Fidelity Yubikey questions

Non-investing personal finance issues including insurance, credit, real estate, taxes, employment and legal issues such as trusts and wills
mind_boggled
Posts: 43
Joined: Sat Jul 16, 2011 4:39 pm

Fidelity Yubikey questions

Post by mind_boggled » Fri Dec 01, 2017 4:51 pm

I saw that Yubikeys support Symantec VIP which I assume means they can be used to log into Fidelity. Does anyone here do that? One thing I'm curious about is whether setting up the Yubikey allows you to still use the phone app or if you can only use one at a time. When I set up the Symantec app on my phone I asked the Fidelity rep if I could also register the app on my iPad but they said only one code at a time. So does the Yubikey count as a unique code and thus I'd have to de-register my phone app, or does the Yubikey use the same code as the app? I'm interested in the Yubikey as a quick backup way to log in if I lose or don't have access to my phone, but it defeats the purpose if I have to de-register the phone app to use the Yubikey.

As for how it works I just plug the Yubikey into my mac when I log onto Fidelity.com and it does the rest?

tfb
Posts: 7980
Joined: Mon Feb 19, 2007 5:46 pm

Re: Fidelity Yubikey questions

Post by tfb » Sat Dec 02, 2017 1:14 am

mind_boggled wrote:
Fri Dec 01, 2017 4:51 pm
I saw that Yubikeys support Symantec VIP which I assume means they can be used to log into Fidelity.
Yubico used to offer a product to the general public that included a Symantec VIP id. The current retail Yubikeys don't have it any more. They only offer custom keys to institutions who distribute the keys to customers or employees.

"Yubico offers YubiKeys configured to work with Symantec VIP two-factor authentication service, allowing the keys to work as a Symantec Security Credential token across supporting sites.

Talk to us to order these custom configured YubiKeys."

https://www.yubico.com/why-yubico/for-b ... /symantec/

Note the for-business part in the URL.
Harry Sit, taking a break from the forums.

brad.clarkston
Posts: 625
Joined: Fri Jan 03, 2014 8:31 pm
Location: Kansas City, MO

Re: Fidelity Yubikey questions

Post by brad.clarkston » Sat Dec 02, 2017 2:02 am

I'm a bit confused on the reason to use Symantec's product as it's not that good for multi-factor.
Just enabling Fidelity's two-factor authentication with your cellphone is as good as Symantec's service.

Yubico works with lots of services. I use one to auto-login to my computers (home and work) and to log into LastPass, which logs me into Fidelity, so that's two layers, plus if I use 2-factor I have three layers.

Not sure much more is needed; if they can break that, all the power to them.

shiftleft
Posts: 24
Joined: Thu Mar 02, 2017 6:24 pm

Re: Fidelity Yubikey questions

Post by shiftleft » Sat Dec 02, 2017 2:26 am

I use the Symantec VIP client as 2 factor for my Fidelity account. You can have a VIP client on your cell phone, or computer, or a credit card sized device. They each have a different credential ID though, and as far as I know you can't duplicate one. So you can't have a backup device that generates the same one time passwords, nor does Fido let you use 2 different credential IDs. I originally used the cell phone app, but was concerned that if it was stolen, I'd get locked out of my account. Also tried the credit card sized device and it just didn't work so I'm returning it. Ended up just using the app on my computer. If you ever need to change the credential ID, it's pretty easy to call them.

I also looked into a Yubico key and found this:
https://www.yubico.com/support/knowledg ... ock-guide/
but never looked deeper into it.

mind_boggled
Posts: 43
Joined: Sat Jul 16, 2011 4:39 pm

Re: Fidelity Yubikey questions

Post by mind_boggled » Sat Dec 02, 2017 10:19 am

brad.clarkston wrote:
Sat Dec 02, 2017 2:02 am
I'm a bit confused on the reason to use Symantec's product as it's not that good for multi-factor.
Just enabling Fidelity's two-factor authentication with your cellphone is as good as Symantec's service.

Yubico works with lots of services. I use one to auto-login to my computers (home and work) and to log into LastPass, which logs me into Fidelity, so that's two layers, plus if I use 2-factor I have three layers.

Not sure much more is needed; if they can break that, all the power to them.
Symantec VIP is safer than SMS. There are more ways to intercept SMS messages and this has happened to people.

TheTimeLord
Posts: 5284
Joined: Fri Jul 26, 2013 2:05 pm

Re: Fidelity Yubikey questions

Post by TheTimeLord » Sat Dec 02, 2017 10:48 am

brad.clarkston wrote:
Sat Dec 02, 2017 2:02 am
I'm a bit confused on the reason to use Symantec's product as it's not that good for multi-factor.
Just enabling Fidelity's two-factor authentication with your cellphone is as good as Symantec's service.

Yubico works with lots of services. I use one to auto-login to my computers (home and work) and to log into LastPass, which logs me into Fidelity, so that's two layers, plus if I use 2-factor I have three layers.

Not sure much more is needed; if they can break that, all the power to them.
This statement requires a little more explanation. How is using a Yubikey superior as a security method? It may be more widely used, thus more convenient, but I'm not sure why it would be superior.
IMHO, Investing should be about living the life you want, not avoiding the life you fear. | Run, You Clever Boy! [9085]

diy60
Posts: 180
Joined: Wed Sep 07, 2016 6:54 pm

Re: Fidelity Yubikey questions

Post by diy60 » Sat Dec 02, 2017 11:16 am

brad.clarkston wrote:
Sat Dec 02, 2017 2:02 am
I'm a bit confused on the reason to use Symantec's product as it's not that good for multi-factor.
Just enabling Fidelity's two-factor authentication with your cellphone is as good as Symantec's service.
Certainly not my area of expertise, but please explain/clarify why you believe Symantec VIP is not that good. I don't see how SMS text messages to my cell phone number (cell phone numbers can and have been hijacked) could be safer than the time-based one-time passcode based on tokens installed on a single device? I would think the VIP token would be much more secure than SMS texts. My only complaint with Symantec VIP is the application does not offer a password setting for opening the app.

As a side note, I don't think Fidelity supports Yubikey hardware tokens, at least that is what a Fidelity rep told me.

happenstance
Posts: 50
Joined: Sun Jul 26, 2015 11:24 am
Location: NYC

Re: Fidelity Yubikey questions

Post by happenstance » Sat Dec 02, 2017 11:59 am

diy60 wrote:
Sat Dec 02, 2017 11:16 am
brad.clarkston wrote:
Sat Dec 02, 2017 2:02 am
I'm a bit confused on the reason to use Symantec's product as it's not that good for multi-factor.
Just enabling Fidelity's two-factor authentication with your cellphone is as good as Symantec's service.
Certainly not my area of expertise, but please explain/clarify why you believe Symantec VIP is not that good. I don't see how SMS text messages to my cell phone number (cell phone numbers can and have been hijacked) could be safer than the time-based one-time passcode based on tokens installed on a single device? I would think the VIP token would be much more secure than SMS texts. My only complaint with Symantec VIP is the application does not offer a password setting for opening the app.

As a side note, I don't think Fidelity supports Yubikey hardware tokens, at least that is what a Fidelity rep told me.
It's unfortunately not too hard for a scammer to trick the mobile phone providers' customer support people into giving them access to your account. It usually just requires "verifying" the identity with basic information (SSN, DOB, address, etc.), which is basically semi-public information now given the number of corporate data breaches the past few years. I have multiple friends who have had their phone numbers temporarily stolen/ported away from their provider. (Though the motivation in those instances was not to gain access for SMS/2FA interception).

So SMS verification is definitely the weakest form of two-factor authentication, due to the dependency on third-party companies, but it's certainly better than just single-factor passwords. However all two-factor schemes that require you to manually enter codes are also susceptible to phishing: a bad actor could create a convincing fake website and get you to enter your username, password, and second-factor, which they could harvest and use to compromise your account. Security keys like YubiKey are not susceptible to phishing because there's no manual data entry. The tokens security keys generate are cryptographically tied to the domain name, so they are the strongest form of 2FA.

Security keys > authenticator smartphone apps/physical token generators > SMS codes > single-factor

Cash
Posts: 1344
Joined: Wed Mar 10, 2010 10:52 am

Re: Fidelity Yubikey questions

Post by Cash » Sat Dec 02, 2017 3:59 pm

happenstance wrote:
Sat Dec 02, 2017 11:59 am
a bad actor could create a convincing fake website and get you to enter your username, password, and second-factor, which they could harvest and use to compromise your account.
In the 30 seconds for which the Symantec VIP code is valid (less than that, really, because it takes time to enter)? I guess if they're fast enough...

happenstance
Posts: 50
Joined: Sun Jul 26, 2015 11:24 am
Location: NYC

Re: Fidelity Yubikey questions

Post by happenstance » Sat Dec 02, 2017 5:44 pm

Cash wrote:
Sat Dec 02, 2017 3:59 pm
happenstance wrote:
Sat Dec 02, 2017 11:59 am
a bad actor could create a convincing fake website and get you to enter your username, password, and second-factor, which they could harvest and use to compromise your account.
In the 30 seconds for which the Symantec VIP code is valid (less than that, really, because it takes time to enter)? I guess if they're fast enough...
Sure. There's no reason why the process couldn't be entirely automated/scripted.
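To make concrete the two points above (happenstance's claim that codes a person types by hand can be harvested and replayed, while a security key's response is cryptographically bound to the site's domain, and the follow-up that the replay can be fully scripted), here is an added simulation. It is not code from this thread, from Fidelity, Symantec or Yubico. It implements RFC 6238 TOTP from the standard library and then models a phishing proxy that relays a victim's code to the real site within the validity window. For the security-key half it follows the U2F/WebAuthn shape (server challenge, browser-supplied origin, device signs both) but uses an HMAC as a stand-in for the device's ECDSA signature so the file runs with no third-party packages; the origins, secrets and timestamps are constructed for illustration.

```python
"""Phishing relay against a typed one-time code vs. an origin-bound security key.

Added example, not code from the original thread. Stand-alone, stdlib only.
The security-key 'signature' is an HMAC stand-in for U2F/WebAuthn's ECDSA so
the file runs without third-party packages; the origins and secrets below
are made up for illustration.
"""
import hashlib
import hmac
import secrets
import struct

STEP = 30  # TOTP time step in seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP for the time step containing `now`."""
    return hotp(secret, int(now // STEP))


def server_check_totp(secret: bytes, code: str, now: float) -> bool:
    """Verifier accepts the current step and one step either side for clock skew.
    Nothing in the code tells the server *where* it was typed."""
    base = int(now // STEP)
    return any(hmac.compare_digest(hotp(secret, base + d), code) for d in (-1, 0, 1))


def phish_relay_totp(secret: bytes, t_user: float, relay_delay: float) -> bool:
    """Victim types the code into a fake site at t_user; the proxy submits it to
    the real site relay_delay seconds later. Returns whether it is accepted."""
    code = totp(secret, t_user)
    return server_check_totp(secret, code, t_user + relay_delay)


REAL_ORIGIN = "https://www.fidelity.com"                # hypothetical relying-party origin
PHISH_ORIGIN = "https://www.fidelity.com.evil.example"  # constructed look-alike


def key_for_origin(device_secret: bytes, origin: str) -> bytes:
    """Stand-in for U2F key wrapping: the per-site key depends on the origin the
    key was registered for, so a different origin yields a different key."""
    return hmac.new(device_secret, origin.encode(), hashlib.sha256).digest()


def device_sign(device_secret: bytes, browser_origin: str, challenge: bytes) -> tuple[bytes, bytes]:
    """The browser, not the user, reports the origin it is actually on, and the
    device signs (origin, challenge) with the key for that origin."""
    client_data = browser_origin.encode() + b"|" + challenge
    sig = hmac.new(key_for_origin(device_secret, browser_origin), client_data, hashlib.sha256).digest()
    return client_data, sig


def server_verify_assertion(registered_key: bytes, expected_challenge: bytes,
                            client_data: bytes, sig: bytes) -> bool:
    """Real server: origin must be its own, challenge must be the one it issued,
    and the signature must verify under the key registered at enrollment."""
    origin, _, challenge = client_data.partition(b"|")
    if origin != REAL_ORIGIN.encode() or challenge != expected_challenge:
        return False
    expected = hmac.new(registered_key, client_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def security_key_login(device_secret: bytes, browser_origin: str, tamper_origin: bool = False) -> bool:
    """One login attempt. The real server issues a fresh challenge; a proxy may
    forward it verbatim, but the victim's browser signs under browser_origin.
    With tamper_origin the attacker rewrites the origin field before forwarding."""
    registered_key = key_for_origin(device_secret, REAL_ORIGIN)  # stored at registration
    challenge = secrets.token_bytes(32)
    client_data, sig = device_sign(device_secret, browser_origin, challenge)
    if tamper_origin:
        client_data = client_data.replace(browser_origin.encode(), REAL_ORIGIN.encode(), 1)
    return server_verify_assertion(registered_key, challenge, client_data, sig)


if __name__ == "__main__":
    otp_secret = b"constructed-shared-secret-12345"   # constructed, not a real seed
    device = b"constructed-device-secret"
    t0 = 1_700_000_010.0
    print("TOTP relayed within 10 s accepted:", phish_relay_totp(otp_secret, t0, 10.0))
    print("TOTP relayed after 90 s accepted: ", phish_relay_totp(otp_secret, t0, 90.0))
    print("Key used on real site:            ", security_key_login(device, REAL_ORIGIN))
    print("Key relayed from phishing site:   ", security_key_login(device, PHISH_ORIGIN))
    print("...with origin field rewritten:   ", security_key_login(device, PHISH_ORIGIN, tamper_origin=True))
```

The relayed TOTP is accepted whenever the proxy resubmits inside the verifier's skew window, which is why the 30-second lifetime is no defence against a scripted proxy. The security-key relay fails twice over: the device signed for the origin the browser was really on, so the key differs from the one registered for the real site, and rewriting the origin field after the fact invalidates the signature that covers it.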

overthought
Posts: 203
Joined: Tue Oct 17, 2017 3:44 am

Re: Fidelity Yubikey questions

Post by overthought » Sat Dec 02, 2017 7:11 pm

happenstance wrote:
Sat Dec 02, 2017 5:44 pm
Cash wrote:
Sat Dec 02, 2017 3:59 pm
happenstance wrote:
Sat Dec 02, 2017 11:59 am
a bad actor could create a convincing fake website and get you to enter your username, password, and second-factor, which they could harvest and use to compromise your account.
In the 30 seconds for which the Symantec VIP code is valid (less than that, really, because it takes time to enter)? I guess if they're fast enough...
Sure. There's no reason why the process couldn't be entirely automated/scripted.
They could only get in once at most. Once is bad, sure, but not as bad as them having unfettered access to your account for an indefinite time period going forward.

brad.clarkston
Posts: 625
Joined: Fri Jan 03, 2014 8:31 pm
Location: Kansas City, MO

Re: Fidelity Yubikey questions

Post by brad.clarkston » Sat Dec 02, 2017 7:59 pm

mind_boggled wrote:
Sat Dec 02, 2017 10:19 am
brad.clarkston wrote:
Sat Dec 02, 2017 2:02 am
I'm a bit confused on the reason to use Symantec's product as it's not that good for multi-factor.
Just enabling Fidelity's two-factor authentication with your cellphone is as good as Symantec's service.

Yubico works with lots of services. I use one to auto-login to my computers (home and work) and to log into LastPass, which logs me into Fidelity, so that's two layers, plus if I use 2-factor I have three layers.

Not sure much more is needed; if they can break that, all the power to them.
Symantec VIP is safer than SMS. There are more ways to intercept SMS messages and this has happened to people.
As a former employee, not so much. I would and do run other companies' multi-factor over Symantec's as it's probably the weakest form out there. I've always been baffled by people that hear the word "Symantec" and think it's a good product. After Peter Norton left it stopped creating decent software.

SMS interception does not work like OTA TV or radio. All of the cell carriers and third-party providers use A5/1 or A5/3 encryption to send SMS out by LTE or wifi, which is amazingly fast, so you would have to capture the encrypted password in a few milliseconds, which doesn't happen to A5/1 very often and hasn't with A5/3 outside of academic labs set up just for doing it, as far as I know, and I do try to keep up with that sort of thing being in the field.

The issue is that it's just GSM encryption of the outgoing data, so if a person has allowed someone to compromise the phone via an app or an OK button, then yeah, they have access to all of your SMS data, and so far no one has been able to fix stupid or just ignorance.

I do agree two-factor is not the best way to authenticate network access due to user issues. Multi-factor is better but picking a decent one seems to be harder than I thought for most people.

brad.clarkston
Posts: 625
Joined: Fri Jan 03, 2014 8:31 pm
Location: Kansas City, MO

Re: Fidelity Yubikey questions

Post by brad.clarkston » Sat Dec 02, 2017 8:08 pm

happenstance wrote:
Sat Dec 02, 2017 11:59 am

It's unfortunately not too hard for a scammer to trick the mobile phone providers' customer support people into giving them access to your account. It usually just requires "verifying" the identity with basic information (SSN, DOB, address, etc.), which is basically semi-public information now given the number of corporate data breaches the past few years. I have multiple friends who have had their phone numbers temporarily stolen/ported away from their provider. (Though the motivation in those instances was not to gain access for SMS/2FA interception).

It's not as easy as you think to scam a carrier; we actively mine for attacks like that. One of the best is requiring you to be using the phone you want info on so that we can verify the hardware MAC address and radio SIM if the customer support person thinks something is wrong. That is being taught and re-taught more and more as there is more to CS than just selling a product.


So SMS verification is definitely the weakest form of two-factor authentication, due to the dependency on third-party companies, but it's certainly better than just single-factor passwords. However all two-factor schemes that require you to manually enter codes are also susceptible to phishing: a bad actor could create a convincing fake website and get you to enter your username, password, and second-factor, which they could harvest and use to compromise your account. Security keys like YubiKey are not susceptible to phishing because there's no manual data entry. The tokens security keys generate are cryptographically tied to the domain name, so they are the strongest form of 2FA.

Security keys > authenticator smartphone apps/physical token generators > SMS codes > single-factor

While I agree in general that multi-factor keys are better, you're overlooking the human factor. That keyfob doesn't do you any good if the device you're using it on is already compromised by user interaction, which is how they get you 99.9% of the time. The myth of the "super hacker" is just that, a movie myth; most of the time it's just social engineering at work.

Two-party authentication is fine if the user knows what they are doing, while multi-factor is just as prone to attack if the user just blindly thinks it's the best.


happenstance
Posts: 50
Joined: Sun Jul 26, 2015 11:24 am
Location: NYC

Re: Fidelity Yubikey questions

Post by happenstance » Sun Dec 03, 2017 11:14 am

brad.clarkston wrote:
Sat Dec 02, 2017 8:08 pm
happenstance wrote:
Sat Dec 02, 2017 11:59 am

It's unfortunately not too hard for a scammer to trick the mobile phone providers' customer support people into giving them access to your account. It usually just requires "verifying" the identity with basic information (SSN, DOB, address, etc.), which is basically semi-public information now given the number of corporate data breaches the past few years. I have multiple friends who have had their phone numbers temporarily stolen/ported away from their provider. (Though the motivation in those instances was not to gain access for SMS/2FA interception).

It's not as easy as you think to scam a carrier; we actively mine for attacks like that. One of the best is requiring you to be using the phone you want info on so that we can verify the hardware MAC address and radio SIM if the customer support person thinks something is wrong. That is being taught and re-taught more and more as there is more to CS than just selling a product.
It's good and important that CS reps are being trained better, but it has been (and I think will continue to be) possible to take advantage of helpful customer service reps. As you note, this is the social engineering/human factor, and I don't think it's possible to entirely mitigate it.
brad.clarkston wrote:
Sat Dec 02, 2017 8:08 pm
happenstance wrote:
Sat Dec 02, 2017 11:59 am
So SMS verification is definitely the weakest form of two-factor authentication, due to the dependency on third-party companies, but it's certainly better than just single-factor passwords. However all two-factor schemes that require you to manually enter codes are also susceptible to phishing: a bad actor could create a convincing fake website and get you to enter your username, password, and second-factor, which they could harvest and use to compromise your account. Security keys like YubiKey are not susceptible to phishing because there's no manual data entry. The tokens security keys generate are cryptographically tied to the domain name, so they are the strongest form of 2FA.

Security keys > authenticator smartphone apps/physical token generators > SMS codes > single-factor

While I agree in general that multi-factor keys are better, you're overlooking the human factor. That keyfob doesn't do you any good if the device you're using it on is already compromised by user interaction, which is how they get you 99.9% of the time. The myth of the "super hacker" is just that, a movie myth; most of the time it's just social engineering at work.

Two-party authentication is fine if the user knows what they are doing, while multi-factor is just as prone to attack if the user just blindly thinks it's the best.

I think you're escalating the argument here unnecessarily. Practicing good computer security hygiene is a prerequisite for having strong account security, because if your local computer/device is compromised, then yes, additional security measures may be rendered ineffective: it is foundational.

In a discussion of account security, two-factor authentication adds a significant barrier to attackers. If you have an account you want to protect, enabling 2FA is a smart thing to do. If the account provider only offers SMS codes, then by all means use that method. But if there are stronger options available (authenticator apps/key fobs or security keys), those provide increasingly better security protections because they eliminate some third-party risk of the phone company. They also work when you don't have cell coverage (like when traveling internationally).

The best option, security keys, also eliminates phishing risk. And it's convenient that the strongest option is also the easiest for people to understand and use. You just insert the key and press a button when the website prompts for it. There's no rush to enter six or eight digits within a 30-60 second window.
overthought wrote:
Sat Dec 02, 2017 7:11 pm
happenstance wrote:
Sat Dec 02, 2017 5:44 pm
Cash wrote:
Sat Dec 02, 2017 3:59 pm
happenstance wrote:
Sat Dec 02, 2017 11:59 am
a bad actor could create a convincing fake website and get you to enter your username, password, and second-factor, which they could harvest and use to compromise your account.
In the 30 seconds for which the Symantec VIP code is valid (less than that, really, because it takes time to enter)? I guess if they're fast enough...
Sure. There's no reason why the process couldn't be entirely automated/scripted.
They could only get in once at most. Once is bad, sure, but not as bad as them having unfettered access to your account for an indefinite time period going forward.
Once is enough to change the email address, password, and disable 2FA. At least with financial institutions, as opposed to other types of digital accounts, the real damaging operations (e.g., transferring assets) require a few days for the account trial deposits. That would give you some time to contact the institution and regain control.

Cash
Posts: 1344
Joined: Wed Mar 10, 2010 10:52 am

Re: Fidelity Yubikey questions

Post by Cash » Sun Dec 03, 2017 1:30 pm

happenstance wrote:
Sun Dec 03, 2017 11:14 am
Once is enough to change the email address, password, and disable 2FA.
No, you have to call in (and hopefully get past voice verification) to disable 2FA.

diy60
Posts: 180
Joined: Wed Sep 07, 2016 6:54 pm

Re: Fidelity Yubikey questions

Post by diy60 » Sun Dec 03, 2017 3:23 pm

Cash wrote:
Sun Dec 03, 2017 1:30 pm
happenstance wrote:
Sun Dec 03, 2017 11:14 am
Once is enough to change the email address, password, and disable 2FA.
No, you have to call in (and hopefully get past voice verification) to disable 2FA.
+1 pertaining to Fidelity, but I think I've seen in other threads Vanguard customers can disable 2FA online, which may be why the Fidelity scenario is constantly misstated. The other potential misinformation I often see, at least regarding Fidelity, is the baddies getting your ID and password by looking in your email once they hijack and reroute your phone number. None of the emails from my financial institutions, including Fidelity, contain ID or passwords. The emails simply state I have a new message or statement in my secure online mailbox or message center. My banking, 401K, and investment brokerages are all set up this way.

happenstance
Posts: 50
Joined: Sun Jul 26, 2015 11:24 am
Location: NYC

Re: Fidelity Yubikey questions

Post by happenstance » Sun Dec 03, 2017 5:01 pm

diy60 wrote:
Sun Dec 03, 2017 3:23 pm
Cash wrote:
Sun Dec 03, 2017 1:30 pm
happenstance wrote:
Sun Dec 03, 2017 11:14 am
Once is enough to change the email address, password, and disable 2FA.
No, you have to call in (and hopefully get past voice verification) to disable 2FA.
+1 pertaining to Fidelity, but I think I've seen in other threads Vanguard customers can disable 2FA online, which may be why the Fidelity scenario is constantly misstated.
Ah, sorry, yes I was going based off Vanguard (don't have a Fido account). That's good of Fidelity then. At Vanguard I think you can still disable it online (though I'd have to remove all my security keys to check).

overthought
Posts: 203
Joined: Tue Oct 17, 2017 3:44 am

Re: Fidelity Yubikey questions

Post by overthought » Mon Dec 04, 2017 9:06 am

happenstance wrote:
Sun Dec 03, 2017 11:14 am
overthought wrote:
Sat Dec 02, 2017 7:11 pm
happenstance wrote:
Sat Dec 02, 2017 5:44 pm
Cash wrote:
Sat Dec 02, 2017 3:59 pm
happenstance wrote:
Sat Dec 02, 2017 11:59 am
a bad actor could create a convincing fake website and get you to enter your username, password, and second-factor, which they could harvest and use to compromise your account.
In the 30 seconds for which the Symantec VIP code is valid (less than that, really, because it takes time to enter)? I guess if they're fast enough...
Sure. There's no reason why the process couldn't be entirely automated/scripted.
They could only get in once at most. Once is bad, sure, but not as bad as them having unfettered access to your account for an indefinite time period going forward.
Once is enough to change the email address, password, and disable 2FA. At least with financial institutions, as opposed to other types of digital accounts, the real damaging operations (e.g., transferring assets) require a few days for the account trial deposits. That would give you some time to contact the institution and regain control.
In an ideal world (which admittedly doesn't necessarily exist at YourBroker.com), changing account information or performing other damaging operations would follow the age-old protocol of requiring a user to re-enter their credentials (including 2FA, since 2FA was used to login). If I get phished into supplying credentials once to a man-in-the-middle, the attacker wouldn't be able to supply the second code or button press required to do the really bad stuff (and they wouldn't be able to get back in later).

Of course, if that security practice became common, the fake web sites would probably start presenting "login failure, please retry" scenarios in order to elicit the second set of credentials.

Which really just highlights the fact that the industry as a whole lacks effective MiTM protection for account security. In fact, I would argue that's the reason the classic phishing attack, that redirects you to yourbroker.com.ru, is even possible in the first place.

TimeRunner
Posts: 1427
Joined: Sat Dec 29, 2012 9:23 pm

Re: Fidelity Yubikey questions

Post by TimeRunner » Thu Oct 11, 2018 10:22 pm

To wake up an old thread, what's the current best way to secure a Fido account?
“Some depart to remain.”

shiftleft
Posts: 24
Joined: Thu Mar 02, 2017 6:24 pm

Re: Fidelity Yubikey questions

Post by shiftleft » Thu Oct 11, 2018 11:10 pm

Still using the Symantec VIP app and a long password.

Chip
Posts: 2371
Joined: Wed Feb 21, 2007 4:57 am

Re: Fidelity Yubikey questions

Post by Chip » Fri Oct 12, 2018 4:28 am

shiftleft wrote:
Thu Oct 11, 2018 11:10 pm
Still using the Symantec VIP app and a long password.
Me too. I thought that using the VIP app would be a pain, but it's not. By the time I've navigated to the Fido web site and had Keepass autotype my password, I've been able to find my phone, enter my PIN to unlock it, open the app and get the code. So on balance it probably only takes me the extra 5 seconds required to type in the code and wait for Fido to accept it.

DW and I also have done the voice print thingie with Fidelity.
