Vanguard Yubikey-only option?

Locked
blaugranamd
Posts: 558
Joined: Wed Apr 11, 2012 1:57 pm
Location: D-lux apt in the sky

Vanguard Yubikey-only option?

Post by blaugranamd » Fri Mar 10, 2017 8:40 pm

Hey all,

Recently got turned on to two-factor authentication and have converted all my finance accounts over to it. Vanguard offers the Yubikey option, which is different from the Symantec VIP software key some of my other accounts use. Seems like a great option, so I got a Yubikey in today, set it up, and sure enough it works great. However, I have read a number of security threads talking about how a hardware/software key is more secure than SMS codes. I cannot find a way on VG's website to force only the security key option, and the security code (SMS) option seems like it must stay active if you have a security key. While it's not a huge issue, isn't the least secure option to login the only one that matters? I.e., if all you have to do to circumvent the security key is click the "send security code" option, then all the Yubikey really does is allow me to avoid getting SMS messages and not really improve security.

Thoughts or am I missing something obvious in the settings? :confused
-- Don't mistake more funds for more diversity: Total Int'l + Total Market = 7k to 10k stocks -- | -- Market return does NOT = average nor 50th percentile, rather 80-90th percentile long term ---

Choy
Posts: 361
Joined: Mon Sep 27, 2010 9:56 pm

Re: Vanguard Yubikey-only option?

Post by Choy » Fri Mar 10, 2017 8:43 pm

You're exactly correct.

It also boggles my mind how some sites require you to have a complex password, but then encourage you to set "security questions" to reset said complex password. Why bother to crack a complex password when I can just look up your wife's maiden name and what street you grew up on?

Edit: Many people have commented on my original comment about security questions. Yes, you can make up whatever you want, but my point is that institutions are encouraging less secure practices. People should not have to think or even be aware of a work-around to a bad security practice. It should not even be offered as an option.
Last edited by Choy on Sun Mar 12, 2017 1:14 pm, edited 1 time in total.

blaugranamd
Posts: 558
Joined: Wed Apr 11, 2012 1:57 pm
Location: D-lux apt in the sky

Re: Vanguard Yubikey-only option?

Post by blaugranamd » Fri Mar 10, 2017 8:45 pm

Well that's a bummer. Now I just have this $15 convenience feature. Actually might be less convenient since I have my phone on me all the time to get SMS and the Yubikey will probably get tucked away in the office or safe... :annoyed

enki
Posts: 100
Joined: Sun Mar 29, 2015 8:51 am

Re: Vanguard Yubikey-only option?

Post by enki » Fri Mar 10, 2017 10:17 pm

I think we need to break your question down a bit more.

Is Yubikey secure? Yes. The technology behind it has been pretty thoroughly tested and is a secure authentication mechanism. Additionally, Yubikey itself has a lot of integration options, which makes it a pretty handy method of authenticating to a number of services.

Are SMS messages secure? Not really. The protocol was never designed for security. It was a backend system used internally by the carriers initially until they realized that they could extend it as a consumer product and, at least in the beginning, use it as a source of revenue. There have been numerous instances where the underlying systems that handle SMS messaging could be compromised, with SMS messages being intercepted.

Does it really matter? That depends. Just because something is not inherently secure does not mean that it poses a risk to you. Sure, given the option, I would pick a Yubikey over SMS (though the latter has a major advantage when you have your phone and forget your Yubikey and need to login somewhere). But in the end, are you a big enough target where someone would actually exploit the SMS system in order to intercept your authentication message? If this was sensitive government/corporate access or we were talking about a seriously large amount of money, the answer might be yes. But if we're talking about a traditional retirement/brokerage account, fortunately it is most likely no.

Like most things, it can be seen as more of a deterrent. Even SMS alone is an extra level of security that will either stop an attack or make it extremely inconvenient to compromise your account. A typical door lock is not secure, but that doesn't mean you shouldn't have one, nor does it mean you should invest in bullet proof windows and a reinforced steel exterior door system.

Most importantly, having some form of two factor, even if it is a combination of Yubikey/SMS, is better than just a username and password.

enki
Posts: 100
Joined: Sun Mar 29, 2015 8:51 am

Re: Vanguard Yubikey-only option?

Post by enki » Fri Mar 10, 2017 10:23 pm

Additionally, in regards to security questions, the recommended approach is to:
1) Have unique answers to every site.
2) Have the answers be completely unrelated to the question at hand.
e.g.: What city were you born? Banana

Using password management systems like LastPass allows you to save notes for each site in which you can document the questions and corresponding answers. They should not be the actual answers, at least nothing that could be easily obtained from public records or guessed.

The biggest weaknesses in website authentication are convenience and user error. If an authentication system is too complex, no one will use it. People will inevitably forget their passwords and there needs to be some mechanism for recovery that, once again, isn't too complex or burdensome (both for the user and the company). The traditional Q/A is a horrible approach. Email recovery is a bit better, but if the email account is compromised, there goes your security for EVERYTHING attached to it. In fact, people should secure their email accounts with the utmost care and concern, as it is the gateway to everything. So far, we haven't really come up with a globally accepted "perfect solution", nor anything that comes close. Hopefully that will change in the future, but there will always be weaknesses that can be exploited.

blaugranamd
Posts: 558
Joined: Wed Apr 11, 2012 1:57 pm
Location: D-lux apt in the sky

Re: Vanguard Yubikey-only option?

Post by blaugranamd » Sat Mar 11, 2017 12:12 am

Enki

I agree that having SMS/Yubikey is superior to username and password. What I don't get is why there's no option to disable SMS once you have a Yubikey. It makes getting the Yubikey pointless, other than if you happen to have the Yubikey with you instead of your phone. Otherwise it's probably more convenient to get an SMS most of the time, and if the SMS is the bigger weakness, having a Yubikey doesn't improve your security, since you can't eliminate a less secure protocol by obtaining one. That's all.

VictoriaF
Posts: 18630
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: Vanguard Yubikey-only option?

Post by VictoriaF » Sat Mar 11, 2017 1:58 pm

I have just found this discussion. Before I did, I posted some related questions in this Bogleheads thread:
viewtopic.php?f=11&t=213356&start=50#p3277004
In another thread VictoriaF wrote: I did a quick search on password managers and related security issues. According to what I've read, LastPass and Dashlane can be authenticated with YubiKey as a 2nd factor. My search was not too deep and so my questions that follow are intended to get better information:

1. Is YubiKey the best currently available hardware token?
My quick search has not brought up any comparable devices but I may not have searched widely enough.

2. Does/will YubiKey work with KeePass?
The sources I found seem to indicate that it does not, but I'd like to verify this.

3. What other services accept YubiKey as the 2nd factor?
I found: Google, Dropbox, Facebook, LastPass, Dashlane, and WordPress. I am curious if Vanguard, Fidelity, and various banks and credit unions do or will support YubiKey.
This thread indicates that YubiKey can be used for Vanguard 2FA, but only in conjunction with SMS. How does it work? You must provide your regular Vanguard user name and password, then insert YubiKey, and then additionally receive an SMS message on your phone with a code for YubiKey?

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

ericmc
Posts: 23
Joined: Sat Feb 20, 2016 1:24 pm

Re: Vanguard Yubikey-only option?

Post by ericmc » Sat Mar 11, 2017 2:11 pm

This thread indicates that YubiKey can be used for Vanguard 2FA, but only in conjunction with SMS. How does it work? You must provide your regular Vanguard user name and password, then insert YubiKey, and then additionally receive an SMS message on your phone with a code for YubiKey?

Victoria
Unfortunately with Vanguard, if you select multi factor authentication (Yubikey is one) you also have to enable SMS. If you use multi factor, SMS is enabled so you can authenticate by Yubikey or SMS. You don't have the ability to remove SMS as an option.

I completely agree with Enki's posts.

Lynette
Posts: 1805
Joined: Sun Jul 27, 2014 9:47 am

Re: Vanguard Yubikey-only option?

Post by Lynette » Sat Mar 11, 2017 2:38 pm

Recently I lost my cellphone - my fault - big hassle - could not find it - got a new one, new number and changed my passwords. I had my cell phone password protected but I try to minimize use of my phone for financial and sensitive information. Of course, I'm more careful about making sure I have my cellphone with me after leaving a store etc.

TravelGeek
Posts: 2457
Joined: Sat Oct 25, 2014 3:23 pm

Re: Vanguard Yubikey-only option?

Post by TravelGeek » Sat Mar 11, 2017 3:37 pm

Choy wrote: It also boggles my mind how some sites require you to have a complex password, but then encourage you to set "security questions" to reset said complex password. Why bother to crack a complex password when I can just look up your wife's maiden name and what street you grew up on?
It boggles my mind how people answer those "security questions" truthfully. :shock: :D

TravelGeek
Posts: 2457
Joined: Sat Oct 25, 2014 3:23 pm

Re: Vanguard Yubikey-only option?

Post by TravelGeek » Sat Mar 11, 2017 3:40 pm

ericmc wrote:
Unfortunately with Vanguard, if you select multi factor authentication (Yubikey is one) you also have to enable SMS. If you use multi factor, SMS is enabled so you can authenticate by Yubikey or SMS. You don't have the ability to remove SMS as an option.

I completely agree with Enki's posts.
We should perhaps all write or call Vanguard and suggest this improvement.

Epsilon Delta
Posts: 7433
Joined: Thu Apr 28, 2011 7:00 pm

Re: Vanguard Yubikey-only option?

Post by Epsilon Delta » Sat Mar 11, 2017 3:47 pm

While I generally agree with Enki's post there are some nuances.

While security questions can often be easily guessed, they usually cannot be used to make immediate transactions. Most institutions impose a couple of weeks' delay and send multiple notifications after a password reset. So knowing your mother's maiden name is not exactly like knowing your password. It's still the weakest link, but it's a little stronger than at first blush.

Similarly with having both SMS and Yubikey. They may be the same now, but that could change in the future. For example if it becomes known that SMS messages are being attacked to gain access to accounts this could be disabled. This would inconvenience a lot of people, but it would inconvenience people with Yubikeys less.

The argument that people should answer security questions untruthfully is morally wrong. It just enables bad security practice rather than actually making things better. The only ethical response is to pressure the institutions to get rid of security questions.

enki
Posts: 100
Joined: Sun Mar 29, 2015 8:51 am

Re: Vanguard Yubikey-only option?

Post by enki » Sat Mar 11, 2017 4:23 pm

I don't know of any online service, be it financial or otherwise, that imposes any significant form of delay between the unlocking of an account (or similar password reset) and being able to have full control of the options offered. I imagine some might have internal security monitoring that looks for risks and could flag certain types of activity (e.g. reset password followed immediately by wiring $100k to Nigeria), but that doesn't necessarily ensure protection or even imply it. I certainly can't think of any situation where an account is locked down for a "couple weeks".

While I would agree that an attacker having a password is better (for them) than being able to guess the security questions, the latter will still allow them to have the former, with all the benefits. There have been countless examples of people who had their financial accounts breached based on someone getting access to their email and/or security questions. Those people had their money stolen successfully, so I think my earlier point stands. As I mentioned above, if your email account is compromised, as the saying is, there goes the neighborhood. Also, even if people have your password, many sites, where security is important, will automatically ask you for secondary (Q/A) authentication if logins are coming from a new location, so an attacker will likely need both.

I am completely baffled in how you could say or think that falsely answering security questions is in any way "immoral" or "unethical". First, in most if not all cases, you have no choice but to answer them. So any thought to protest their insecurity by omitting them goes out the window. If you want to send emails or make complaints about their use, that's great. It's unlikely anything would change until the industry as a whole wakes up. But if you know enough to understand the risks, going along with the program with honest answers is just, no offense, foolish. You are not legally, morally, ethically or any other -ally required to answer them with accurate responses.

blaugranamd
Posts: 558
Joined: Wed Apr 11, 2012 1:57 pm
Location: D-lux apt in the sky

Re: Vanguard Yubikey-only option?

Post by blaugranamd » Sat Mar 11, 2017 4:33 pm

Epsilon Delta wrote:The argument that people should answer security questions untruthfully is morally wrong.
Lol, wut???? :shock: :confused :oops:

VictoriaF
Posts: 18630
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: Vanguard Yubikey-only option?

Post by VictoriaF » Sat Mar 11, 2017 4:43 pm

TravelGeek wrote:
ericmc wrote: Unfortunately with Vanguard, if you select multi factor authentication (Yubikey is one) you also have to enable SMS. If you use multi factor, SMS is enabled so you can authenticate by Yubikey or SMS. You don't have the ability to remove SMS as an option.

I completely agree with Enki's posts.
We should perhaps all write or call Vanguard and suggest this improvement.
We definitely should write and call Vanguard about it. We should also bring it up at the next Bogleheads annual conference during a Vanguard visit.

Victoria

VictoriaF
Posts: 18630
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: Vanguard Yubikey-only option?

Post by VictoriaF » Sat Mar 11, 2017 4:54 pm

enki wrote:
Epsilon Delta wrote:The argument that people should answer security questions untruthfully is morally wrong. It just enables bad security practice rather than actually making things better. The only ethical response is to pressure the institutions to get rid of security questions.


I am completely baffled in how you could say or think that falsely answering security questions is in any way "immoral" or "unethical". First, in most if not all cases, you have no choice but to answer them. So any thought to protest their insecurity by omitting them goes out the window. If you want to send emails or make complaints about their use, that's great. It's unlikely anything would change until the industry as a whole wakes up. But if you know enough to understand the risks, going along with the program with honest answers is just, no offense, foolish. You are not legally, morally, ethically or any other -ally required to answer them with accurate responses.
I think Epsilon Delta's point is that the reason for the security questions is that you don't need to write down the answers because you know them. Once you start making up your boyfriends' maiden names and your pets' favorite vacation spots, you need to capture them somewhere, be it a password vault or an Excel file or pen and paper.

The issues with Epsilon Delta's logic are that since security questions were first conceived (1) attack vectors have expanded significantly and (2) new technologies such as password managers have appeared. Social media and search engines make truthful answers even more perilous. Even if I don't post on Facebook the model of my first roller-blades, my sibling may.

Victoria

TravelGeek
Posts: 2457
Joined: Sat Oct 25, 2014 3:23 pm

Re: Vanguard Yubikey-only option?

Post by TravelGeek » Sat Mar 11, 2017 6:34 pm

Epsilon Delta wrote:
The argument that people should answer security questions untruthfully is morally wrong. It just enables bad security practice rather than actually making things better. The only ethical response is to pressure the institutions to get rid of security questions.
Why don't you pressure institutions to get rid of security questions; I will in the meantime continue to be morally wrong by answering security questions with randomized strings to protect my accounts :beer

Epsilon Delta
Posts: 7433
Joined: Thu Apr 28, 2011 7:00 pm

Re: Vanguard Yubikey-only option?

Post by Epsilon Delta » Sat Mar 11, 2017 8:10 pm

enki wrote: I am completely baffled in how you could say or think that falsely answering security questions is in any way "immoral" or "unethical". First, in most if not all cases, you have no choice but to answer them. So any thought to protest their insecurity by omitting them goes out the window. If you want to send emails or make complaints about their use, that's great. It's unlikely anything would change until the industry as a whole wakes up. But if you know enough to understand the risks, going along with the program with honest answers is just, no offense, foolish. You are not legally, morally, ethically or any other -ally required to answer them with accurate responses.
I did not say that answering the questions inaccurately is unethical.* I meant advocating answering them incorrectly is unethical. At least for people who work for the institution. I've had IT, security people and customer service reps suggest it and that is totally unacceptable. If it's your system and you know it's broken, fix it, don't tell people how to work around it by ignoring your institution's explicit instructions. I've also seen representatives at various regulatory agencies suggest it. This is also unacceptable unless they also make it clear they are trying to fix a broken practice.

* Although you will find security questions on forms covered by a blanket "I certify under penalty of perjury that all answers are correct." I've never seen "I certify that all answers, except the answers to security questions, are truthful."

There are also practical matters.
As Ladygeek says if you can remember your password you shouldn't need security questions and if you can remember random answers you shouldn't forget your password. And the threats haven't gotten worse. Security questions were born broken.

Also if you give random answers, at least njuvfi&raer-=a9ser type answers you can often bypass the security question over the phone. I've had the rep say "oh we seem to have nonsense, I'll clear that for you."

enki
Posts: 100
Joined: Sun Mar 29, 2015 8:51 am

Re: Vanguard Yubikey-only option?

Post by enki » Sat Mar 11, 2017 9:57 pm

Epsilon Delta wrote: I did not say that answering the questions inaccurately is unethical.* I meant advocating answering them incorrectly is unethical. At least for people who work for the institution. I've had IT, security people and customer service reps suggest it and that is totally unacceptable. If it's your system and you know it's broken, fix it, don't tell people how to work around it by ignoring your institution's explicit instructions. I've also seen representatives at various regulatory agencies suggest it. This is also unacceptable unless they also make it clear they are trying to fix a broken practice.

* Although you will find security questions on forms covered by a blanket "I certify under penalty of perjury that all answers are correct." I've never seen "I certify that all answers, except the answers to security questions, are truthful."

There are also practical matters.
As Ladygeek says if you can remember your password you shouldn't need security questions and if you can remember random answers you shouldn't forget your password. And the threats haven't gotten worse. Security questions were born broken.

Also if you give random answers, at least njuvfi&raer-=a9ser type answers you can often bypass the security question over the phone. I've had the rep say "oh we seem to have nonsense, I'll clear that for you."
That makes a bit more sense, but your earlier comment seemed to indicate you were implying that people using incorrect answers were somehow being immoral. However, while I understand (now) your point, I would still disagree. The people who you are referencing that were giving you sound advice in terms of security have no control over the Q/A aspect of logins. Sure, they could tell you to just answer honestly, which we all know creates a huge security risk, but instead they cautioned you to take proper steps to ensure that attackers couldn't guess your information. If anything, I would think that they would be out of compliance with their employers for advising such an approach, but I personally applaud them for their willingness to help people with accurate advice.

Regarding any penalty of perjury claims, I think that is a bit far fetched. First, in my experience most account questions are set up after any applications (which care about honesty) are submitted and approved. But even if it was done in conjunction, no one is going to sue you for perjury or fraud because you said your mother's maiden name was 'cowabunga17'.

While using random alphanumeric passwords with symbols, etc. is a no-brainer, I don't necessarily see the need for doing that with security questions. Sure, from a perfect security standpoint it is ideal, but not in practicality:
1) As you pointed out, you may need to verbally provide it on the phone during verification. This is not possible with a seemingly gibberish answer.
2) Unlike passwords, which should be encrypted with one-way hashes (and salted), this is not the case with most security questions. It can't be if they intend to ask you on the phone, since they need to be able to see the answer themselves. Granted, this in and of itself is bad security, but it's the common practice. In any case, while a brute force attack against the answers is likely impossible (automatic lockouts, etc.), which is the main justification for complex passwords in the first place, if the entire account database was compromised and stolen by attackers, odds are they could readily see the answers in plain text anyway. Which, again, makes Q/A even less secure since it invalidates any protections put in place on passwords in the first place. This further supports the need to have different answers at each site.

We're both in agreement that the Q/A secondary authentication scheme is fundamentally flawed on many levels. And it certainly needs to change. But in order for that to happen, a better and universally accepted alternative needs to come out. As I mentioned initially, there is going to be a compromise between security and convenience. Yubikey, alone, is a great option -- but it's still not perfect, as someone could have lost/broken/misplaced their key or just not have it on them when they need to login. Can you imagine the number of support calls Vanguard would field per day if this was the only 2FA option and was required for all accounts? I'm sure this is why they incorporated the "good enough" security of SMS. Because again, let's face it, even with the risks of SMS, the odds of it being used to attack your account are nearly impossible. We're not talking about TV or the movies where some 12yo kid hacks into the NSA in under a minute -- compromising the SS7 backbone of carriers requires quite a bit of skill and effort and luck. While it would be trivial for nation states or highly sophisticated groups that have access, this isn't going to be a common occurrence. So while it is flawed, it's probably the best option we have available to the general public who have no idea what a Yubikey is.

leftcoaster
Posts: 341
Joined: Mon Jul 23, 2007 4:04 pm

Re: Vanguard Yubikey-only option?

Post by leftcoaster » Sat Mar 11, 2017 10:51 pm

Choy wrote:You're exactly correct.

It also boggles my mind how some sites require you to have a complex password, but then encourage you to set "security questions" to reset said complex password. Why bother to crack a complex password when I can just look up your wife's maiden name and what street you grew up on?
So generate a complex password and use it in lieu of your wife's maiden name.

Choy
Posts: 361
Joined: Mon Sep 27, 2010 9:56 pm

Re: Vanguard Yubikey-only option?

Post by Choy » Sat Mar 11, 2017 11:39 pm

TravelGeek wrote:It boggles my mind how people answer those "security questions" truthfully. :shock: :D
leftcoaster wrote:So generate a complex password and use it in lieu of your wife's maiden name.
Sites are set up in such a way that they encourage people to answer truthfully without knowing the security issues they cause. Yes, it's simple to get around it if you know better, but most people don't know any better and sites should not encourage -- or even allow -- this poor security practice.

jalbert
Posts: 3919
Joined: Fri Apr 10, 2015 12:29 am

Re: Vanguard Yubikey-only option?

Post by jalbert » Sun Mar 12, 2017 12:19 am

Many financial service providers, including Vanguard, get the security engineering of authentication wrong.

If you cannot disable SMS 2-factor codes, then adding a Yubikey actually reduces the authentication security, albeit very minimally. That's because it just adds another point of attack to what is already there if SMS is still enabled. This is a minimal detraction because the Yubikey, if configured correctly, is the most robust of the 3 factors, but it nonetheless is adding another point of attack without taking away any that were there.

The best you can do to reduce the risk of (in)security questions is to use strong passphrases for the answers, but they still can be a problem. The answers and the email address to which to send a password reset link are often stored as cleartext in a database, so someone with a privileged account might be able to save away the values, change them to what they want, do the password reset, then change the values back to original values.
Risk is not a guarantor of return.
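Both enki's point 2 above (answers kept readable so a rep can check them on the phone) and jalbert's remark about answers sitting in a database as cleartext describe the same weakness. The block below is an added example, not code from this thread or from Vanguard or any other institution mentioned in it: it shows the hardened alternative, storing only a salted, slow hash of a normalised answer, so a copy of the table or a privileged read reveals neither the answer nor whether two customers share one, together with a helper for the per-site random answers several posters keep in a password manager. The normalisation rules, the PBKDF2 round count and the record layout are assumptions for illustration.

```python
"""Salted, slow-hashed storage for security-question answers.

Added example (not the thread's or any institution's code). Answers are
normalised, then hashed with a per-record random salt and PBKDF2-HMAC-SHA256,
so the stored record cannot be read back as the answer. All policy values
(normalisation rules, round count, salt size) are assumptions.
"""
import hashlib
import hmac
import secrets
import unicodedata

PBKDF2_ROUNDS = 300_000   # assumption: tune per deployment
SALT_BYTES = 16


def normalise(answer: str) -> str:
    """Fold case, apply NFKC, trim and collapse whitespace so that
    'Smith ' and 'smith' verify as the same answer (assumed policy)."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def hash_answer(answer: str, salt: bytes = b"") -> dict:
    """Return the record to store: hex salt, hex digest and round count.
    A fresh random salt is drawn unless one is supplied (tests only)."""
    salt = salt or secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalise(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "rounds": PBKDF2_ROUNDS}


def verify_answer(record: dict, candidate: str) -> bool:
    """Recompute the digest for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalise(candidate).encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["rounds"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def random_answer(nbytes: int = 12) -> str:
    """A per-site random answer the user records in a password manager note,
    unrelated to the question and to any public record."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Constructed sample: the made-up maiden name wdr1 mentions in the thread.
    record = hash_answer("Orange Cleft Rhinoceros")
    print("stored record:", record)
    print("verify (case/whitespace differ):",
          verify_answer(record, "  orange cleft RHINOCEROS "))
    print("verify wrong answer:", verify_answer(record, "Smith"))
    print("suggested random answer for a new site:", random_answer())
```

Note the trade-off the thread already identifies: once answers are stored this way, a phone rep can no longer read them back, so the institution has to type the caller's answer into the same verification routine rather than compare by eye.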

wdr1
Posts: 49
Joined: Mon Jan 16, 2012 9:46 pm

Re: Vanguard Yubikey-only option?

Post by wdr1 » Sun Mar 12, 2017 12:26 am

Choy wrote:It also boggles my mind how some sites require you to have a complex password, but then encourage you to set "security questions" to reset said complex password. Why bother to crack a complex password when I can just look up your wife's maiden name and what street you grew up on?
FWIW, there's nothing requiring you to provide the actual real world answers to those questions.

For example, despite what's on file with some companies, my wife's maiden name was not "Orange Cleft Rhinoceros" nor did I grow up on "Purple Clown Luckdragon."

They do lead to some occasional interesting discussions when on the phone with customer service, but as you point out, providing information one can easily look up is ridiculous.

TravelGeek
Posts: 2457
Joined: Sat Oct 25, 2014 3:23 pm

Re: Vanguard Yubikey-only option?

Post by TravelGeek » Sun Mar 12, 2017 2:06 am

Epsilon Delta wrote: I did not say that answering the questions inacurately is unethical.* I meant advocating answering them incorrectly is unethical. At least for people who work for the institution.
I assumed your earlier post was in response to mine (where I said it boggles my mind that people answer the questions truthfully). I don't understand why my (implicit) suggestion to answer them incorrectly would be unethical.

I can't change the security systems of sites I don't own that use security questions. But I can help people improve their security somewhat by not answering questions truthfully when answers can often be determined or guessed fairly easily.

As for people who "work for the institution", I don't think I have seen that in this thread (or for that matter elsewhere).
As Ladygeek says if you can remember your password you shouldn't need security questions and if you can remember random answers you shouldn't forget your password.
Security questions aren't just used for forgotten passwords. It is fairly common (unfortunately) to use them as an additional security mechanism when logging in from a computer that hasn't been seen by the login server before (doesn't have a cookie). Basically a wanna-be 2FA. See united.com's much maligned implementation. Or US Bank.

But yes, it is highly unlikely that I will forget my passwords, and if I did, I would forget my security answers as well. Because they are stored together in my password manager. But unfortunately sites often force me to set up security answers. So I don't really need those questions/answers, but to not weaken my security, I don't enter my actual first car model or mother's maiden name. I lie.

blaugranamd
Posts: 558
Joined: Wed Apr 11, 2012 1:57 pm
Location: D-lux apt in the sky

Re: Vanguard Yubikey-only option?

Post by blaugranamd » Sun Mar 12, 2017 9:13 am

jalbert wrote:If you cannot disable SMS 2-factor codes, then adding a Yubikey actually reduces the authentication security, albeit very minimally. That's because it just adds another point of attack to what is already there if SMS is still enabled. This is a minimal detraction because the Yubikey, if configured correctly, is the most robust of the 3 factors, but it nonetheless is adding another point of attack without taking away any that were there.
This is exactly the point I'm trying to get at. The debate of security questions is a good one and one I had not considered. Time to change my legit answers. I think the end result is that financial institutions need strong 2FA and account recovery SHOULD be arduous and painful: phone verification, something mailed to your home address and wet inked back etc. I think customization is the key: allow the customer to disable any or all factors they don't want to allow.

blaugranamd
Posts: 558
Joined: Wed Apr 11, 2012 1:57 pm
Location: D-lux apt in the sky

Re: Vanguard Yubikey-only option?

Post by blaugranamd » Sun Mar 12, 2017 10:22 am

Thanks for yet another great Boglehead bit of wisdom. All my financial websites now have "fun" security question answers. Now to hope I never have to call in and give any of them. :shock:
-- Don't mistake more funds for more diversity: Total Int'l + Total Market = 7k to 10k stocks -- | -- Market return does NOT = average nor 50th percentile, rather 80-90th percentile long term ---

Grasshopper
Posts: 925
Joined: Sat Oct 09, 2010 3:52 pm

Re: Vanguard Yubikey-only option?

Post by Grasshopper » Sun Mar 12, 2017 6:41 pm

I seem to be missing something. I have SMS 2 factor on my Vanguard accounts. I also use a U2F key on my account; except for the time I registered my key I have never received an SMS, I just insert the key, touch it and I am on. I also use the same key for Google, which I hope secures my acct and gmail. My thought was no one can log on without the key.

Choy
Posts: 361
Joined: Mon Sep 27, 2010 9:56 pm

Re: Vanguard Yubikey-only option?

Post by Choy » Sun Mar 12, 2017 6:46 pm

Grasshopper wrote:I seem to be missing something. I have SMS 2 factor on my Vanguard accounts. I also use a U2F key on my account; except for the time I registered my key I have never received an SMS, I just insert the key, touch it and I am on. I also use the same key for Google, which I hope secures my acct and gmail. My thought was no one can log on without the key.
You don't use them at the same time. What you're missing is that SMS authentication is still enabled after enabling Yubikey. Imagine you have a door with a lock that you can open either by 1) using a simple key or 2) biometric retina scan. The security benefit of a biometric retina scan is pointless when you can open the lock with a normal key.

Grasshopper
Posts: 925
Joined: Sat Oct 09, 2010 3:52 pm

Re: Vanguard Yubikey-only option?

Post by Grasshopper » Sun Mar 12, 2017 6:55 pm

Choy wrote:
Grasshopper wrote:I seem to be missing something. I have SMS 2 factor on my Vanguard accounts. I also use a U2F key on my account; except for the time I registered my key I have never received an SMS, I just insert the key, touch it and I am on. I also use the same key for Google, which I hope secures my acct and gmail. My thought was no one can log on without the key.
You don't use them at the same time. What you're missing is that SMS authentication is still enabled after enabling Yubikey. Imagine you have a door with a lock that you can open either by 1) using a simple key or 2) biometric retina scan. The security benefit of a biometric retina scan is pointless when you can open the lock with a normal key.
Got ya. I use Google Voice for my contact, no cell service where I live. Now I see the point that everyone is making. How much risk do you think I am taking with the system I use?

enki
Posts: 100
Joined: Sun Mar 29, 2015 8:51 am

Re: Vanguard Yubikey-only option?

Post by enki » Mon Mar 13, 2017 6:47 am

Choy wrote:
Grasshopper wrote:I seem to be missing something. I have SMS 2 factor on my Vanguard accounts. I also use a U2F key on my account; except for the time I registered my key I have never received an SMS, I just insert the key, touch it and I am on. I also use the same key for Google, which I hope secures my acct and gmail. My thought was no one can log on without the key.
You don't use them at the same time. What you're missing is that SMS authentication is still enabled after enabling Yubikey. Imagine you have a door with a lock that you can open either by 1) using a simple key or 2) biometric retina scan. The security benefit of a biometric retina scan is pointless when you can open the lock with a normal key.
Actually, a better analogy would be you can open the door with either:
1) A simple key.
2) A simple key in conjunction with either a finger print reader or a retina scanner.

Regardless of your feelings on the security of a fingerprint (which is exponentially easier to defeat than intercepting SMS messages), it's still the more secure option compared to #1 and would defeat all but the most sophisticated burglars, even though it does inherently defeat the added benefit of the retinal scanner.
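
The "weakest enabled path wins" argument that Choy, enki and jalbert make above, as an added example that is not code from the thread or from Vanguard. It models a login policy as a set of alternative factor paths, scores each path by its strongest factor (the attacker must defeat all of them), and scores the policy by its weakest path; the factor strength numbers are an assumed ordinal ranking, not a measurement.

```python
# Added example, not code from the thread or from Vanguard: a toy model of the
# "weakest enabled login path wins" argument made by Choy, enki and jalbert.
# Factor strength values below are an assumed ordinal ranking for illustration.
from typing import Dict, FrozenSet, List, Set, Tuple

# Assumed ordinal strength per factor (higher = stronger); not a measurement.
FACTOR_LEVEL: Dict[str, int] = {
    "password": 1,
    "sms_code": 2,        # code texted to a mobile number (port-out risk)
    "voice_landline": 2,  # code read out to a landline (arlo's recovery option)
    "totp_app": 3,        # authenticator app such as Google Authenticator/Authy
    "u2f_key": 4,         # Yubikey / U2F hardware key
}

Path = FrozenSet[str]   # every factor in the path must be satisfied
Policy = Set[Path]      # any one path grants the login


def path_level(path: Path) -> int:
    """An attacker must defeat every factor on a path, so (assuming the
    factors fail independently) a path is as strong as its strongest factor."""
    return max(FACTOR_LEVEL[f] for f in path)


def effective_level(policy: Policy) -> int:
    """The attacker chooses the path, so a policy is as strong as its weakest path."""
    if not policy:
        raise ValueError("policy allows no login path")
    return min(path_level(p) for p in policy)


def weakest_paths(policy: Policy) -> List[Path]:
    """The enabled paths that set the effective level (the 'SMS barn door')."""
    floor = effective_level(policy)
    return sorted((p for p in policy if path_level(p) == floor), key=sorted)


def add_path(policy: Policy, new_path: Path) -> Tuple[Policy, bool]:
    """Enable one more way to log in. Returns the new policy and whether the
    effective level improved; under this model it never can, it only adds surface."""
    new_policy = set(policy) | {new_path}
    return new_policy, effective_level(new_policy) > effective_level(policy)


def remove_path(policy: Policy, old_path: Path) -> Tuple[Policy, bool]:
    """Disable a way to log in (the option the thread says Vanguard does not offer for SMS)."""
    new_policy = set(policy) - {old_path}
    return new_policy, effective_level(new_policy) > effective_level(policy)


# Constructed scenarios mirroring the thread.
PW_SMS = frozenset({"password", "sms_code"})
PW_KEY = frozenset({"password", "u2f_key"})
SMS_ONLY: Policy = {PW_SMS}
SMS_PLUS_KEY, KEY_HELPED = add_path(SMS_ONLY, PW_KEY)          # what Vanguard gives you
KEY_ONLY, SMS_OFF_HELPED = remove_path(SMS_PLUS_KEY, PW_SMS)   # what the OP asked for
```

`len(policy)` is the number of distinct ways in, which is jalbert's "another point of attack"; `weakest_paths` names the path that still governs it.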

FlyingMoose
Posts: 392
Joined: Wed Mar 04, 2009 10:48 pm

Re: Vanguard Yubikey-only option?

Post by FlyingMoose » Mon Mar 13, 2017 7:15 am

SMS messages aren't usually compromised by hacking into the phone network, but by someone socially engineering your carrier to steal your phone number.

Choy
Posts: 361
Joined: Mon Sep 27, 2010 9:56 pm

Re: Vanguard Yubikey-only option?

Post by Choy » Mon Mar 13, 2017 8:48 am

Grasshopper wrote:Got ya, I use Google voice for my contact, no cell service where I live. Now I see the point that everyone is making. How much risk do you think I am taking with the system I use.
You're at no more or less additional risk than if you had no Yubikey. At the end of the day, some 2FA is better than no 2FA.

BolderBoy
Posts: 4174
Joined: Wed Apr 07, 2010 12:16 pm
Location: Colorado

Re: Vanguard Yubikey-only option?

Post by BolderBoy » Mon Mar 13, 2017 9:03 am

enki wrote:I certainly can't think of any situation where an account is locked down for a "couple weeks".
Used to be with VG if you wanted to change your username, the online access to the account was locked for about 2 weeks. Not sure about current requirements.
"Never underestimate one's capacity to overestimate one's abilities" - The Dunning-Kruger Effect

enki
Posts: 100
Joined: Sun Mar 29, 2015 8:51 am

Re: Vanguard Yubikey-only option?

Post by enki » Mon Mar 13, 2017 3:42 pm

BolderBoy wrote:
enki wrote:I certainly can't think of any situation where an account is locked down for a "couple weeks".
Used to be with VG if you wanted to change your username, the online access to the account was locked for about 2 weeks. Not sure about current requirements.
That seems weird. But that sounds more like a back end system issue than a security precaution (i.e. they have to make manual changes for the new username to start working).

arlo
Posts: 1
Joined: Sat Mar 18, 2017 1:13 pm

Re: Vanguard Yubikey-only option?

Post by arlo » Mon May 01, 2017 8:52 am

Sorry about awakening a slightly old thread, but I wanted to add some thoughts to this issue.

First of all, it seems to me that the primary security is that the only ways to take funds out of a Vanguard account involve either a bank transfer that takes a week or so to set up or a mailing address change. It should not be possible to reset the password and immediately transfer everything to Nigeria. Thus, normal vigilance, checking the account and reading notifications should catch most attacks. If I'm wrong here, please correct me.

The purpose of two-factor security is not to provide total security, but to significantly raise the bar on protection. If the username/password gets compromised in bulk then those with minimal security are at far greater risk. Phishing attacks are essentially negated. And a variety of scenarios such as a lost computer are protected against. The price is having to enter an SMS delivered code to access the account, and fetch another if inactive for a brief period. The Yubikey makes this a lot easier, and you have a choice of leaving it in a secure machine, or taking it with you when appropriate.

The big concern of this thread is that SMS is required as a prerequisite to the Yubikey, to make recovery easier if the key is lost. However, this is not really true. There is also an option for a voice message that can be sent to land lines. Thus, the "recovery" can be limited to a home phone, which cannot be easily stolen. Or, you could use any trusted land line, such as a lawyer's office. Also, you can use a Google Voice line that can be directed to either an SMS or a voice line, and changed as needed.

On the issue of security questions, I was amused by the concept of "morally wrong" answers to questions, but I agree that bogus answers are not a good solution if it means writing down the answers to remember them. The proper solution is for the companies to allow both a user defined question and response, which can be thought of as a private "hint" to a password. This would allow near total security without "morally wrong" answers.

There is some concern that any security is only as good as the weakest link, and various other forced metaphors. So I'll add another: there are several meanings of "waterproof." If a milk carton has a tiny leak, it still makes a big mess in the refrigerator. If a basement has a small leak you just mop it up and move on. Security is a matter of blocking as many types of threats as is feasible, and containing what remains.

MarkBarb
Posts: 187
Joined: Mon Aug 03, 2009 11:59 am

Re: Vanguard Yubikey-only option?

Post by MarkBarb » Sun Jan 14, 2018 11:29 am

Is it possible to set up a bogus cell phone number? Or do they confirm it before making it official? In other words, could I set up my SMS and Yubikey and then change my SMS to 800-555-1212?

LadyGeek
Site Admin
Posts: 49182
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: Vanguard Yubikey-only option?

Post by LadyGeek » Sun Jan 14, 2018 11:41 am

This thread is now in the Personal Consumer Issues forum (website security).
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.

StevieG72
Posts: 849
Joined: Wed Feb 05, 2014 9:00 pm

Re: Vanguard Yubikey-only option?

Post by StevieG72 » Sun Jan 14, 2018 11:08 pm

I was disappointed with the lack of a Yubikey-only option as well.

Since it really offers no additional security, I passed on the option.

I do like the setting to allow log in from recognized devices only.
Fools think their own way is right, but the wise listen to others.

Finridge
Posts: 505
Joined: Mon May 16, 2011 7:27 pm

Re: Vanguard Yubikey-only option?

Post by Finridge » Mon Jan 15, 2018 3:41 am

blaugranamd wrote:
Fri Mar 10, 2017 8:40 pm
Hey all,

Recently got turned on to two-factor authentication and have converted all my finance accounts over to it. Vanguard offers the Yubikey option, which is different than the Symantec VIP software key some of my other accounts use. Seems like a great option, so I got a Yubikey in today set it up and sure enough works great. However, I have read a number of security threads talking about how hardware/software key is more secure than SMS codes. I cannot find a way on VGs website to force only security key option and the security code (SMS) option seems like it must stay active if you have a security key. While it's not a huge issue, isn't the least secure option to login the only one that matters? IE: if all you have to do to circumvent the security key is click the "send security code" option then all the Yubikey really does is allow me to avoid getting SMS messages and not really improve security.

Thoughts or am I missing something obvious in the settings? :confused
You are exactly right. This is very disappointing to hear. I was planning on getting a Yubikey, but there is no point if Vanguard insists on leaving the SMS barn door open, regardless of whether I use a Yubikey or not.

Also, they still do not support authenticator applications like Google Authenticator or Authy.

I have been getting the sense that they are not taking cybersecurity as seriously as some of the other firms. These kinds of issues seem to be systemic. If there are weaknesses that we know about, there are probably additional weaknesses that we do not know about. This is the main reason why I have opened an alternative account at Fidelity.

In my opinion, we all need to be vocal in complaining to Vanguard about this. If this is an important issue to you (as it is for me), please remember this the next time you speak to a Vanguard representative, or the next time Vanguard asks you to complete a customer satisfaction survey.

lazydavid
Posts: 1887
Joined: Wed Apr 06, 2016 1:37 pm

Re: Vanguard Yubikey-only option?

Post by lazydavid » Mon Jan 15, 2018 5:50 am

MarkBarb wrote:
Sun Jan 14, 2018 11:29 am
Is it possible to set up a bogus cell phone number? Or do they confirm it before making it official? In other words, could I set up my SMS and Yubikey and then change my SMS to 800-555-1212?
If they use a shortcode, rules set by the MMA (Mobile Marketing Association, not UFC :)) require that the number be confirmed before it is stored for use. This means either receiving an affirmative response via SMS (replying "Yes", for example), or by ingesting a unique value that was sent to the number ("We just sent you an OTP, please enter it here"). So there should be no way to put in an invalid number.

blaugranamd
Posts: 558
Joined: Wed Apr 11, 2012 1:57 pm
Location: D-lux apt in the sky

Re: Vanguard Yubikey-only option?

Post by blaugranamd » Mon Jan 15, 2018 9:49 am

I should add that using the Yubikey option prevented my bank's aggregation website from pulling financial data, so I had to disable it; now I just manually enter the SMS code whenever I want to update it. My Yubikey is now collecting dust... :(
-- Don't mistake more funds for more diversity: Total Int'l + Total Market = 7k to 10k stocks -- | -- Market return does NOT = average nor 50th percentile, rather 80-90th percentile long term ---

Silence Dogood
Posts: 721
Joined: Tue Feb 01, 2011 9:22 pm

Re: Vanguard Yubikey-only option?

Post by Silence Dogood » Mon Jan 15, 2018 10:09 am

FlyingMoose wrote:
Mon Mar 13, 2017 7:15 am
SMS messages aren't usually compromised by hacking into the phone network, but by someone socially engineering your carrier to steal your phone number.
On that note, my cell phone provider requires a PIN (chosen by the customer) to port the phone number to a different phone. This (realistically) all but eliminates the ability to steal your phone number via social engineering.

I would think that most cell phone providers would offer this basic security feature by now.

lazydavid
Posts: 1887
Joined: Wed Apr 06, 2016 1:37 pm

Re: Vanguard Yubikey-only option?

Post by lazydavid » Mon Jan 15, 2018 11:23 am

Silence Dogood wrote:
Mon Jan 15, 2018 10:09 am
On that note, my cell phone provider requires a PIN (chosen by the customer) to port the phone number to a different phone. This (realistically) all but eliminates the ability to steal your phone number via social engineering.

I would think that most cell phone providers would offer this basic security feature by now.
"I don't remember my PIN, can you help me reset it?"

scoroi
Posts: 4
Joined: Tue Jun 13, 2017 9:18 am

Re: Vanguard Yubikey-only option?

Post by scoroi » Sun Nov 04, 2018 11:52 am

I have made a tradition of asking Vanguard, every time, when we are going to have an option to be either U2F only or at least be able to register some OTP. NIST has marked SMS/VOIP/carriers as bad practice and is not recommending it anymore: https://pages.nist.gov/800-63-3/sp800-63b.html

Freefun
Posts: 387
Joined: Sun Jan 14, 2018 3:55 pm

Re: Vanguard Yubikey-only option?

Post by Freefun » Sun Nov 04, 2018 1:29 pm

I’m a bit lost on the comments suggesting security questions are weak. You can use a password generator for the answers and the result should be something no one can possibly guess.
Remember when you wanted what you currently have?

ivk5
Posts: 479
Joined: Thu Sep 22, 2016 9:05 am

Re: Vanguard Yubikey-only option?

Post by ivk5 » Sun Nov 04, 2018 2:12 pm

scoroi wrote:
Sun Nov 04, 2018 11:52 am
I have made a tradition of asking Vanguard, every time, when we are going to have an option to be either U2F only or at least be able to register some OTP. NIST has marked SMS/VOIP/carriers as bad practice and is not recommending it anymore: https://pages.nist.gov/800-63-3/sp800-63b.html
Thread was last active almost a year ago...

LadyGeek
Site Admin
Posts: 49182
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: Vanguard Yubikey-only option?

Post by LadyGeek » Sun Nov 04, 2018 5:50 pm

Let's continue the discussion in the current thread: Vanguard - You'll need to sign up for security codes soon

scoroi has also posted in that thread (Page 4).

(Thread locked to redirect the discussion.)
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
