Yubikey only at Vanguard now possible.

rkhusky
Posts: 12806
Joined: Thu Aug 18, 2011 8:09 pm

Re: Yubikey only at Vanguard now possible.

Post by rkhusky »

How easy is it to fake a Yubikey? How easy is it to fake a computer identity? Without access to the hardware.
criticalmass
Posts: 2564
Joined: Wed Feb 12, 2014 10:58 pm

Re: Yubikey only at Vanguard now possible.

Post by criticalmass »

cowdogman wrote: Sat Mar 12, 2022 11:28 am
HawkeyePierce wrote: Tue Mar 08, 2022 1:24 pm
cowdogman wrote: Tue Mar 08, 2022 11:44 am
Northern Flicker wrote: Sat Mar 05, 2022 2:31 am
cowdogman wrote: If you use Yubikey (which is in its way the same as computer restriction--Yubikey restriction)
Having a service remember your computer is not the equivalent of using a Yubikey in the level of security enhancement achieved.
Yes, I agree, but they are getting at the same thing--restricting access to a specific computer--the one Vanguard remembers or the one that has the Yubikey inserted.
They are not even remotely equivalent.
Please explain. I agreed above that they are not equivalent but are getting at the same thing. Specifically, would you use both (1) computer restriction and (2) Yubikey? If so (or not), why?
For starters, “remembering” the saved browser is done by a browser cookie which is trivial to copy for reuse anywhere, if not able to just produce one arbitrarily.
The Yubikey uses hardware based strong cryptography and the key it generates may not be copied for reuse, or generated without the smartcard hardware built in to that specific Yubikey.
cowdogman
Posts: 1493
Joined: Sat Dec 16, 2017 7:44 pm
Location: Washington State

Re: Yubikey only at Vanguard now possible.

Post by cowdogman »

criticalmass wrote: Sat Mar 12, 2022 11:40 am
cowdogman wrote: Sat Mar 12, 2022 11:28 am
HawkeyePierce wrote: Tue Mar 08, 2022 1:24 pm
cowdogman wrote: Tue Mar 08, 2022 11:44 am
Northern Flicker wrote: Sat Mar 05, 2022 2:31 am
Having a service remember your computer is not the equivalent of using a Yubikey in the level of security enhancement achieved.
Yes, I agree, but they are getting at the same thing--restricting access to a specific computer--the one Vanguard remembers or the one that has the Yubikey inserted.
They are not even remotely equivalent.
Please explain. I agreed above that they are not equivalent but are getting at the same thing. Specifically, would you use both (1) computer restriction and (2) Yubikey? If so (or not), why?
For starters, “remembering” the saved browser is done by a browser cookie which is trivial to copy for reuse anywhere, if not able to just produce one arbitrarily.
The Yubikey uses hardware based strong cryptography and the key it generates may not be copied for reuse, or generated without the smartcard hardware built in to that specific Yubikey.
OK, but the question I was answering above was whether it was necessary to keep computer restriction on when using a Yubikey. I said no because they are essentially trying to do the same thing--limit access to a single computer--the one with the restriction cookie or the one with the Yubikey.

So I will ask again: would you use both (1) computer restriction and (2) Yubikey? If so (or not), why? If your answer is no, then we are in agreement.
criticalmass
Posts: 2564
Joined: Wed Feb 12, 2014 10:58 pm

Re: Yubikey only at Vanguard now possible.

Post by criticalmass »

Vanguard seems to ignore the remember this computer selection when using Yubikey to login.
kevinf
Posts: 609
Joined: Mon Aug 05, 2019 11:35 pm

Re: Yubikey only at Vanguard now possible.

Post by kevinf »

cowdogman wrote: Sat Mar 12, 2022 1:09 pm
criticalmass wrote: Sat Mar 12, 2022 11:40 am
cowdogman wrote: Sat Mar 12, 2022 11:28 am
HawkeyePierce wrote: Tue Mar 08, 2022 1:24 pm
cowdogman wrote: Tue Mar 08, 2022 11:44 am

Yes, I agree, but they are getting at the same thing--restricting access to a specific computer--the one Vanguard remembers or the one that has the Yubikey inserted.
They are not even remotely equivalent.
Please explain. I agreed above that they are not equivalent but are getting at the same thing. Specifically, would you use both (1) computer restriction and (2) Yubikey? If so (or not), why?
For starters, “remembering” the saved browser is done by a browser cookie which is trivial to copy for reuse anywhere, if not able to just produce one arbitrarily.
The Yubikey uses hardware based strong cryptography and the key it generates may not be copied for reuse, or generated without the smartcard hardware built in to that specific Yubikey.
OK, but the question I was answering above was whether it was necessary to keep computer restriction on when using a Yubikey. I said no because they are essentially trying to do the same thing--limit access to a single computer--the one with the restriction cookie or the one with the Yubikey.

So I will ask again: would you use both (1) computer restriction and (2) Yubikey? If so (or not), why? If your answer is no, then we are in agreement.
In this scenario I believe computer restriction could help prevent unauthorized access in the event of a stolen yubikey+credentials if the attacker didn't have access to the restricted PC.
HawkeyePierce
Posts: 1996
Joined: Tue Mar 05, 2019 10:29 pm
Location: Colorado

Re: Yubikey only at Vanguard now possible.

Post by HawkeyePierce »

rkhusky wrote: Sat Mar 12, 2022 11:39 am How easy is it to fake a Yubikey? How easy is it to fake a computer identity? Without access to the hardware.
Faking a Yubikey is impossible. Copying a cookie out of a browser is trivial.
Silence Dogood
Posts: 1604
Joined: Tue Feb 01, 2011 9:22 pm

Re: Yubikey only at Vanguard now possible.

Post by Silence Dogood »

Silence Dogood wrote: Wed Jul 21, 2021 11:49 am Disappointingly, when I attempt to sign in [using the mobile app], it prompts me to re-enable security codes. There is a drop-down menu that shows my phone number and another option that actually allows me to enter a new phone number to send a security code to.
Silence Dogood wrote: Wed Dec 22, 2021 11:02 am At the very least, Vanguard can and should get rid of the ability to add any new phone number for sending security codes to when using the mobile app (i.e., only allow existing phone numbers on file). That should not take long to implement.
Vanguard should really fix this; I notified them of this security flaw back in July.
pokebowl
Posts: 568
Joined: Sat Dec 17, 2016 7:22 pm
Location: Alaska

Re: Yubikey only at Vanguard now possible.

Post by pokebowl »

Out of curiosity, did Vanguard ever fix that mobile app vulnerability? Seeing 9 pages of discussion over Vanguard finally catching up with the times on cybersecurity, only to see then that Vanguard made all those changes null with their mobile app allowing anyone to redirect SMS on accounts as a feature. :mrgreen:
southerndoc
Posts: 1218
Joined: Wed Apr 22, 2009 7:07 pm
Location: Atlanta

Re: Yubikey only at Vanguard now possible.

Post by southerndoc »

I still haven't been able to turn off text messaging and default to Yubikey only (despite having 3 keys registered).

Can someone walk me through the process?
anon_investor
Posts: 11645
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

pokebowl wrote: Sun Apr 24, 2022 4:44 pm Out of curiosity, did Vanguard ever fix that mobile app vulnerability? Seeing 9 pages of discussion over Vanguard finally catching up with the times on cybersecurity, only to see then that Vanguard made all those changes null with their mobile app allowing anyone to redirect SMS on accounts as a feature. :mrgreen:
I don't think so. :oops:
Silence Dogood
Posts: 1604
Joined: Tue Feb 01, 2011 9:22 pm

Re: Yubikey only at Vanguard now possible.

Post by Silence Dogood »

Shame on Vanguard for not taking this seriously.
User avatar
southerndoc
Posts: 1218
Joined: Wed Apr 22, 2009 7:07 pm
Location: Atlanta

Re: Yubikey only at Vanguard now possible.

Post by southerndoc »

I tried again today to take off my mobile number. I unenrolled all my Yubikeys and got rid of the mobile phone for codes texted to me. I couldn't reenroll my Yubikeys without signing up for SMS text codes again.

Are you sure you can use Yubikeys only without SMS backup?
bertilak
Posts: 9370
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Yubikey only at Vanguard now possible.

Post by bertilak »

ThereAreNoGurus wrote: Wed Jul 14, 2021 12:24 pm
Marmot wrote: Wed Jul 14, 2021 12:16 pm I was looking at the Yubico site, how do you figure which type of key? Basically we have a combination of devices, iPhones, iPads, a Dell desktop and laptop? I took the quiz on the website but am still a bit confused. Thanks.
That quiz seemed fishy to me. No matter what my choices it almost always recommended two keys, one that was standard USB and one that was USB-C even though it appeared to me I did not need USB-C.
I think they will always recommend two keys, one for backup.

I got the "5 nano" and the "5C NFC"

I keep the nano inserted in my laptop so I only have to touch it when logging in to Vanguard. Removing and inserting is a bit fiddly so I just leave it inserted. I will put it in my pocket when traveling. The 5C NFC is my backup.

But, I am still trying to decide if there is really much extra security. Experimenting!
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
pokebowl
Posts: 568
Joined: Sat Dec 17, 2016 7:22 pm
Location: Alaska

Re: Yubikey only at Vanguard now possible.

Post by pokebowl »

bertilak wrote: Tue Apr 26, 2022 12:03 pm
But, I am still trying to decide if there is really much extra security. Experimenting!
Doesn't appear so at least right now. If I have your username password combo, I appear to be able to add my own phone number for SMS one time code on the mobile app if you no longer have it set up. I could in theory get around the yubikey requirement and access your account. Not sure if anyone has tested with a new number to see if Vanguard sends any notifications out on the changes and if access is still permitted.
MrJedi
Posts: 2170
Joined: Wed May 06, 2020 11:42 am

Re: Yubikey only at Vanguard now possible.

Post by MrJedi »

I just purchased two Yubikeys from their sale yesterday (54% off) and dipping my toes in with this type of authentication tech, but now reading through this thread is a bit disappointing. I assume no update to the app loophole?
VictoriaF
Posts: 19873
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: Yubikey only at Vanguard now possible.

Post by VictoriaF »

MrJedi wrote: Thu May 05, 2022 12:17 pm I just purchased two Yubikeys from their sale yesterday (54% off) ...
MrJedi,

How did you learn about the 54% off sale? I just went to the Yubico site, and it does not have a sale.

Thank you,
Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
increment
Posts: 988
Joined: Tue May 15, 2018 2:20 pm

Re: Yubikey only at Vanguard now possible.

Post by increment »

VictoriaF wrote: Sat May 07, 2022 9:05 am How did you learn about the 54% off sale? I just went to the Yubico site, and it does not have a sale.
The site said that it was a one day event for May the Fourth.
VictoriaF
Posts: 19873
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: Yubikey only at Vanguard now possible.

Post by VictoriaF »

Does YubiKey 5 FIPS Series work at Vanguard? Yubico's quiz directs me to buy regular YubiKey 5 Series. But if I am willing to pay more, would I get greater security without losing compatibility with Vanguard and other services?

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
kevinf
Posts: 609
Joined: Mon Aug 05, 2019 11:35 pm

Re: Yubikey only at Vanguard now possible.

Post by kevinf »

VictoriaF wrote: Sat May 07, 2022 9:27 am Does YubiKey 5 FIPS Series work at Vanguard? Yubico's quiz directs me to buy regular YubiKey 5 Series. But if I am willing to pay more, would I get greater security without losing compatibility with Vanguard and other services?

Victoria
Honestly, just get the cheaper security key (it's blue). They all offer the same effective level of protection, but the blue key just has fewer legacy standards included. The more expensive keys offer compliance with certain older standards and also a few features that consumer level users simply aren't going to use at home.
MrJedi
Posts: 2170
Joined: Wed May 06, 2020 11:42 am

Re: Yubikey only at Vanguard now possible.

Post by MrJedi »

VictoriaF wrote: Sat May 07, 2022 9:05 am
MrJedi wrote: Thu May 05, 2022 12:17 pm I just purchased two Yubikeys from their sale yesterday (54% off) ...
MrJedi,

How did you learn about the 54% off sale? I just went to the Yubico site, and it does not have a sale.

Thank you,
Victoria
I follow some deal sites and it turned up. Slick Deals. This used to be a really great site with user submitted deal findings, but has slowly turned more and more commercialized over the years with paid sponsors, shills, etc. I still frequent it though. Some gems still show up from time to time like this. I got two Yubikey 5 NFC keys for $41.

I was always a little curious about these devices but they were a little pricey for me at full price, but with the sale I decided it was enough for me to try it out and play with. And if nothing else, I've learned a little more about the tech.

As mentioned above it was a one-day sale for May the 4th (somebody is clearly a Star Wars fan at Yubico).
K72
Posts: 236
Joined: Wed Dec 05, 2018 8:04 pm

Re: Yubikey only at Vanguard now possible.

Post by K72 »

Nicolas wrote: Sat Oct 09, 2021 4:32 pm
squirm wrote: Sat Oct 09, 2021 3:34 pm Why put the code in a safe? Nobody knows what it's for. I have mine taped behind as cabinet door with a bunch of tuna recipes mixed in, it looks like the printer printed junk in the middle of a tuna salad. Nobody has a clue.
This reminds me of what my coworker told me in 1980 during the silver boom. He said he was going to buy a big brick of silver as an investment and then paint it some other color and use it as a doorstop. The ultimate security, hiding in plain sight. I don’t know if he ever followed through (and he’s dead now). It would’ve been a poor investment anyway, silver hit a peak then of $50/ounce (in 1980 dollars) and of course paid no dividends.
Wow does this bring back a memory. When I was a young teenager I stashed what I thought were valuable bills (red seal $5 bills, silver certificate $1 bills) inside of paper back books I'd read. I soon forgot about them and I can only guess that my mom threw out the books after I finished college and moved far away.
All we want are the facts...
anon_investor
Posts: 11645
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

MrJedi wrote: Thu May 05, 2022 12:17 pm I just purchased two Yubikeys from their sale yesterday (54% off) and dipping my toes in with this type of authentication tech, but now reading through this thread is a bit disappointing. I assume no update to the app loophole?
But all is not lost. You can use a Google Voice number as the SMS 2FA, then lock down your Google account with a Yubikey. This is what I did, makes your Vanguard account much more secure.
bertilak
Posts: 9370
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Yubikey only at Vanguard now possible.

Post by bertilak »

If I decide I am not going to use a YubiKey I bought is there anything I should do before passing it on to someone else?

Assume I have deleted it from the apps I was using it with. For example, I removed any reference to the key from Vanguard's "Security Keys" web page.

It seems there is no problem. YubiKey manager has a "reset" option and I wonder just what that does and if I should use it.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
Scorpion Stare
Posts: 49
Joined: Wed Dec 22, 2021 10:15 am

Re: Yubikey only at Vanguard now possible.

Post by Scorpion Stare »

bertilak wrote: Sat May 07, 2022 3:11 pm If I decide I am not going to use a YubiKey I bought is there anything I should do before passing it on to someone else? Assume I have deleted it from the apps I was using it with.
Probably you don't need to do anything else, but you can use the "reset" button in Yubikey Manager just to be sure.

The typical way of using Yubikeys (used by most sites like Vanguard, Google) doesn't store anything on the key aside from a cryptographic key, which is useless after you have unregistered the key from all your services.

There are some alternate uses that do store sensitive data on the key, for example if you use the Yubikey Authenticator app to store TOTP codes. If you did any of those things, resetting the key will erase them.
Last edited by Scorpion Stare on Sat May 07, 2022 11:57 pm, edited 1 time in total.
bertilak
Posts: 9370
Joined: Tue Aug 02, 2011 5:23 pm
Location: East of the Pecos, West of the Mississippi

Re: Yubikey only at Vanguard now possible.

Post by bertilak »

Scorpion Stare wrote: Sat May 07, 2022 7:01 pm
bertilak wrote: Sat May 07, 2022 3:11 pm If I decide I am not going to use a YubiKey I bought is there anything I should do before passing it on to someone else? Assume I have deleted it from the apps I was using it with.
Probably you don't need to do anything else, but you can use the "reset" button in Yubikey Manager just to be sure.

The typical way of using Yubikeys (used by most sites like Vanguard, Google) doesn't store any data on the key. There are some alternate uses that do store data on the key, for example if you use the Yubikey Authenticator app to store TOTP codes on the key. If you did any of those things, resetting the key will erase them.
Thanks.
May neither drought nor rain nor blizzard disturb the joy juice in your gizzard. -- Squire Omar Barker (aka S.O.B.), the Cowboy Poet
MrJedi
Posts: 2170
Joined: Wed May 06, 2020 11:42 am

Re: Yubikey only at Vanguard now possible.

Post by MrJedi »

anon_investor wrote: Sat May 07, 2022 2:03 pm
MrJedi wrote: Thu May 05, 2022 12:17 pm I just purchased two Yubikeys from their sale yesterday (54% off) and dipping my toes in with this type of authentication tech, but now reading through this thread is a bit disappointing. I assume no update to the app loophole?
But all is not lost. You can use a Google Voice number as the SMS 2FA, then lock down your Google account with a Yubikey. This is what I did, makes your Vanguard account much more secure.
Thanks for the tip. I've taken the steps to lock down a Google account away from SMS and signed up for a Google Voice number. I put it into Vanguard's security code section and it works. I tested it by trying to log in with a mobile browser. It says security key not supported and sent a text to my Google Voice number, which worked. Better than nothing but still seems like a lazy implementation on Vanguard's part to so easily bypass a hardware key.
K72
Posts: 236
Joined: Wed Dec 05, 2018 8:04 pm

Re: Yubikey only at Vanguard now possible.

Post by K72 »

anon_investor wrote: Tue Mar 08, 2022 1:38 pm Using a Google Voice number with a Google account secured by a Yubikey as the SMS 2FA for your Vanguard account and Yubikey as the other 2FA option for your Vanguard account is the only way to really secure your Vanguard account at this time.
Is your GV SMS forwarded to your actual cell #? I recall reading that it isn't a good idea to have GV SMS forwarded but I don't remember the reason. Does it matter from a security standpoint?
All we want are the facts...
anon_investor
Posts: 11645
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

K72 wrote: Wed May 11, 2022 10:37 am
anon_investor wrote: Tue Mar 08, 2022 1:38 pm Using a Google Voice number with a Google account secured by a Yubikey as the SMS 2FA for your Vanguard account and Yubikey as the other 2FA option for your Vanguard account is the only way to really secure your Vanguard account at this time.
Is your GV SMS forwarded to your actual cell #? I recall reading that it isn't a good idea to have GV SMS forwarded but I don't remember the reason. Does it matter from a security standpoint?
I do not have it forwarded to my actual cell #. To access it on my phone I can check the Google Voice app or my email. So if my cell phone number is hijacked via a SIM swap, the bad guys won't have access.
MrJedi
Posts: 2170
Joined: Wed May 06, 2020 11:42 am

Re: Yubikey only at Vanguard now possible.

Post by MrJedi »

Yeah, if you set up forwarding then you are just re-exposing yourself to the same vulnerability as before. Thief can steal your real phone number, request a Vanguard code which goes to the Google Voice number but then is forwarded to the stolen number for the thief to access.

The Google Voice by itself is more secure because there is an option to lock the phone number within your Google account so that a carrier isn't allowed to port the number until it's unlocked. So thief cannot steal the number without access to your Google account to unlock the number.
Northern Flicker
Posts: 10759
Joined: Fri Apr 10, 2015 12:29 am

Re: Yubikey only at Vanguard now possible.

Post by Northern Flicker »

kevinf wrote: Sat Mar 12, 2022 2:01 pm
cowdogman wrote: Sat Mar 12, 2022 1:09 pm
OK, but the question I was answering above was whether it was necessary to keep computer restriction on when using a Yubikey. I said no because they are essentially trying to do the same thing--limit access to a single computer--the one with the restriction cookie or the one with the Yubikey.

So I will ask again: would you use both (1) computer restriction and (2) Yubikey? If so (or not), why? If your answer is no, then we are in agreement.
In this scenario I believe computer restriction could help prevent unauthorized access in the event of a stolen yubikey+credentials if the attacker didn't have access to the restricted PC.
No, remembering the computer means it is an authentication option, not a requirement. You can remember the computer and still log in with 2FA on a different machine. But if you have a vulnerability in which both your yubikey and password are stolen, you probably are doing something wrong like storing your passwords in cleartext on a thumbdrive on the same keychain as your yubikey etc.

Properly configured, yubikeys and passwords have mostly independent attack surfaces. There may be some correlated vulnerabilities with respect to your browser being compromised, but it is very difficult to impossible to log in in a secure manner by any method with a compromised browser.

If you checked remember your computer in the past, it reduces the security of your connection for every session where the yubikey is not used. A yubikey plus browser employs a protocol (challenge-response authentication) that defeats man-in-the-middle attacks and other types of Trojan horse attacks as long as you have a clean connection to a service when you initialize the yubikey.

The initialization involves the yubikey and service exchanging public-private key pairs so that encryption and authentication is end-to-end and both you and the service are assured that you are actually talking to each other. You are not just authenticating to Vanguard. Vanguard also essentially is authenticating to you. This eliminates risks associated with breached or rogue DNS servers and/or breached or rogue certificate authorities out on the internet. Remembering your computer defeats this any time it sidesteps the yubikey protocol being employed. There is also the risk that an attacker successfully spoofs your computer by obtaining a cookie and/or forging the IP address in packet headers etc. These tricks involve possession of data (cookie, IP address, browser (not human) fingerprints, etc.) not possession of hardware (yubikey). Even human fingerprints are data once digitized.

For Vanguard, you want to configure Google Voice for 2FA to protect against attacks using the Vanguard smartphone/tablet app, which does not support yubikeys. You still should use the yubikey for 2FA when using a browser to connect, which is preferred. Avoid using the app whenever practical. The GV 2FA option is still useful as a fallback to prevent lockout from your account if your yubikey fails or is lost: you can log in with GV and disable the use of the lost yubikey. Be sure to secure your Google Voice account with 2 yubikeys and I prefer not to have any 1-time Google passcodes implemented. They expand the attack surface, and are unnecessary if you have 2 yubikeys.
My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
kevinf
Posts: 609
Joined: Mon Aug 05, 2019 11:35 pm

Re: Yubikey only at Vanguard now possible.

Post by kevinf »

Northern Flicker wrote: Thu May 12, 2022 3:26 am
kevinf wrote: Sat Mar 12, 2022 2:01 pm
cowdogman wrote: Sat Mar 12, 2022 1:09 pm
OK, but the question I was answering above was whether it was necessary to keep computer restriction on when using a Yubikey. I said no because they are essentially trying to do the same thing--limit access to a single computer--the one with the restriction cookie or the one with the Yubikey.

So I will ask again: would you use both (1) computer restriction and (2) Yubikey? If so (or not), why? If your answer is no, then we are in agreement.
In this scenario I believe computer restriction could help prevent unauthorized access in the event of a stolen yubikey+credentials if the attacker didn't have access to the restricted PC.
No, remembering the computer means it is an authentication option, not a requirement.
Hmmm, I'm under the impression that computer restriction means either a hardware fingerprint of a specific computer is generated or a specific cookie is used. The first would require spoofing the hardware if access to the actual computer is not available, and the second would require spoofing or stealing the cookie. If the computer attempting to login doesn't match the fingerprint/cookie then a login is simply not allowed, which restricts your logins to specific devices.
Northern Flicker
Posts: 10759
Joined: Fri Apr 10, 2015 12:29 am

Re: Yubikey only at Vanguard now possible.

Post by Northern Flicker »

kevinf wrote: If the computer attempting to login doesn't match the fingerprint/cookie then a login is simply not allowed which restricts your logins to specific devices.
I don’t think the remember this computer option at Vanguard restricts the devices from which you can login. I think it eliminates the 2FA stage of the authentication protocol when 2FA is in play. If you click remember this computer you are not locked out if your cookie cache is flushed, or you purchase a new machine.

Whatever is used as a system fingerprint, it still is a piece of data that is transmitted to a service and that can be copied and communicated to an authentication session from somewhere else.

More precisely, the remember your computer feature leaves the user exposed to replay attacks where the same authentication session is replayed again later. If you get hit with a man-in-the-middle attack, attempts to inflict damage on your account while you are logged in often would be visible to you, and you could take defensive action. A more difficult situation is that the Trojan horse in the middle captures the session but does nothing else for the time being. You complete your transactions or whatever normally and would not know that the data going back and forth was being filtered.

The attacker then replays the authentication session later from a different machine.

2FA by text code defeats replay attacks because unique codes are generated for each session (modulo collisions due to being limited to 6 digits). Yubikey authentication additionally defeats Trojan horses and MITM attacks from the outset, which is more upstream protection.
My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
Northern Flicker
Posts: 10759
Joined: Fri Apr 10, 2015 12:29 am

Re: Yubikey only at Vanguard now possible.

Post by Northern Flicker »

I would add that a correct implementation of challenge-response authentication requires that challenges are never repeated. This is required for challenge-response authentication to defeat replay attacks. It normally is implemented by including a monotonically increasing sequence number or time of day in seconds since 1900 concatenated to the challenges used for a particular user, with enough bits in the encoding of the sequences not to re-use sequence numbers in the user’s lifetime.

Challenge-response authentication is robust by itself without a need for 2FA, and has been known since the late 1970s (demonstrating that network authentication in practice today is still in the Bronze Age):

https://www.cs.swarthmore.edu/~newhall/ ... /popek.pdf

(To avoid confusion from the previous sentence, it is worth emphasizing that with a yubikey the challenge-response authentication is incorporated in the role of a second factor authentication with respect to the password).

I have not investigated whether protocols involving yubikeys implement challenge-response properly with no practical repeat of challenges, but I assume they do.
My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
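The two points argued across this page, that a "remembered" browser is just a copyable cookie (criticalmass, HawkeyePierce) and that a key-based login only resists replay if challenges are never reused (Northern Flicker's last two posts), can be made concrete in a small model. The following is an added example written for this thread, not code from Vanguard, Yubico or any poster. It uses only the Python standard library, so the YubiKey's ECDSA P-256 signature is stood in for by an HMAC-SHA256 over the same fields a FIDO/WebAuthn assertion actually signs: the hash of the relying-party ID, a signature counter, and the server's challenge. The host names `vanguard.com` and `vanguard-login.example`, the user `alice`, and the 60-second challenge lifetime are assumptions for the demo. As far as the question at the end of the post above goes, WebAuthn servers issue a fresh random challenge per login (the spec calls for at least 16 random bytes) and verify a monotonically increasing per-credential counter, which is what the model below implements.

```python
"""'Remember this computer' cookie vs. security-key challenge-response (added
example, not Vanguard or Yubico code). Stdlib only: the key's ECDSA signature is
stood in for by HMAC-SHA256 over the fields a FIDO assertion signs (rpIdHash,
signature counter, challenge). Host and user names are illustrative."""
import hashlib
import hmac
import os
import secrets
import time

RP_ID = "vanguard.com"                  # origin the key was registered with (assumed)
PHISH_RP_ID = "vanguard-login.example"  # lookalike phishing origin (constructed)

def rp_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()

class RememberedBrowser:
    """'Remember this computer' is a bearer token: whoever holds it is trusted."""
    def __init__(self):
        self._cookies = {}              # token -> user

    def remember(self, user):
        tok = secrets.token_hex(16)
        self._cookies[tok] = user
        return tok

    def login(self, tok):
        return self._cookies.get(tok)   # no challenge, nothing tied to the machine

class Authenticator:
    """The secret never leaves the key; the site only ever sees assertions."""
    def __init__(self, secret=None, counter=0):
        self._secret = secret or os.urandom(32)
        self.counter = counter

    def clone(self):                    # would need the secret extracted from the hardware
        return Authenticator(self._secret, self.counter)

    def get_assertion(self, origin_rp_id, challenge):
        """The browser supplies the origin it is really on; the key signs over its hash."""
        self.counter += 1
        auth_data = rp_hash(origin_rp_id) + self.counter.to_bytes(4, "big")
        sig = hmac.new(self._secret, auth_data + challenge, hashlib.sha256).digest()
        return {"auth_data": auth_data, "challenge": challenge, "sig": sig}

class RelyingParty:
    def __init__(self, rp_id, ttl=60):
        self.rp_id, self.ttl = rp_id, ttl
        self._pending = {}              # challenge -> (user, issued_at)
        self._creds = {}                # user -> [verify_key, last_counter]

    def register(self, user, key):
        # Real FIDO stores the credential's public key; the HMAC stand-in shares the secret.
        self._creds[user] = [key._secret, key.counter]

    def challenge(self, user, now=None):
        ch = secrets.token_bytes(32)    # 256 random bits: a repeat is not a practical concern
        self._pending[ch] = (user, time.time() if now is None else now)
        return ch

    def verify(self, user, a, now=None):
        now = time.time() if now is None else now
        issued = self._pending.pop(a["challenge"], None)   # single use: a replay fails here
        if issued is None or issued[0] != user or now - issued[1] > self.ttl:
            return "rejected: unknown, reused or expired challenge"
        if a["auth_data"][:32] != rp_hash(self.rp_id):
            return "rejected: rpIdHash mismatch (phishing origin)"
        key, last = self._creds[user]
        expect = hmac.new(key, a["auth_data"] + a["challenge"], hashlib.sha256).digest()
        if not hmac.compare_digest(expect, a["sig"]):
            return "rejected: bad signature"
        counter = int.from_bytes(a["auth_data"][32:], "big")
        if counter <= last:
            return "rejected: counter regression (cloned authenticator?)"
        self._creds[user][1] = counter
        return "ok"

def run_demo():
    r = {}
    rb = RememberedBrowser()
    stolen = rb.remember("alice")                 # copied out of the browser profile
    r["cookie_from_other_pc"] = rb.login(stolen)  # accepted from anywhere
    rp, key = RelyingParty(RP_ID), Authenticator()
    rp.register("alice", key)
    a = key.get_assertion(RP_ID, rp.challenge("alice"))
    r["key_login"] = rp.verify("alice", a)
    r["key_replay"] = rp.verify("alice", a)       # captured assertion presented again
    stale = rp.challenge("alice", now=0)
    r["key_stale"] = rp.verify("alice", key.get_assertion(RP_ID, stale), now=3600)
    relayed = rp.challenge("alice")               # phishing page relays the real challenge
    r["key_phished"] = rp.verify("alice", key.get_assertion(PHISH_RP_ID, relayed))
    clone = key.clone()                           # clone used once, then the real key again
    r["clone_login"] = rp.verify("alice", clone.get_assertion(RP_ID, rp.challenge("alice")))
    r["genuine_after_clone"] = rp.verify("alice", key.get_assertion(RP_ID, rp.challenge("alice")))
    return r

if __name__ == "__main__":
    print(*(f"{k:20} {v}" for k, v in run_demo().items()), sep="\n")
```

Running it shows the cookie accepted from any machine, the key login accepted once, and the same assertion rejected when replayed or presented after its challenge expires. The phishing case fails because the browser, not the page, tells the key which origin it is on, so the signature binds the lookalike domain rather than the real one. The counter check is weaker than the others: it only catches a cloned key after the clone has already been used once, which is why it is treated as a detection signal rather than a preventive control.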
K72
Posts: 236
Joined: Wed Dec 05, 2018 8:04 pm

Re: Yubikey only at Vanguard now possible.

Post by K72 »

Northern Flicker wrote: Thu May 12, 2022 3:26 am For Vanguard, you want to configure Google Voice for 2FA to protect against attacks using the Vanguard smartphone/tablet app, which does not support yubikeys. You still should use the yubikey for 2FA when using a browser to connect, which is preferred. Avoid using the app whenever practical. The GV 2FA option is still useful as a fallback to prevent lockout from your account if your yubikey fails or is lost— you can login with GV and disable the use of the lost yubikey. Be sure to secure your google voice account with 2 yubikeys and I prefer not to have any 1-time google passcodes implemented. They expand the attack surface, and are unnecessary if you have 2 yubikeys.
Related but perhaps tangential question. If I implement 2FA for Vanguard using GV and 2 yubikeys as you've described, is there any issue with using the same GV number for junk transactions like a one time restaurant reservation, sport tickets, etc.?
All we want are the facts...
Northern Flicker
Posts: 10759
Joined: Fri Apr 10, 2015 12:29 am

Re: Yubikey only at Vanguard now possible.

Post by Northern Flicker »

I presently don’t see a security risk with that, but I’d likely not do it. I probably would set up a separate GV number for that.
My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
Northern Flicker
Posts: 10759
Joined: Fri Apr 10, 2015 12:29 am

Re: Yubikey only at Vanguard now possible.

Post by Northern Flicker »

Following up on clicking “remember this computer”…

If you set that up, you subsequently can go to Profile & Account Settings -> Computer Access Restrictions

And there is an option to select to restrict access to recognized computers, browsers, etc.

Vanguard recommends not using that setting on the page where it appears (by recommending the choice not to restrict). Presumably this is to avoid account lockout, say if that machine bites the dust. You would need to have 2 or 3 machines remembered before enabling to avoid lockout. This still does not prevent replay attacks.

It would provide an alternative to Google Voice 2FA to protect the mobile app, e.g. you could have multiple machines remembered to avoid lockout and have the mobile device be one of them.

Protecting a phone app with GV 2FA would be most secure if the GV or the app login were on a separate device so that you are not typing in a password on the same device where a 2FA text code is received (single point of compromise/breach).
My postings are my opinion, and never should be construed as a recommendation to buy, sell, or hold any particular investment.
Silence Dogood
Posts: 1604
Joined: Tue Feb 01, 2011 9:22 pm

Re: Are Vanguard’s IT Systems At The Breaking Point?

Post by Silence Dogood »

See: Yubikey only at Vanguard now possible.
Silence Dogood wrote: Wed Jul 21, 2021 11:49 am Disappointingly, when I attempt to sign in [using the mobile app], it prompts me to re-enable security codes. There is a drop-down menu that shows my phone number and another option that actually allows me to enter a new phone number to send a security code to.
Silence Dogood wrote: Wed Dec 22, 2021 11:02 am At the very least, Vanguard can and should get rid of the ability to add any new phone number for sending security codes to when using the mobile app (i.e., only allow existing phone numbers on file). That should not take long to implement.
I notified Vanguard about this security flaw back in July; they still haven't fixed it.
TropikThunder
Posts: 3625
Joined: Sun Apr 03, 2016 5:41 pm

Re: Are Vanguard’s IT Systems At The Breaking Point?

Post by TropikThunder »

Silence Dogood wrote: Wed May 18, 2022 5:12 pm See: Yubikey only at Vanguard now possible.
Silence Dogood wrote: Wed Jul 21, 2021 11:49 am Disappointingly, when I attempt to sign in [using the mobile app], it prompts me to re-enable security codes. There is a drop-down menu that shows my phone number and another option that actually allows me to enter a new phone number to send a security code to.
Silence Dogood wrote: Wed Dec 22, 2021 11:02 am At the very least, Vanguard can and should get rid of the ability to add any new phone number for sending security codes to when using the mobile app (i.e., only allow existing phone numbers on file). That should not take long to implement.
I notified Vanguard about this security flaw back in July; they still haven't fixed it.
Is this for the old app? I don’t see anywhere to make any sort of security changes on the app. The only profile setting I can make any changes to is “save username: yes or no”. I can’t change my phone number, address, email, bank account, etc.
Silence Dogood
Posts: 1604
Joined: Tue Feb 01, 2011 9:22 pm

Re: Are Vanguard’s IT Systems At The Breaking Point?

Post by Silence Dogood »

TropikThunder wrote: Thu May 19, 2022 12:54 am
Silence Dogood wrote: Wed May 18, 2022 5:12 pm See: Yubikey only at Vanguard now possible.
Silence Dogood wrote: Wed Jul 21, 2021 11:49 am Disappointingly, when I attempt to sign in [using the mobile app], it prompts me to re-enable security codes. There is a drop-down menu that shows my phone number and another option that actually allows me to enter a new phone number to send a security code to.
Silence Dogood wrote: Wed Dec 22, 2021 11:02 am At the very least, Vanguard can and should get rid of the ability to add any new phone number for sending security codes to when using the mobile app (i.e., only allow existing phone numbers on file). That should not take long to implement.
I notified Vanguard about this security flaw back in July; they still haven't fixed it.
Is this for the old app? I don’t see anywhere to make any sort of security changes on the app. The only profile setting I can make any changes to is “save username: yes or no”. I can’t change my phone number, address, email, bank account, etc.
Worse - this actually occurs before fully signing in, without any two-factor authentication required.
Silence Dogood wrote: Wed Jul 21, 2021 11:49 am
criticalmass wrote: Tue Jul 20, 2021 11:34 pm Sounds good. I can also disable security codes completely, but attempts to login again provide an option re-enable the SMS verification codes.
If you attempt to login with the Vanguard mobile app after disabling SMS verification codes, does it allow you re-enable SMS verification like it does for me?
When I sign in using a web browser, I do not see any option to use a security code (SMS) as a backup (I looked carefully for it).

However, I just downloaded the mobile app to test this out...

Disappointingly, when I attempt to sign in, it prompts me to re-enable security codes. There is a drop-down menu that shows my phone number and another option that actually allows me to enter a new phone number to send a security code to. I did not actually go ahead and test that out, but presumably an attacker could actually enter any phone number and use that to get in.
So Yubikeys don't work with the Vanguard mobile app - not ideal - but my point is that Vanguard should at least get rid of the ability to enter any new phone number. In other words, only allow the selection of a phone number already on file.
TropikThunder
Posts: 3625
Joined: Sun Apr 03, 2016 5:41 pm

Re: Are Vanguard’s IT Systems At The Breaking Point?

Post by TropikThunder »

Silence Dogood wrote: Fri May 20, 2022 10:45 am
TropikThunder wrote: Thu May 19, 2022 12:54 am
Silence Dogood wrote: Wed May 18, 2022 5:12 pm See: Yubikey only at Vanguard now possible.
Silence Dogood wrote: Wed Jul 21, 2021 11:49 am Disappointingly, when I attempt to sign in [using the mobile app], it prompts me to re-enable security codes. There is a drop-down menu that shows my phone number and another option that actually allows me to enter a new phone number to send a security code to.
I notified Vanguard about this security flaw back in July; they still haven't fixed it.
Is this for the old app? I don’t see anywhere to make any sort of security changes on the app. The only profile setting I can make any changes to is “save username: yes or no”. I can’t change my phone number, address, email, bank account, etc.
Worse - this actually occurs before fully signing in, without any two-factor authentication required.
You must have a different version of the app (I'm using 12.12.0.1), I literally cannot do anything before logging in. On the login page there is a link for "Security" but it's informational, and while there is a link to enroll in "security codes" (2FA), you absolutely cannot do anything without logging in - no drop down, etc. Even after I do log in, there still is no way to make any changes like this, you have to go to the web version. I honestly have no idea what you are seeing.
conundrum
Posts: 857
Joined: Sat May 09, 2009 7:00 pm

Update on Vanguard mobile app security

Post by conundrum »

In regards to Vanguard's mobile app security, I spoke with one of their IT team yesterday and he stated that at this time you could not change your 2FA info on the app but had to use the website. This sounds consistent with what poster TropikThunder stated on the Vanguard IT post, but I know that others, specifically poster Silence Dogood, have noted the ability to change the 2FA number on the app. I currently am using a Yubikey for access to my account but have also been using the computer restriction to block the use of the mobile app. The IT representative recommended not using the computer restriction option and stated that due to Vanguard’s security changes in most situations it just locks you out of your account and it is necessary to call to regain access. That has also been my experience, and 90+% of the time I have to call to get access. I don’t really want to use the computer restriction but was concerned regarding the app security. Any updates on the mobile app?
Thanks.
Drum
LadyGeek
Site Admin
Posts: 83315
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: Yubikey only at Vanguard now possible.

Post by LadyGeek »

I merged conundrum's post into the ongoing discussion.

(Thanks to the member who reported the post and provided a link to this thread.)
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
Silence Dogood
Posts: 1604
Joined: Tue Feb 01, 2011 9:22 pm

Re: Update on Vanguard mobile app security

Post by Silence Dogood »

conundrum wrote: Sat May 21, 2022 2:18 pm In regards to Vanguard's mobile app security, I spoke with one of their IT team yesterday and he stated that at this time you could not change your 2FA info on the app but had to use the website. This sounds consistent with what poster TropikThunder stated on the Vanguard IT post, but I know that others, specifically poster Silence Dogood, have noted the ability to change the 2FA number on the app. I currently am using a Yubikey for access to my account but have also been using the computer restriction to block the use of the mobile app. The IT representative recommended not using the computer restriction option and stated that due to Vanguard’s security changes in most situations it just locks you out of your account and it is necessary to call to regain access. That has also been my experience, and 90+% of the time I have to call to get access. I don’t really want to use the computer restriction but was concerned regarding the app security. Any updates on the mobile app?
Thanks.
Drum
Have you disabled security codes (SMS)?
conundrum wrote: Fri Jan 21, 2022 2:39 pm I was able to register 2 security keys and disable the text/SMS option.
(OK, so I believe you have.)

Now, what happens when you attempt to log in using the mobile app?

(Enter your username, password, and answer the security question. What happens next?)
Last edited by Silence Dogood on Mon May 23, 2022 5:30 pm, edited 2 times in total.
Silence Dogood
Posts: 1604
Joined: Tue Feb 01, 2011 9:22 pm

Re: Are Vanguard’s IT Systems At The Breaking Point?

Post by Silence Dogood »

TropikThunder wrote: Fri May 20, 2022 5:39 pm
Silence Dogood wrote: Fri May 20, 2022 10:45 am
TropikThunder wrote: Thu May 19, 2022 12:54 am
Silence Dogood wrote: Wed May 18, 2022 5:12 pm See: Yubikey only at Vanguard now possible.
Silence Dogood wrote: Wed Jul 21, 2021 11:49 am Disappointingly, when I attempt to sign in [using the mobile app], it prompts me to re-enable security codes. There is a drop-down menu that shows my phone number and another option that actually allows me to enter a new phone number to send a security code to.
I notified Vanguard about this security flaw back in July; they still haven't fixed it.
Is this for the old app? I don’t see anywhere to make any sort of security changes on the app. The only profile setting I can make any changes to is “save username: yes or no”. I can’t change my phone number, address, email, bank account, etc.
Worse - this actually occurs before fully signing in, without any two-factor authentication required.
You must have a different version of the app (I'm using 12.12.0.1), I literally cannot do anything before logging in. On the login page there is a link for "Security" but it's informational, and while there is a link to enroll in "security codes" (2FA), you absolutely cannot do anything without logging in - no drop down, etc. Even after I do log in, there still is no way to make any changes like this, you have to go to the web version. I honestly have no idea what you are seeing.
Have you disabled security codes (SMS)?
LadyGeek
Site Admin
Posts: 83315
Joined: Sat Dec 20, 2008 5:34 pm
Location: Philadelphia

Re: Yubikey only at Vanguard now possible.

Post by LadyGeek »

LadyGeek wrote: Sat May 21, 2022 4:13 pm I merged conundrum's post into the ongoing discussion.

(Thanks to the member who reported the post and provided a link to this thread.)
Additional posts have been moved into here from: Are Vanguard’s IT Systems At The Breaking Point?
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
Silence Dogood
Posts: 1604
Joined: Tue Feb 01, 2011 9:22 pm

Re: Yubikey only at Vanguard now possible.

Post by Silence Dogood »

Silence Dogood wrote: Tue Aug 24, 2021 6:48 pm Here are the things that Vanguard should fix:

...

3. Require the security key for every log in - but stop asking whether or not the device should be recognized.

Apparently Vanguard does require the security key to be used with every log in - which is best practice. However, for whatever reason, Vanguard continues to ask whether or not the device being used is private or public. Whichever option is chosen seems to not have any effect. This is a lower priority issue, since it's more of a design/aesthetic issue, but it should still be fixed.
To Vanguard's credit, they have fixed this specific issue.
anon_investor
Posts: 11645
Joined: Mon Jun 03, 2019 1:43 pm

Re: Yubikey only at Vanguard now possible.

Post by anon_investor »

Silence Dogood wrote: Mon May 23, 2022 5:27 pm
Silence Dogood wrote: Tue Aug 24, 2021 6:48 pm Here are the things that Vanguard should fix:

...

3. Require the security key for every log in - but stop asking whether or not the device should be recognized.

Apparently Vanguard does require the security key to be used with every log in - which is best practice. However, for whatever reason, Vanguard continues to ask whether or not the device being used is private or public. Whichever option is chosen seems to not have any effect. This is a lower priority issue, since it's more of a design/aesthetic issue, but it should still be fixed.
To Vanguard's credit, they have fixed this specific issue.
So they fixed the cosmetic annoyance but not the actual security issue...
MrJedi
Posts: 2170
Joined: Wed May 06, 2020 11:42 am

Re: Are Vanguard’s IT Systems At The Breaking Point?

Post by MrJedi »

TropikThunder wrote: Fri May 20, 2022 5:39 pm You must have a different version of the app (I'm using 12.12.0.1), I literally cannot do anything before logging in. On the login page there is a link for "Security" but it's informational, and while there is a link to enroll in "security codes" (2FA), you absolutely cannot do anything without logging in - no drop down, etc. Even after I do log in, there still is no way to make any changes like this, you have to go to the web version. I honestly have no idea what you are seeing.
Enable hardware keys and then disable SMS authentication.

Then go to the app and log in. Since hardware keys do not work with the app, it will ask you for a phone number to use for SMS authentication.

The workaround we've been using is to leave SMS as an option but with a Google Voice number that is locked down. The hardware key is still the primary method, but at least a new phone number can't be entered when logging in with mobile.
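The flaw Silence Dogood reports (a disabled-SMS account offered re-enrolment with any typed-in number before 2FA completes) and the locked-down-number workaround in the post above, modelled as an added example; this is not Vanguard's code or anyone's from the thread, and the account fields, client names and phone numbers are constructed assumptions.

```python
# Model of the second-factor step on a login flow: the reported behaviour
# beside a hardened policy, plus the enrolment rule that closes the gap.
from dataclasses import dataclass, field


@dataclass
class Account:
    hardware_keys: set = field(default_factory=set)  # enrolled FIDO key ids
    sms_numbers: set = field(default_factory=set)    # numbers on file
    sms_enabled: bool = True


class Denied(Exception):
    """Raised when no enrolled second factor is usable on this client."""


def second_factor_options_vulnerable(acct, client, typed_number=None):
    """Numbers the flow will send a code to. Reproduces the flaw from the
    thread: a client with no hardware-key support and SMS disabled is
    prompted to re-enable codes, and accepts a number typed in before
    any second factor has been presented."""
    if client == "browser" and acct.hardware_keys:
        return set()                      # key used, no SMS offered at all
    if acct.sms_enabled:
        return set(acct.sms_numbers)      # drop-down limited to numbers on file
    offered = set(acct.sms_numbers)       # SMS disabled: re-enable prompt
    if typed_number:
        offered.add(typed_number)         # unverified number accepted (flaw)
    return offered


def second_factor_options_hardened(acct, client, typed_number=None):
    """Only factors enrolled under a completed 2FA session are offered;
    a client that cannot use any of them is denied rather than handed a
    way to add one. typed_number is deliberately ignored."""
    if client == "browser" and acct.hardware_keys:
        return set()
    if acct.sms_enabled and acct.sms_numbers:
        return set(acct.sms_numbers)
    raise Denied("no usable enrolled second factor on this client")


def enroll_sms_number(acct, number, second_factor_verified):
    """Changing 2FA settings requires an already-verified second factor,
    which is what keeps the login prompt from doubling as enrolment."""
    if not second_factor_verified:
        raise Denied("second factor required before changing 2FA settings")
    acct.sms_numbers.add(number)
    acct.sms_enabled = True
    return acct
```

With SMS left enabled on a locked-down number (the workaround above), even the flawed flow has nothing to offer beyond the number on file, which matches what K72 later confirms.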
anon_investor
Posts: 11645
Joined: Mon Jun 03, 2019 1:43 pm

Re: Are Vanguard’s IT Systems At The Breaking Point?

Post by anon_investor »

MrJedi wrote: Mon May 30, 2022 12:26 pm
TropikThunder wrote: Fri May 20, 2022 5:39 pm You must have a different version of the app (I'm using 12.12.0.1), I literally cannot do anything before logging in. On the login page there is a link for "Security" but it's informational, and while there is a link to enroll in "security codes" (2FA), you absolutely cannot do anything without logging in - no drop down, etc. Even after I do log in, there still is no way to make any changes like this, you have to go to the web version. I honestly have no idea what you are seeing.
Enable hardware keys and then disable SMS authentication.

Then go to app and login. Since hardware keys do not work with app, it will ask you for a phone number to use for SMS authentication.

The work around we've been using is to leave SMS as an option but with a Google Voice number that is locked down. Hardware key is still primary method but at least a new phone number can't be entered when logging in with mobile.
Also secure your Google account with your Yubikey and disable unsecured 2FA methods such as SMS.
K72
Posts: 236
Joined: Wed Dec 05, 2018 8:04 pm

Re: Yubikey only at Vanguard now possible.

Post by K72 »

Finally got Vanguard 2FA set up using Yubikeys plus GV, and secured Google account with Yubikeys and no SMS 2FA. Confirmed the V mobile app uses GV for SMS 2FA and does not give a choice for another number. Couple of hiccups though:

- When I first tried to set up Yubikeys in Vanguard I already had a key inserted and got an error message. Had to remove the Yubikey and start over. Worked ok then.

- Before installing the mobile app I wanted to validate the phone number change to GV, but couldn't figure out an easy way to do it, so I deleted the Yubikeys, logged out, then logged back in to utilize 2FA SMS to the GV number. I then re-registered the Yubikeys. Kind of convoluted, but it got the job done.
All we want are the facts...