
Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Posted: Mon May 04, 2020 10:21 am
by crumbone
HawkeyePierce wrote: Sun May 03, 2020 11:54 am
index2max wrote: Sat May 02, 2020 10:39 pm
HawkeyePierce wrote: Wed Apr 29, 2020 10:08 pm Good for Vanguard. :beer

2FA isn't "minimal" extra security, properly implemented it eliminates phishing attacks: https://security.googleblog.com/2019/05 ... basic.html

Now if Vanguard will just let customers use *only* Yubikeys without the phone fallback.
I read an article by the US National Institute of Standards and Technology (NIST) that 2FA using SMS is not foolproof because an attacker targeting you has ways of intercepting text messages.

But if it's based on simply plugging in a hardware device that only you own on your person, then the "something-you-have" part of security is hard to beat.
"Properly implemented" was the key in my post. 2FA over SMS is vulnerable to SIM-swapping.

TOTP apps like Authy and Google Authenticator are better because the code can't be as easily intercepted, but *you* can still end up entering the code into a phishing site.

Hardware tokens like Yubikeys eliminate that risk because the key won't authenticate against fake websites. When you register a Yubikey with a website, the device generates a long random number based on the site's domain name and a secret key. The secret key is generated on the Yubikey and never leaves the device.

Since that long random number is based on the site's domain name, if you get tricked into logging into a phishing site, the key won't generate the same number, so the attacker can't just use it to log into Vanguard.

Any form of 2FA protects against what's known as "credential stuffing", where lists of known username/password pairs are tried en masse against other websites. They also raise the bar on phishing attacks, but only Yubikeys prevent it.

The best defense against credential stuffing is a password manager which ensures you use a unique password for every website. This way, a password stolen from one website can't be used against another. Using the autofill function of a password manager also offers some protection against phishing, since the autofill won't work against fake domains. Eg if you somehow land on vangaurd.com instead of vanguard.com, the password manager won't autofill because the misspelled domain won't match.

My recommendation to vastly improve your cybersecurity:
  • Get at least two Yubikeys. Keep one on a keychain or somewhere convenient, keep the other in a safe location. I use a fireproof document safe.
  • Use Gmail and set up your Google account to require 2FA using either your Yubikeys or a push notification to your phone's Gmail app—both are safe against phishing. Also ensure you print out your backup 2FA codes and keep them somewhere safe (again, fireproof document safe).
  • Use a password manager for ALL websites, even if they don't seem that important to your security (social media, forums like Bogleheads, etc).
  • Install your password manager's browser extension. If a password won't autofill, be VERY suspicious.
  • Use Google Voice for SMS 2FA codes for sites that allow it, it's invulnerable to SIM swap attacks and you've already locked down your Google account.
  • Use Authy for generating 2FA codes. It's easier to use than Google Authenticator and makes it much easier to move your codes to a new device.
Your email account is the key to your kingdom. Locking it down is central to staying safe, since an attacker who can get into your email can likely use that to get into just about any other account (eg by using password recovery on other sites). At that point you'll be in great shape. If you want to go a few extra steps:
  • Sign up for USPS Informed Delivery before someone else does so you know if your mail goes missing.
  • Install the "HTTPS Everywhere" browser extension to ensure that your browsing is encrypted wherever possible.
  • Make sure your hard drive is encrypted. If you have a Mac, just enable FileVault and you're set. Very easy.
  • Keep your software up to date. When Windows or MacOS prompts you to update, do it. Keep your phone up to date and upgrade if it's no longer supported.
  • Install uBlock Origin to block ad networks from loading in your browser. Compromised ad networks are a relatively common attack vector for malware.
  • Make sure your phone requires a passcode or biometric to unlock. This way if it's stolen or lost it won't be easy to get into.
  • Same for your computer: require a password to unlock it.
This is all wonderful advice.

One I'd add, to go along with your recommendation to use a password manager: if a site forces you to select "security questions" to reset your password, instead of having the answers be autobiographical information, have them be randomly-generated nonsense, stored in your password manager.
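The origin binding HawkeyePierce describes above (the key's credential is tied to the site's domain, and a look-alike domain gets nothing usable), as an added toy model; it is not from the original post and not from any FIDO library. It simplifies the security key's per-site ECDSA key pair into an HMAC key derived from the device secret and the rp_id (an assumption for brevity); the parts that defeat phishing, the browser writing the real origin into the signed client data and the relying party rejecting any other origin, follow the U2F design. All names and origins are constructed.

```python
"""Toy model of FIDO U2F origin binding (added example, stdlib only)."""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse


def rp_id_of(origin: str) -> str:
    """Relying-party id is the host of the origin the browser is actually on."""
    return urlparse(origin).hostname


class Authenticator:
    """Stand-in for a security key. A real key derives an ECDSA key pair per
    relying party; here an HMAC key derived from the device secret plays that
    role (simplification). The device secret never leaves the object."""

    def __init__(self) -> None:
        self._device_secret = secrets.token_bytes(32)

    def _site_key(self, rp_id: str) -> bytes:
        # Different rp_id -> different key, so vangaurd.com never gets vanguard.com's key.
        return hmac.new(self._device_secret, rp_id.encode(), hashlib.sha256).digest()

    def register(self, rp_id: str) -> bytes:
        return self._site_key(rp_id)          # a real key would return the public key

    def sign(self, rp_id: str, client_data: bytes) -> bytes:
        return hmac.new(self._site_key(rp_id), client_data, hashlib.sha256).digest()


class Browser:
    """The browser, not the web page, fills in the origin field of client_data."""

    def __init__(self, key: Authenticator) -> None:
        self.key = key

    def get_assertion(self, current_origin: str, challenge: str):
        client_data = json.dumps(
            {"type": "navigator.id.getAssertion",
             "challenge": challenge,
             "origin": current_origin},
            sort_keys=True).encode()
        return client_data, self.key.sign(rp_id_of(current_origin), client_data)


class RelyingParty:
    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.rp_id = rp_id_of(origin)
        self.registered = {}    # user -> registered key material
        self.pending = {}       # user -> outstanding challenge (single use)

    def register(self, user: str, key: Authenticator) -> None:
        self.registered[user] = key.register(self.rp_id)

    def new_challenge(self, user: str) -> str:
        self.pending[user] = secrets.token_urlsafe(32)
        return self.pending[user]

    def verify(self, user: str, client_data: bytes, signature: bytes) -> str:
        expected_challenge = self.pending.pop(user, None)   # consumed even on failure
        data = json.loads(client_data)
        if data.get("origin") != self.origin:
            return "origin-mismatch"
        if expected_challenge is None or data.get("challenge") != expected_challenge:
            return "bad-challenge"
        expected_sig = hmac.new(self.registered[user], client_data, hashlib.sha256).digest()
        return "ok" if hmac.compare_digest(expected_sig, signature) else "bad-signature"


def run_scenarios() -> dict:
    key = Authenticator()
    browser = Browser(key)
    vanguard = RelyingParty("https://vanguard.com")
    vanguard.register("alice", key)
    results = {}

    # 1. Genuine login from the real site.
    c = vanguard.new_challenge("alice")
    client_data, sig = browser.get_assertion("https://vanguard.com", c)
    results["genuine"] = vanguard.verify("alice", client_data, sig)

    # 2. Replaying that same assertion later: the challenge was already consumed.
    results["replay"] = vanguard.verify("alice", client_data, sig)

    # 3. Look-alike site relays the real challenge; the user touches the key
    #    while on vangaurd.com, so the browser records that origin.
    c = vanguard.new_challenge("alice")
    client_data, sig = browser.get_assertion("https://vangaurd.com", c)
    results["relayed"] = vanguard.verify("alice", client_data, sig)

    # 4. Look-alike site edits client_data to claim the real origin: the
    #    signature no longer matches (different bytes, and the wrong per-site key).
    c = vanguard.new_challenge("alice")
    client_data, sig = browser.get_assertion("https://vangaurd.com", c)
    forged = json.loads(client_data)
    forged["origin"] = "https://vanguard.com"
    forged_data = json.dumps(forged, sort_keys=True).encode()
    results["forged-origin"] = vanguard.verify("alice", forged_data, sig)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:14s} -> {outcome}")
```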

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Posted: Mon May 04, 2020 1:23 pm
by crefwatch
So far, Vanguard's 2-factor policy allows persistent approval for a trusted computer. So I rarely have to have my phone beside my home desktop. And this persistence works much better than older (cookie-based???) permissions that disappear randomly (like for TIAA and T. Rowe Price.) I haven't found Vanguard's policy to be a problem. Yet.

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Posted: Tue May 05, 2020 6:55 am
by boomer_techie
MathWizard wrote: Mon May 04, 2020 9:31 am The app does not connect you to anything, it just produces a random code. It is useful if it is connected or not.
If you are worried, connect with your home encrypted wifi, and then turn off the wifi (or put it in airplane mode)
You can occasionally reconnect to set the time again.
Presumably Google Authenticator is a https://en.wikipedia.org/wiki/Time-base ... _algorithm - um, yes, you confirmed that up above. Thus the clock needs to be reasonably correct. If not, the system won't work. Hmmm, just checked the time on my old iPhone: After seven weeks of not being online, it is a minute fast. So the clock would need to be "fixed" weekly or biweekly.
HawkeyePierce wrote: Mon May 04, 2020 9:57 am If your device is locked and encrypted, which iPhones are by default, there is little to no risk in keeping important information on it.
I'm a computer programmer by trade. If someone can get their hands on a physical device, I don't trust the security on the device no matter how much Apple brags about secure elements and encryption. I find it simpler to just not do anything important on a device that I carry around all over.

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Posted: Tue May 05, 2020 10:13 am
by HawkeyePierce
boomer_techie wrote: Tue May 05, 2020 6:55 am
HawkeyePierce wrote: Mon May 04, 2020 9:57 am If your device is locked and encrypted, which iPhones are by default, there is little to no risk in keeping important information on it.
I'm a computer programmer by trade. If someone can get their hands on a physical device, I don't trust the security on the device no matter how much Apple brags about secure elements and encryption. I find it simpler to just not do anything important on a device that I carry around all over.
I don't want others following this thread to believe this is a reasonable precaution. It's absolutely not.

Carrying around a phone that has Authy or Google Authenticator on it poses such negligible risk that it's not worth worrying about. Think through the threat model: someone steals your phone, or you leave it at a Starbucks. Let's say you're right for the moment and Apple screwed up their crypto implementation. Now someone has your 2FA codes. They still don't have your passwords! The other factor saved you! It won't take you long to realize you've lost your phone, at which point you can contact your financial institutions etc and revoke those codes.

Fortunately Apple *didn't* screw up their crypto implementation, the data on your phone is *exceptionally* safe and this is not a scenario worth worrying about.

(I'm also a software engineer and I work closely with a world-class security team at my company. This is not something they worry about)

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Posted: Tue May 05, 2020 5:10 pm
by Silence Dogood
There is essentially no reasonable security threat from using an authentication app on a smartphone.

Having said that, I limit the financial apps on my smartphone to mitigate the risk of user and/or behavioral error, which is always a possibility. :wink:

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Posted: Tue May 05, 2020 5:12 pm
by jebmke
Silence Dogood wrote: Tue May 05, 2020 5:10 pm There is essentially no reasonable security threat from using an authentication app on a smartphone.

Having said that, I limit the financial apps on my smartphone to mitigate the risk of user and/or behavioral error, which is always a possibility. :wink:
Same here. I'm never away from home for more than a couple of weeks so there really isn't a compelling reason to use the mobile device.

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Posted: Tue May 05, 2020 5:40 pm
by HawkeyePierce
I consider accessing a financial institution via their app to be *more* secure than using their website, especially on an iPhone. You can't get phished, the OS guarantees all communications are encrypted, no risk of rogue browser extensions stealing data.

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Posted: Tue May 05, 2020 10:20 pm
by ftobin
HawkeyePierce wrote: Tue May 05, 2020 5:40 pm I consider accessing a financial institution via their app to be *more* secure than using their website, especially on an iPhone. You can't get phished, the OS guarantees all communications are encrypted, no risk of rogue browser extensions stealing data.
There are other nuanced considerations. For example, I use a password manager for every account I have. Using Firefox's built-in password manager, I'm guaranteed I only submit the password to the correct site. Using a password manager with mobile apps generally requires a cumbersome and insecure process of using an independent password manager to copy a password to the clipboard and then paste into the app. Any app can read from the clipboard during this time. On Android there are keyboard-based password entry approaches, but in general, the password is available for anything to sniff it out.

Obviously, I can't get phished using Firefox either, given the safeguards it has built-in. I'd have to go out of my way to submit a password to the wrong site.

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Posted: Tue May 05, 2020 11:06 pm
by ARoseByAnyOtherName
ftobin wrote: Tue May 05, 2020 10:20 pm
HawkeyePierce wrote: Tue May 05, 2020 5:40 pm I consider accessing a financial institution via their app to be *more* secure than using their website, especially on an iPhone. You can't get phished, the OS guarantees all communications are encrypted, no risk of rogue browser extensions stealing data.
There are other nuanced considerations. For example, I use a password manager for every account I have. Using Firefox's built-in password manager, I'm guaranteed I only submit the password to the correct site. Using a password manager with mobile apps generally requires a cumbersome and insecure process of using an independent password manager to copy a password to the clipboard and then paste into the app.
Not on iOS. Password managers are integrated with most app authentication prompts. They mostly autofill like websites.

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Posted: Wed May 06, 2020 7:25 pm
by Silence Dogood
HawkeyePierce wrote: Tue May 05, 2020 5:40 pm I consider accessing a financial institution via their app to be *more* secure than using their website, especially on an iPhone. You can't get phished, the OS guarantees all communications are encrypted, no risk of rogue browser extensions stealing data.
I agree. (Was this in response to my post?)

As I wrote in another thread, about this same topic:
...I only access my Vanguard account via my desktop computer. I have my online account set to "only allow recognized devices" and only my desktop computer is recognized.

Not having easy - 24/7 - access to my account via my phone reduces my chances of doing something stupid. It takes effort for me to access my online account. I can't do it while I'm half-asleep in the middle of the night and I can't do it while I'm out at a bar with friends.

To be clear, I highly doubt this will ever be an issue. It has never been an issue in the past.

Yet, it's probably still more likely to happen than the unlikely chance that my account gets hacked.
Besides, like jebmke, I personally don't feel like I have a compelling reason to use certain financial apps. Why would I need to check my retirement account when I'm out and about?

I use two different credit cards and I do have the apps for those, so I'm not against it if a compelling reason exists. If I wanted to (I rarely do), I could view a recent transaction and there is a low-risk/limit of doing anything stupid.

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Posted: Thu May 07, 2020 4:25 pm
by Gadget
ftobin wrote: Sun May 03, 2020 2:08 am
dmcmahon wrote: Sun May 03, 2020 12:51 am Fidelity too
Unfortunately, for Fidelity, if you enable app TOTP 2FA, you have to use it on each login. If you simply use SMS-based 2FA, you can choose to enter it only when logging in from new devices. While I strongly prefer TOTP 2FA, I don't want to have to enter it all the time. Poor (lack of) design decision on their part, IMO.
Does Fidelity support standard TOTP 2FA now? As in, I can save the TOTP code in 1Password and 1Password will automatically fill it in for me after it autofills my username/password?

Last I checked on Fidelity, they only supported 2FA via some silly 3rd party McAfee authenticator app. But maybe I didn't click far enough to find it was a standard QR code.

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Posted: Fri May 08, 2020 11:33 am
by Faith20879
absolute zero wrote: Sat May 02, 2020 9:43 pm If you have a gmail account or PayPal account, those would be two examples of websites that allow for the use of authenticator apps. It’s pretty convenient and more secure than SMS for 2FA.
I do have a gmail account and use it often. It has a straightforward login process - go to the website, type in the email address and give my password and voila I am in. I am still not grasping how it is different from an app-based 2FA. Is it that if I were using a gmail app, there is a different kind of 2FA procedure?

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Posted: Fri May 08, 2020 11:43 am
by HawkeyePierce
Faith20879 wrote: Fri May 08, 2020 11:33 am
absolute zero wrote: Sat May 02, 2020 9:43 pm If you have a gmail account or PayPal account, those would be two examples of websites that allow for the use of authenticator apps. It’s pretty convenient and more secure than SMS for 2FA.
I do have a gmail account and use it often. It has a straightforward login process - go to the website, type in the email address and give my password and voila I am in. I am still not grasping how it is different from an app-based 2FA. Is it that if I were using a gmail app, there is a different kind of 2FA procedure?
Sounds like you haven't enabled 2FA on your Google account. You should do so. Google supports every 2FA method under the sun.

You can choose for app-based, where an app generates a six-digit code that rotates every minute.

You can go push-based, where a login on one client (eg your computer) pushes a prompt to another client (the Gmail app on your phone) to confirm the request is you.

You can go for a hardware token, where you plug in a Yubikey to authenticate.

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Posted: Fri May 08, 2020 12:00 pm
by absolute zero
Faith20879 wrote: Fri May 08, 2020 11:33 am
absolute zero wrote: Sat May 02, 2020 9:43 pm If you have a gmail account or PayPal account, those would be two examples of websites that allow for the use of authenticator apps. It’s pretty convenient and more secure than SMS for 2FA.
I do have a gmail account and use it often. It has a straightforward login process - go to the website, type in the email address and give my password and voila I am in. I am still not grasping how it is different from an app-based 2FA. Is it that if I were using a gmail app, there is a different kind of 2FA procedure?
Your current system utilizes a password as its security measure. That is definitely straightforward and simple. But it’s just 1 layer of security. 2FA methods represent a second layer of security, in addition to the password.

In the case of an authenticator app (just an example form of 2FA) the steps are:

1. Go to gmail’s website on your computer.
2. Enter username and password.
3. Open up your authenticator app on your phone. Can be google Authenticator app, or can be a similar app from a number of other companies (totally unrelated to gmail).
4. Read the code shown in the app and enter it into the gmail box on your computer where it requests the code.
5. You’ve made it into your gmail account.
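The code the authenticator app produces in step 3 above, and the clock dependence boomer_techie noted earlier in the thread (an offline phone a minute fast), as an added example; this is not code from any of the posts or from any authenticator app. It implements RFC 6238 TOTP with the standard library, decodes the otpauth:// URI that an enrolment QR code carries, and shows a server accepting codes one 30-second step either side of its own clock. The secret is the RFC 6238 test vector and the enrolment URI is constructed.

```python
"""RFC 6238 TOTP: code generation, server-side verification with a skew window,
and decoding of the enrolment QR-code URI (added example, stdlib only)."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), base32 encoded
# the way an otpauth:// enrolment URI carries it. Constructed, not a real account.
RFC_SECRET = b"12345678901234567890"
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step.
    Nothing here touches the network: only the shared secret and the clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, code, server_time, step=30, digits=6, window=1) -> bool:
    """Server side: accept the code for the current step or `window` steps either
    side, which tolerates a small clock difference between phone and server."""
    counter = server_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


def parse_otpauth(uri: str) -> dict:
    """Decode the otpauth:// URI in the enrolment QR code: the same secret goes
    into Google Authenticator, Authy, 1Password or any other RFC 6238 app."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP enrolment URI")
    query = parse_qs(parts.query)
    b32 = query["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)             # restore padding that URIs omit
    return {
        "label": parts.path.lstrip("/"),
        "secret": base64.b32decode(b32),
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }


def clock_skew_demo(secret: bytes, server_time: int = 1234567890) -> dict:
    """Phone clock ahead of the server by N seconds; server allows +-1 step.
    A phone one minute fast is two steps ahead and its code is rejected."""
    return {skew: verify_totp(secret, totp(secret, server_time + skew), server_time)
            for skew in (0, 29, 30, 60)}


if __name__ == "__main__":
    enrol = parse_otpauth(SAMPLE_URI)
    print("code at T=59:", totp(enrol["secret"], 59))        # RFC vector: 287082
    for skew, accepted in clock_skew_demo(enrol["secret"]).items():
        print(f"phone {skew:2d}s fast -> {'accepted' if accepted else 'rejected'}")
```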

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Posted: Fri May 08, 2020 12:29 pm
by Faith20879
HawkeyePierce wrote: Fri May 08, 2020 11:43 am
Sounds like you haven't enabled 2FA on your Google account. You should do so. Google supports every 2FA method under the sun.

You can choose for app-based, where an app generates a six-digit code that rotates every minute.
I think I finally see the light. Will get on Google to set it. Thanks for the enlightenment.

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Posted: Fri May 08, 2020 12:33 pm
by mptfan
Faith20879 wrote: Fri May 08, 2020 11:33 am I do have a gmail account and use it often. It has a straightforward login process - go to the website, type in the email address and give my password and voila I am in. I am still not grasping how it is different from an app-based 2FA. Is it that if I were using a gmail app, there is a different kind of 2FA procedure?
Watch this video...

https://www.youtube.com/watch?v=zMabEyrtPRg

The video is from 2011 and the software has been updated since then, but the principles are the same.

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Posted: Mon Sep 14, 2020 6:05 pm
by sfly510
Logged into Vanguard via Firefox today and was greeted with a prompt to press my Fido-U2F enabled Yubikey. Previously this had only worked for me with Chrome, despite multiple past attempts to trick the vanguard site into believing I was using Chrome via the User Agent string. Looks like Firefox is finally supported by Vanguard for Fido-U2F!

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Posted: Mon Sep 14, 2020 8:40 pm
by Samosa22
HawkeyePierce wrote: Tue May 05, 2020 5:40 pm
My recommendation to vastly improve your cybersecurity:
Thanks for your wonderful recommendations. Very helpful, especially to people like me who are still using SMS based 2FA...time to buy Yubikeys.
HawkeyePierce wrote: Tue May 05, 2020 5:40 pm I consider accessing a financial institution via their app to be *more* secure than using their website, especially on an iPhone. You can't get phished, the OS guarantees all communications are encrypted, no risk of rogue browser extensions stealing data.
One serious question: Suppose a person frequently uses an iPhone to access financial institutions via their apps, but s/he also uses the same iPhone to visit porn sites through a private browser mode. How vulnerable is such an iPhone to hacking attempts? If one has to assign a security-risk score on a scale of 1-10 (with 10 being the most vulnerable), what score would such an iPhone receive?

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Posted: Tue Sep 15, 2020 11:35 pm
by HawkeyePierce
Samosa22 wrote: Mon Sep 14, 2020 8:40 pm
HawkeyePierce wrote: Tue May 05, 2020 5:40 pm
My recommendation to vastly improve your cybersecurity:
Thanks for your wonderful recommendations. Very helpful, especially to people like me who are still using SMS based 2FA...time to buy Yubikeys.
HawkeyePierce wrote: Tue May 05, 2020 5:40 pm I consider accessing a financial institution via their app to be *more* secure than using their website, especially on an iPhone. You can't get phished, the OS guarantees all communications are encrypted, no risk of rogue browser extensions stealing data.
One serious question: Suppose a person frequently uses an iPhone to access financial institutions via their apps, but s/he also uses the same iPhone to visit porn sites through a private browser mode. How vulnerable is such an iPhone to hacking attempts? If one has to assign a security-risk score on a scale of 1-10 (with 10 being the most vulnerable), what score would such an iPhone receive?
This scenario would not worry me.

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Posted: Wed Sep 16, 2020 12:13 am
by JBTX
Gadget wrote: Thu May 07, 2020 4:25 pm
ftobin wrote: Sun May 03, 2020 2:08 am
dmcmahon wrote: Sun May 03, 2020 12:51 am Fidelity too
Unfortunately, for Fidelity, if you enable app TOTP 2FA, you have to use it on each login. If you simply use SMS-based 2FA, you can choose to enter it only when logging in from new devices. While I strongly prefer TOTP 2FA, I don't want to have to enter it all the time. Poor (lack of) design decision on their part, IMO.
Does Fidelity support standard TOTP 2FA now? As in, I can save the TOTP code in 1Password and 1Password will automatically fill it in for me after it autofills my username/password?

Last I checked on Fidelity, they only supported 2FA via some silly 3rd party McAfee authenticator app. But maybe I didn't click far enough to find it was a standard QR code.
Is there some problem with McAfee authenticator?

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Posted: Wed Sep 16, 2020 7:23 am
by mptfan
Samosa22 wrote: Mon Sep 14, 2020 8:40 pm One serious question: Suppose a person frequently uses an iPhone to access financial institutions via their apps, but s/he also uses the same iPhone to visit porn sites through a private browser mode.
Are you asking for a friend? lol

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Posted: Wed Sep 16, 2020 10:51 am
by sfly510
JBTX wrote: Wed Sep 16, 2020 12:13 am
Gadget wrote: Thu May 07, 2020 4:25 pm
ftobin wrote: Sun May 03, 2020 2:08 am
dmcmahon wrote: Sun May 03, 2020 12:51 am Fidelity too
Unfortunately, for Fidelity, if you enable app TOTP 2FA, you have to use it on each login. If you simply use SMS-based 2FA, you can choose to enter it only when logging in from new devices. While I strongly prefer TOTP 2FA, I don't want to have to enter it all the time. Poor (lack of) design decision on their part, IMO.
Does Fidelity support standard TOTP 2FA now? As in, I can save the TOTP code in 1Password and 1Password will automatically fill it in for me after it autofills my username/password?

Last I checked on Fidelity, they only supported 2FA via some silly 3rd party McAfee authenticator app. But maybe I didn't click far enough to find it was a standard QR code.
Is there some problem with McAfee authenticator?
It's actually Symantec VIP that Fidelity uses. For the technologically savvy, you can mimic the request to Symantec and take the resultant secret key and plug it into anything that supports TOTP. Someone also created a Docker image which can handle the request, if you trust not doing it manually.

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Posted: Wed Sep 16, 2020 12:28 pm
by JBTX
At the risk of being a luddite, how would I use an authenticator like Authy? For what? I don't think they can be used at financial sites. Where could they be used where it actually matters?

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Posted: Wed Sep 16, 2020 12:30 pm
by JBTX
sfly510 wrote: Wed Sep 16, 2020 10:51 am
JBTX wrote: Wed Sep 16, 2020 12:13 am
Gadget wrote: Thu May 07, 2020 4:25 pm
ftobin wrote: Sun May 03, 2020 2:08 am
dmcmahon wrote: Sun May 03, 2020 12:51 am Fidelity too
Unfortunately, for Fidelity, if you enable app TOTP 2FA, you have to use it on each login. If you simply use SMS-based 2FA, you can choose to enter it only when logging in from new devices. While I strongly prefer TOTP 2FA, I don't want to have to enter it all the time. Poor (lack of) design decision on their part, IMO.
Does Fidelity support standard TOTP 2FA now? As in, I can save the TOTP code in 1Password and 1Password will automatically fill it in for me after it autofills my username/password?

Last I checked on Fidelity, they only supported 2FA via some silly 3rd party McAfee authenticator app. But maybe I didn't click far enough to find it was a standard QR code.
Is there some problem with McAfee authenticator?
It's actually Symantec VIP that Fidelity uses. For the technologically savvy, you can mimic the request to Symantec and take the resultant secret key and plug it into anything that supports TOTP. Someone also created a Docker image which can handle the request, if you trust not doing it manually.
I have no idea what any of that means. Is what you describe a real problem or just a theoretical weakness that practically never happens?

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Posted: Wed Sep 16, 2020 3:39 pm
by sfly510
JBTX wrote: Wed Sep 16, 2020 12:30 pm I have no idea what any of that means. Is what you describe a real problem or just a theoretical weakness that practically never happens?
Most of my reply was addressing Gadget's concern about the dependency on Symantec VIP. The workaround is a one-time step which mimics the Symantec VIP app calling out to the Symantec VIP server, and can be used to set up TOTP for Fidelity (or Schwab or any other entity which uses Symantec VIP) using any other TOTP capable system, e.g. a Yubikey, Authy, Google Authenticator, Bitwarden, 1Password, etc.

Personally I added the TOTP secret key(s) to my Yubikey because I prefer the hardware security it offers, with the obvious caveat that the secret key is (securely) transferred over the internet during the one-time setup.

For reference:

https://www.cyrozap.com/2014/09/29/reve ... -protocol/
https://hub.docker.com/r/kayvan/vipaccess/
https://www.mjt.me.uk/posts/yubikey-sym ... ip-access/

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Posted: Wed Sep 16, 2020 5:06 pm
by CCD
sfly510 wrote: Wed Sep 16, 2020 3:39 pm
JBTX wrote: Wed Sep 16, 2020 12:30 pm I have no idea what any of that means. Is what you describe a real problem or just a theoretical weakness that practically never happens?
Most of my reply was addressing Gadget's concern about the dependency on Symantec VIP. The workaround is a one-time step which mimics the Symantec VIP app calling out to the Symantec VIP server, and can be used to set up TOTP for Fidelity (or Schwab or any other entity which uses Symantec VIP) using any other TOTP capable system, e.g. a Yubikey, Authy, Google Authenticator, Bitwarden, 1Password, etc.

Personally I added the TOTP secret key(s) to my Yubikey because I prefer the hardware security it offers, with the obvious caveat that the secret key is (securely) transferred over the internet during the one-time setup.

For reference:

https://www.cyrozap.com/2014/09/29/reve ... -protocol/
https://hub.docker.com/r/kayvan/vipaccess/
https://www.mjt.me.uk/posts/yubikey-sym ... ip-access/
Is there an easy way to do this for non-programmers? :(

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Posted: Wed Sep 16, 2020 5:13 pm
by abuss368
Good for Vanguard and enhanced security. I am surprised it has taken this long.

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Posted: Wed Sep 16, 2020 6:39 pm
by sfly510
CCD wrote: Wed Sep 16, 2020 5:06 pm
sfly510 wrote: Wed Sep 16, 2020 3:39 pm
JBTX wrote: Wed Sep 16, 2020 12:30 pm I have no idea what any of that means. Is what you describe a real problem or just a theoretical weakness that practically never happens?
Most of my reply was addressing Gadget's concern about the dependency on Symantec VIP. The workaround is a one-time step which mimics the Symantec VIP app calling out to the Symantec VIP server, and can be used to set up TOTP for Fidelity (or Schwab or any other entity which uses Symantec VIP) using any other TOTP capable system, e.g. a Yubikey, Authy, Google Authenticator, Bitwarden, 1Password, etc.

Personally I added the TOTP secret key(s) to my Yubikey because I prefer the hardware security it offers, with the obvious caveat that the secret key is (securely) transferred over the internet during the one-time setup.

For reference:

https://www.cyrozap.com/2014/09/29/reve ... -protocol/
https://hub.docker.com/r/kayvan/vipaccess/
https://www.mjt.me.uk/posts/yubikey-sym ... ip-access/
Is there an easy way to do this for non-programmers? :(
I wouldn't say there's an "easy" way.

Perhaps the easiest way:
  1. Install Python on your computer - e.g. for Windows https://www.python.org/ftp/python/3.8.5 ... -amd64.exe
  2. From a command line run:

     pip install image lxml oath PyCrypto qrcode requests

  3. From a command line run:

     pip install python-vipaccess

  4. From a command line run:

     vipaccess

Feel free to PM me if you want more details.

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Posted: Fri Sep 18, 2020 12:58 pm
by ErRyTour
HawkeyePierce wrote: Sun May 03, 2020 11:54 am My recommendation to vastly improve your cybersecurity:
  • Get at least two Yubikeys. Keep one on a keychain or somewhere convenient, keep the other in a safe location. I use a fireproof document safe.
  • Use Gmail and set up your Google account to require 2FA using either your Yubikeys or a push notification to your phone's Gmail app—both are safe against phishing. Also ensure you print out your backup 2FA codes and keep them somewhere safe (again, fireproof document safe).
Agree with everything you wrote, but feel these two should have some revision:

- have another Yubikey kept off-site. A fireproof safe becomes proof of a fire if the fire burns long enough.
- don't create backup TOTP 2FA codes. They only serve as another entry point. Just keep the original 2FA code tucked away and use it to re-seed a new device.

One more thing - when the site says do you want to remember this computer - always say no.

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Posted: Fri Sep 18, 2020 2:15 pm
by otinkyad
ftobin wrote: Sun May 03, 2020 2:08 am Unfortunately, for Fidelity, if you enable app TOTP 2FA, you have to use it on each login. If you simply use SMS-based 2FA, you can choose to enter it only when logging in from new devices. While I strongly prefer TOTP 2FA, I don't want to have to enter it all the time. Poor (lack of) design decision on their part, IMO.
That’s a feature, not a bug. If you get to choose whether to remember a device, you will sometimes choose poorly by accident. I never save cookies for financial sites, so that’s how everything behaves for me.

Re: Vanguard 2-factor authentication becoming mandatory and available for non-US

Posted: Sat Sep 26, 2020 10:03 pm
by Samosa22
HawkeyePierce wrote: Tue Sep 15, 2020 11:35 pm My recommendation to vastly improve your cybersecurity:
Thanks again for your wonderful recommendations! I have now purchased two Yubikeys, enrolled my as well as DW's Google account in the Advanced Protection Program (using the same two Yubikeys), and have removed our phone numbers as an account recovery method. So, both accounts are now locked down. Questions:

1. My account still has DW's gmail as a recovery method, and DW's account has my gmail as a recovery method. Is this okay since each recovery account is "locked down" in itself? Or should we remove the recovery option altogether?

2. Can my account still be recovered using backup codes that I created previously? Or are those codes null and void as long as I am enrolled in the Advanced Protection Program?

3. While enrolling in this program I noticed that one of the disclaimers was that if you get locked out of your account it may take 3-5 days to regain account access. I wonder how Google would verify my identity and restore my account in case I get locked out? This seems like a potential weakness that someone can use to take over the account.

Thanks for your help!