2016 7:22 pm
Location: The Orion Spur of the Milky Way galaxy.

Re: Two- Factor Authentication at Vanguard - Update

Post by pokebowl » Sat May 19, 2018 3:33 pm

2015 wrote:
Sat May 19, 2018 2:53 pm

snip
Thanks for the clarification and further solidifying my original point with TOTP apps. That security token "For those who need it most" Vanguard supports today for us lesser people as well :D. If they would just omit the various fallback systems, they would have proper 2FA.

Still as I also mentioned above just enabling 2FA is better than no 2FA. :beer
There is nothing more expensive than something offered for free.

wrongfunds
Posts: 1796
Joined: Tue Dec 21, 2010 3:55 pm

Re: Two- Factor Authentication at Vanguard - Update

Post by wrongfunds » Sat May 19, 2018 10:26 pm

Any authentication system is only as strong as its weakest fallback system :(

Pale Horse
Posts: 71
Joined: Tue Jul 16, 2013 2:43 pm

New Vanguard Security Code Requirement [2FA: Two-factor authentication]

Post by Pale Horse » Tue Jul 17, 2018 1:52 pm

[Thread merged into here. --admin LadyGeek]

Just got a notification that Vanguard is implementing mandatory 2 factor authentication procedures. I've worked in IT security and absolutely hate this feature. It's an overly burdensome solution to a problem easily mitigated with sufficiently-designed password parameters (read >12 characters with complexity requirements).

It also plays havoc on anyone with Mint or Quicken tracking software. Unlike most Bogleheads who look at their balance once a year, I actually do daily monitoring. Not to make changes or react, but just to monitor for unauthorized transactions or errors (across all financial accounts, not just retirement).

Sad to say, but will probably be transferring everything to Fidelity. This isn't the only reason to make the switch, just the straw that broke the camel's back.

heyeaglefn
Posts: 10
Joined: Thu Feb 08, 2018 4:20 pm

Re: New Vanguard Security Code Requirement

Post by heyeaglefn » Tue Jul 17, 2018 1:56 pm

Hate to say it but I think Fidelity will require it at some point too. It is the way the industry is going and their priority should be the safety of your account. It may impact some people but it will make everyone's account much more secure.

Texanbybirth
Posts: 951
Joined: Tue Apr 14, 2015 12:07 pm

Re: New Vanguard Security Code Requirement

Post by Texanbybirth » Tue Jul 17, 2018 1:58 pm

It's your prerogative, but I've had 2FA on my Vanguard account from day one and I've never had issues with Mint-syncing.

(Strangely, there is always a message on the bottom of our Mint homepage that SAYS there's an issue with Vanguard but the balance and transaction data is always updated. I think that's actually more of a Mint issue.)

runner3081
Posts: 1618
Joined: Mon Aug 22, 2016 3:22 pm

Re: New Vanguard Security Code Requirement

Post by runner3081 » Tue Jul 17, 2018 1:59 pm

This is pretty old news, they have been nagging about this at login for quite some time.

bondsr4me
Posts: 914
Joined: Fri Oct 18, 2013 7:08 am

Re: New Vanguard Security Code Requirement

Post by bondsr4me » Tue Jul 17, 2018 2:05 pm

Not an IT guy here, so can't speak to the "technical" aspects of it.

I have been using VG's 2FA for quite a while now and I really like it.

I don't use Mint or aggregators, so I could care less about that.

I also have a Fidelity account and I am hoping they will soon implement 2FA like VG's.

It's really quite simple to use.

nexesn
Posts: 43
Joined: Mon Jan 01, 2018 9:15 pm

Re: New Vanguard Security Code Requirement

Post by nexesn » Tue Jul 17, 2018 2:10 pm

Might be annoying, but vanguard is doing the right thing. I think in a few years you’re going to see more and more companies begin forcing people to implement the steps. Fortunately, Apple, and Microsoft are already trying to ease the burden by automatically capturing the 2FA code, once it’s received, and automatically placing it into the necessary request area. It’s already implemented on iOS 12, which I’m currently beta testing.

John151
Posts: 378
Joined: Fri Mar 02, 2007 6:03 pm

Re: New Vanguard Security Code Requirement

Post by John151 » Tue Jul 17, 2018 2:19 pm

I prefer Treasury Direct’s authentication method: they send you a one-time passcode via email. But Vanguard’s authentication method isn’t too bad. They offer you a choice: you can have them require authentication every time you login to your account, or just when you’re logging in from a different computer. I chose the latter. I’ve logged in many times since then without having to authenticate again, because I’m using the same computer.

mouses
Posts: 3719
Joined: Sat Oct 24, 2015 12:24 am

Re: New Vanguard Security Code Requirement

Post by mouses » Tue Jul 17, 2018 2:27 pm

I prefer this. What I don't like about it is it only uses phone authentication, so the phone rings in the middle of the night. Then you have to listen to Miss Lisp for awhile, because the system isn't smart enough to recognize type-in early on in the process, unlike any place else I know of.
