Vanguard's new security key option

Discuss all general (i.e. non-personal) investing questions and issues, investing news, and theory.
User avatar
siamond
Posts: 3295
Joined: Mon May 28, 2012 5:50 am

Re: Vanguard's new security key option

Post by siamond » Tue Jul 04, 2017 11:29 am

Received my Yubikey, activated Vanguard (and Dropbox and LastPass too) with it, works well.

As a side note, this is a nice 20% off deal today, too bad I missed it:
https://www.yubico.com/2-factor-tuesday/?fb2

PS. Just read that "Promo is live on the first Tuesday of every month"

sred5
Posts: 2
Joined: Thu Dec 03, 2015 9:55 pm

Re: Vanguard's new security key option

Post by sred5 » Wed Aug 09, 2017 7:04 pm

I give Vanguard tremendous applause for taking this step!

I am really surprised at the number of negative comments regarding Vanguard's implementation of Yubico FIDO/U2F security keys.

In terms of browser support, Firefox is supported, but there is currently a Firefox addon to make this work.

In terms of Windows loading drivers, that's done behind the scenes with the latter versions of Windows and it's not an issue. Your keyboard and mouse have drivers too, and those are needed to type in your login/password.

In terms of the complaints over having SMS as a backup, mt is correct in noting, "If I am not mistaken when you called they would ask you for your verbal password, assuming you have one. So that would seem to be more secure than just an SMS code." Voice-verification is another common security layer when calling Vanguard. If anyone can call Vanguard, pretend they are Joe Smith and tell Vanguard to drop the Yubico keys from Joe's login process, then there is a much bigger security hole, which is that they have assumed Joe Smith's identity and can do much more to his account.

More than anything, I think that we should really be thanking Vanguard. Vanguard leapfrogged over many other institutions with this one move in terms of security. For the future, we might ask if Vanguard could consider dropping the SMS security code as a backup if we have 3 or 4 YubiKeys registered?

For now, we should simply say, "Thank You Vanguard - this is an enormously positive step in terms of security - your tech guys deserve a lot of credit!"

jalbert
Posts: 2079
Joined: Fri Apr 10, 2015 12:29 am

Re: Vanguard's new security key option

Post by jalbert » Wed Aug 09, 2017 11:24 pm

heartwood wrote:Is there a link to an explanation of why Yubikey is preferable to the current 2-factor method of receiving a code?
Here's an actual example of someone breaking someone's 2-factor SMS via social engineering and compromising the victim's Paypal account:

https://www.theregister.co.uk/2017/07/1 ... er_tricks/

Unfortunately, Vanguard still can't seem to get the security engineering for authentication right. Because SMS is retained as a backup method, if an attacker breaks your SMS, they just go around the need to use the yubikey by requesting an SMS code, so that the addition of the yubikey as a 2nd point of attack makes the overall protocol slightly weaker than just having SMS.
Risk is not a guarantor of return.

User avatar
siamond
Posts: 3295
Joined: Mon May 28, 2012 5:50 am

Re: Vanguard's new security key option

Post by siamond » Sat Aug 12, 2017 9:16 pm

jalbert wrote:
Wed Aug 09, 2017 11:24 pm
Unfortunately, Vanguard still can't seem to get the security engineering for authentication right. Because SMS is retained as a backup method, if an attacker breaks your SMS, they just go around the need to use the yubikey by requesting an SMS code, so that the addition of the yubikey as a 2nd point of attack makes the overall protocol slightly weaker than just having SMS.
This seems a little harsh. Have you considered that Vanguard may have decided to keep the SMS backup method for a little while, until a good number of their customers got used to the Yubikey process and until corresponding kinks have been sorted out? And then and only then will switch to a more secure way of proceeding, with no backdoor (as you rightfully mention)? If I were a pragmatic Vanguard Product Manager, I would certainly have considered such one-step-at-a-time approach.

Personally, I applaud Vanguard for making a great step towards more security. I certainly hope they will go one step further, but that is definite progress.

jalbert
Posts: 2079
Joined: Fri Apr 10, 2015 12:29 am

Re: Vanguard's new security key option

Post by jalbert » Sun Aug 13, 2017 2:03 pm

This seems a little harsh. Have you considered that Vanguard may have decided to keep the SMS backup method for a little while, until a good number of their customers got used to the Yubikey process and until corresponding kinks have been sorted out?
It should not be made available to all customers before kinks have been sorted out. Otherwise, that would just be throwing another flawed process into the mix.
Risk is not a guarantor of return.

User avatar
dmcmahon
Posts: 1854
Joined: Fri Mar 21, 2008 10:29 pm

Re: Vanguard's new security key option

Post by dmcmahon » Sat Sep 09, 2017 6:41 pm

Flymore wrote:
Mon Jan 02, 2017 8:41 pm
smartinwate wrote:In looking at Yubico's web site, I'm a bit confused. Their sales blurbs state that "no drivers or software" are necessary to use the FIDO U2F key; however, also according to their site:
You may experience a slight delay when registering a key for the first time, as your computer will need to install the driver software.
That bit about "install the driver software" would seem to imply a requirement for Microsoft Windows, and I absolutely refuse to do any online financial work using Windows.

I second that!!!!!!!
I'll third that. I never, ever do financial stuff on a Windows box. Too many drive-by malware incidents in the past, and I fear key loggers. That said, they claim the yubikey works on Linux and Mac.

User avatar
siamond
Posts: 3295
Joined: Mon May 28, 2012 5:50 am

Re: Vanguard's new security key option

Post by siamond » Sat Sep 09, 2017 7:49 pm

dmcmahon wrote:
Sat Sep 09, 2017 6:41 pm
I'll third that. I never, ever do financial stuff on a Windows box. Too many drive-by malware incidents in the past, and I fear key loggers. That said, they claim the yubikey works on Linux and Mac.
Don't know about Linux, but it works perfectly well on my Mac.

User avatar
pokebowl
Posts: 49
Joined: Sat Dec 17, 2016 7:22 pm

Re: Vanguard's new security key option

Post by pokebowl » Sat Sep 09, 2017 11:32 pm

dmcmahon wrote:
Sat Sep 09, 2017 6:41 pm

I'll third that. I never, ever do financial stuff on a Windows box. Too many drive-by malware incidents in the past, and I fear key loggers. That said, they claim the yubikey works on Linux and Mac.
If you truly feel Linux or Mac are more secure than say windows... All I need is ~5 minutes with your machine locally or ~30 minutes remote and I'll guarantee I'll be able to get to your data :beer. I used to do host-based and network based black box penetration testing as a consultant for years, I've seen and done it all. Most systems are vulnerable at some layer, just some appear worse off than others due to their footprint in the market. Worse case for truly secure environments, you just hack the human behind the screen.

From a financial standpoint, current malware campaigns targeting users for financial gain are operating system agnostic, targeting users specifically via mobile app stores, browser plugins, and unpatched software (Adobe/Java). The majority focuses on pop-ups and phishing emails to drop ransomware or deliver whatever variant of zeus, dridex, or trickbot is currently out there.

I personally use windows based operating systems for my financial needs, last virus/malware infection I ever received was intentional and back in 2005. :mrgreen: Alright I'll get off my soap box now.

User avatar
StevieG72
Posts: 531
Joined: Wed Feb 05, 2014 9:00 pm

Re: Vanguard's new security key option

Post by StevieG72 » Sun Sep 10, 2017 4:24 pm

I am intrigued by the security key option, but dissapointed that SMS may not be disabled at this time.

Apparently SMS is reserved for not having the security key OR logging in from a mobile device. So you would not have to call to request the SMS I am assuming. Folks that already have security keys can verify.

I did notice that Vangaurd offers you to restrict access to your account to recognized devices only. I like this option since I only use a few devices to log in to Vangaurd. Negative is if you clear your browser history, Vangaurd will not recognize your device anymore. If you have the Vangaurd App on your device clearing browser history has no impact.

Security Key would be a great addition if it allows you to log on to unrecognized devices. Otherwise if you have a unsupported device you would need to log in on a supported device, change settings to allow new device, and then switch back to only recognized devices.

I am not sure if security key allows this or not, any key holders have input?
Fools think their own way is right, but the wise listen to others.

Afty
Posts: 484
Joined: Sun Sep 07, 2014 5:31 pm

Re: Vanguard's new security key option

Post by Afty » Sun Sep 10, 2017 7:27 pm

Yubico security keys work on Linux and Mac as well as Windows. I use them on all 3 platforms for my work. See https://www.yubico.com/products/yubikey ... bikey-neo/

User avatar
nisiprius
Advisory Board
Posts: 33790
Joined: Thu Jul 26, 2007 9:33 am
Location: The terrestrial, globular, planetary hunk of matter, flattened at the poles, is my abode.--O. Henry

Re: Vanguard's new security key option

Post by nisiprius » Sun Sep 10, 2017 7:46 pm

Does Yubikey embody some kind of industry standard that makes it likely that it will work with "everyone" when they get around to it... or do we have a zoo of proprietary devices, so that anyone seeking security will end up with a physical keyring containing half-a-dozen different fobs, a different one for every financial firm?
Annual income twenty pounds, annual expenditure nineteen nineteen and six, result happiness; Annual income twenty pounds, annual expenditure twenty pounds ought and six, result misery.

User avatar
modal
Posts: 1241
Joined: Tue Feb 20, 2007 3:57 pm
Location: USA

Re: Vanguard's new security key option

Post by modal » Sun Sep 10, 2017 9:48 pm

Are there any details on how this is implemented and how to get it set up?

fatcharlie
Posts: 26
Joined: Wed Aug 06, 2014 11:25 am

Re: Vanguard's new security key option

Post by fatcharlie » Mon Sep 11, 2017 12:00 pm

For someone who's using the U2F option, can you still download OFX files without problems? (e.g. via Mint, Quicken or whatever)

hlfo718
Posts: 754
Joined: Wed Dec 01, 2010 9:17 am
Location: NYC

Re: Vanguard's new security key option

Post by hlfo718 » Mon Sep 11, 2017 1:08 pm

Hypothetically, if the hacker has your ID and PW, couldn't they still by pass the Yubikey and log into the account? I think this is the same for Gmail since they have the option for users to use the SMS option in case you lose your key. Off course this may be too much work for the hacker to spend to get one account.

User avatar
oldcomputerguy
Posts: 1654
Joined: Sun Nov 22, 2015 6:50 am
Location: In the middle of five acres of woods

Re: Vanguard's new security key option

Post by oldcomputerguy » Mon Sep 11, 2017 1:21 pm

nisiprius wrote:
Sun Sep 10, 2017 7:46 pm
Does Yubikey embody some kind of industry standard that makes it likely that it will work with "everyone" when they get around to it
According to Yubikey's web site:
U2F is an open authentication standard that enables internet users to securely access any number of online services, with one single device, instantly and with no drivers, or client software needed.

Click here for a list of featured services that use FIDO U2F.

U2F was created by Google and Yubico, and support from NXP, with the vision to take strong public key crypto to the mass market. Today, the technical specifications are hosted by the open-authentication industry consortium known as the FIDO Alliance. U2F has been successfully deployed by large scale services, including Gmail, Dropbox, GitHub, Salesforce.com, the UK government, and many more.
Anybody know why there's a 20-pound frozen turkey up in the light grid?

User avatar
oldcomputerguy
Posts: 1654
Joined: Sun Nov 22, 2015 6:50 am
Location: In the middle of five acres of woods

Re: Vanguard's new security key option

Post by oldcomputerguy » Mon Sep 11, 2017 1:24 pm

siamond wrote:
Sat Sep 09, 2017 7:49 pm
dmcmahon wrote:
Sat Sep 09, 2017 6:41 pm
I'll third that. I never, ever do financial stuff on a Windows box. Too many drive-by malware incidents in the past, and I fear key loggers. That said, they claim the yubikey works on Linux and Mac.
Don't know about Linux, but it works perfectly well on my Mac.
Works on Linux too. Just upgraded my home box to Mint 18.2, and gave Yubikey another try. Once I downloaded the needed rules file from Github and put it in /etc/udev/rules.d, the key worked out of the box. Setup with Vanguard went flawlessly.
Anybody know why there's a 20-pound frozen turkey up in the light grid?

User avatar
nisiprius
Advisory Board
Posts: 33790
Joined: Thu Jul 26, 2007 9:33 am
Location: The terrestrial, globular, planetary hunk of matter, flattened at the poles, is my abode.--O. Henry

Re: Vanguard's new security key option

Post by nisiprius » Mon Sep 11, 2017 8:06 pm

On closer inspection, the pictures of the Yubikeys appear to have a set of physical contacts.

In fact it says "USB-A," whatever that is.

Uh, what IS USB-A by the way? I've heard of USB 1.0, 1.1, 2.0, 3.0 but never USB standards with letters.

Is this some miserable kind of dongle that needs to be physically inserted into an appropriate computer port? Does that mean that I can't move it around between my computer, my tablet (Micro-USB), and my smartphone (Micro-USB)?

Why doesn't it just display a visible code like the security-token-thingy used by my friend who works for a (non-Vanguard) mutual fund company?

Image
Annual income twenty pounds, annual expenditure nineteen nineteen and six, result happiness; Annual income twenty pounds, annual expenditure twenty pounds ought and six, result misery.

User avatar
VictoriaF
Posts: 17187
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: Vanguard's new security key option

Post by VictoriaF » Mon Sep 11, 2017 8:22 pm

nisiprius wrote:
Mon Sep 11, 2017 8:06 pm
On closer inspection, the pictures of the Yubikeys appear to have a set of physical contacts.

In fact it says "USB-A," whatever that is.

Uh, what IS USB-A by the way? I've heard of USB 1.0, 1.1, 2.0, 3.0 but never USB standards with letters.
Yubico has pictures of USB-A and USB-C form factors on this page:
https://www.yubico.com/products/yubikey ... /yubikey4/

After reading Amazon reviews I have also purchased "Conwork 2-Pack High-Speed USB 3.0 Male to Female Coupler Type A Extender Connection Adapter". Its purpose is to reduce wear and tear on the YubiKey from repeated insertion and removal.

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

User avatar
StevieG72
Posts: 531
Joined: Wed Feb 05, 2014 9:00 pm

Re: Vanguard's new security key option

Post by StevieG72 » Tue Sep 12, 2017 4:35 pm

So I checked with Vangaurd and they informed me that to use a security key Vanguard must recognize the computer.

If you have your account set to allow log on from recognized computers only, the security key will not allow you to log in to a computer that has not already been identified.

I would prefer to be able to log in to unrecognized computers if security key is present.

Seems like the security key is an option to use but does not add much utility or additional security.
Fools think their own way is right, but the wise listen to others.

sketchy9
Posts: 114
Joined: Mon Oct 25, 2010 2:10 pm

Re: Vanguard's new security key option

Post by sketchy9 » Wed Sep 13, 2017 11:57 pm

StevieG72 wrote:
Tue Sep 12, 2017 4:35 pm
So I checked with Vangaurd and they informed me that to use a security key Vanguard must recognize the computer.

If you have your account set to allow log on from recognized computers only, the security key will not allow you to log in to a computer that has not already been identified.

I would prefer to be able to log in to unrecognized computers if security key is present.

Seems like the security key is an option to use but does not add much utility or additional security.
Yes that seems completely contrary to what it should be used for. If a hacker is trying to login from an unrecognized computer, I WANT Vanguard to enforce a key.

redstar
Posts: 28
Joined: Thu Jul 13, 2017 11:15 pm

Re: Vanguard's new security key option

Post by redstar » Thu Sep 14, 2017 1:10 am

Does anyone know if Mint/Personal Capital/etc can still import data if I have the security key enabled?

2bitwise
Posts: 37
Joined: Thu Jan 22, 2009 11:23 pm

Re: Vanguard's new security key option

Post by 2bitwise » Fri Sep 15, 2017 9:27 pm

I just log in with my user name and PW at the moment. Had the security picture before they stopped it. I have no other options selected. My doctor uses a security key when logging on to his system and it got me thinking. I need some advice on my next security step. I have regular phone service at home and no cell phone.
1) I want to use the security key (Yubikey)
2) I frequently clear my browser cache. If I switch to recognize this device only,will that still work? Or will I be locked out?
3) Do they send the SMS codes in voice also? That would work on my regular landline phone. If they send the SMS blurp to my regular phone (I couldn't read it) can I just ignore it and then use the key to finish logging in?
4) With SMS and the key installed, can I just use they key only? Do I have to have the SMS code first, before I can install the key?
I went to the Vanguard site and searched "security" "security keys" and basically came up with nothing. Also currently after I log off they recommend clearing my browser cache. (see #2).
To me, all this is a mess. So any help walking me through this would be appreciated.

bogglizer
Posts: 68
Joined: Tue Aug 16, 2016 8:56 pm

Re: Vanguard's new security key option

Post by bogglizer » Fri Sep 15, 2017 10:20 pm

Can't I fix the SMS back door by removing any cell numbers from my account?

playmisty
Posts: 6
Joined: Thu Apr 28, 2016 5:12 pm

Re: Vanguard's new security key option

Post by playmisty » Fri Sep 15, 2017 11:43 pm

bogglizer wrote:
Fri Sep 15, 2017 10:20 pm
Can't I fix the SMS back door by removing any cell numbers from my account?
I'm pretty sure you need at least one phone number associated with your account. When you set up the security code portion, there's an option to receive an automated call at the number provided (instead of a text). I've not tried this myself, but I assume that you could use a landline there.
2bitwise wrote:
Fri Sep 15, 2017 9:27 pm
I just log in with my user name and PW at the moment. Had the security picture before they stopped it. I have no other options selected. My doctor uses a security key when logging on to his system and it got me thinking. I need some advice on my next security step. I have regular phone service at home and no cell phone.
1) I want to use the security key (Yubikey)
2) I frequently clear my browser cache. If I switch to recognize this device only,will that still work? Or will I be locked out?
3) Do they send the SMS codes in voice also? That would work on my regular landline phone. If they send the SMS blurp to my regular phone (I couldn't read it) can I just ignore it and then use the key to finish logging in?
4) With SMS and the key installed, can I just use they key only? Do I have to have the SMS code first, before I can install the key?
I went to the Vanguard site and searched "security" "security keys" and basically came up with nothing. Also currently after I log off they recommend clearing my browser cache. (see #2).
To me, all this is a mess. So any help walking me through this would be appreciated.
For your #2, I do the same thing, my browser deletes all data when I close out of it. I don't have my Vanguard account set to recognized devices only, but I do have it set so that it needs the security key every time I log in.
#3 as mentioned above, you have the option to be contacted by an automated call instead of a text.
#4 when you have the security keys set up, you would use the security key (with username and password) to log in. Although, if you are using a browser that doesn't support these keys, you would need to use the SMS code/automated call option.

To start setting this up, if you go to Account Maintenance, you should see the options for security codes and security codes near the bottom. Hope this helps!
:sharebeer

Silence Dogood
Posts: 698
Joined: Tue Feb 01, 2011 9:22 pm

Re: Vanguard's new security key option

Post by Silence Dogood » Sat Sep 16, 2017 12:48 am

sketchy9 wrote:
Wed Sep 13, 2017 11:57 pm
StevieG72 wrote:
Tue Sep 12, 2017 4:35 pm
So I checked with Vangaurd and they informed me that to use a security key Vanguard must recognize the computer.

If you have your account set to allow log on from recognized computers only, the security key will not allow you to log in to a computer that has not already been identified.

I would prefer to be able to log in to unrecognized computers if security key is present.

Seems like the security key is an option to use but does not add much utility or additional security.
Yes that seems completely contrary to what it should be used for. If a hacker is trying to login from an unrecognized computer, I WANT Vanguard to enforce a key.
If you would prefer to be able to log in from unrecognized devices when a security key is present, then you should allow access to your account from unrecognized devices but change your security code/key settings so that you're required to use the security key each time you log on.

Doesn't this lead to your desired result?

If you go into the Vanguard security code/key settings there is an option to require the code/key each time you log on, regardless of whether or not the device is recognized.

Restricting access to recognized devices means only recognized devices can gain access. In other words, there is no accessing your account via unrecognized devices even if you have you're security key with you.

I have my account set up to restrict access to recognized devices (one computer is recognized) and to require a security code regardless of whether the device is recognized.

Silence Dogood
Posts: 698
Joined: Tue Feb 01, 2011 9:22 pm

Re: Vanguard's new security key option

Post by Silence Dogood » Sat Sep 16, 2017 1:03 am

2bitwise wrote:
Fri Sep 15, 2017 9:27 pm
I just log in with my user name and PW at the moment. Had the security picture before they stopped it. I have no other options selected. My doctor uses a security key when logging on to his system and it got me thinking. I need some advice on my next security step. I have regular phone service at home and no cell phone.
1) I want to use the security key (Yubikey)
2) I frequently clear my browser cache. If I switch to recognize this device only,will that still work? Or will I be locked out?
3) Do they send the SMS codes in voice also? That would work on my regular landline phone. If they send the SMS blurp to my regular phone (I couldn't read it) can I just ignore it and then use the key to finish logging in?
4) With SMS and the key installed, can I just use they key only? Do I have to have the SMS code first, before I can install the key?
I went to the Vanguard site and searched "security" "security keys" and basically came up with nothing. Also currently after I log off they recommend clearing my browser cache. (see #2).
To me, all this is a mess. So any help walking me through this would be appreciated.
It's not the cache, it's the cookies.

I use a Firefox add-on called "Self-Destructing Cookies" that automatically deletes cookies for all sites I visit except for those I have white listed. I also have my Firefox settings set to clear cache whenever I close the program.

2bitwise
Posts: 37
Joined: Thu Jan 22, 2009 11:23 pm

Re: Vanguard's new security key option

Post by 2bitwise » Sat Sep 16, 2017 8:20 pm

I am making progress here-got the security code set up and I get a voice message,so that works.
The yubikey FIDO U2F is on order and I will install it. So then, by setting sec code to not every time, I can only use key?
(which is what I want). Apparently the "this device only" works by storing a cookie in the browser. I'll have figure out how to except that in Chrome when clearing history (cookies/cache). So,so far so good!

User avatar
Rob5TCP
Posts: 2901
Joined: Tue Jun 05, 2007 7:34 pm
Location: New York, NY

Re: Vanguard's new security key option

Post by Rob5TCP » Wed Sep 20, 2017 12:31 pm

I am looking at the new security key options.
Amazon has this one:

https://www.amazon.com/Yubico-Y-158-Yub ... curity+key

Also on the site is this one at half the price
and under questions answered says it works with Vanguard
anyone have any experience with it -

https://www.amazon.com/Thetis-Universal ... MHQBV5#Ask

the reviews were better than the Yuba Key

User avatar
tfb
Posts: 7672
Joined: Mon Feb 19, 2007 5:46 pm
Contact:

Re: Vanguard's new security key option

Post by tfb » Wed Sep 20, 2017 8:04 pm

Rob5TCP wrote:
Wed Sep 20, 2017 12:31 pm
I am looking at the new security key options.
Amazon has this one:

https://www.amazon.com/Yubico-Y-158-Yub ... curity+key

Also on the site is this one at half the price
and under questions answered says it works with Vanguard
anyone have any experience with it -

https://www.amazon.com/Thetis-Universal ... MHQBV5#Ask

the reviews were better than the Yuba Key
The comparable model in Yubikey is this one for $18: https://www.amazon.com/Yubico-Y-123-FID ... B00NLKA0D8

For a price difference of only $3 and a security product, I'd go with a product made by a reputable company than a product sold by an unknown 3rd party seller on Amazon.

Thetis claims FIDO certification but the FIDO Alliance website doesn't list any certified product under the company name Thetis. A red flag.
Harry Sit, taking a break from the forums.

User avatar
Rob5TCP
Posts: 2901
Joined: Tue Jun 05, 2007 7:34 pm
Location: New York, NY

Re: Vanguard's new security key option

Post by Rob5TCP » Thu Sep 21, 2017 8:27 am

tfb wrote:
Wed Sep 20, 2017 8:04 pm
Rob5TCP wrote:
Wed Sep 20, 2017 12:31 pm
I am looking at the new security key options.
Amazon has this one:

https://www.amazon.com/Yubico-Y-158-Yub ... curity+key

Also on the site is this one at half the price
and under questions answered says it works with Vanguard
anyone have any experience with it -

https://www.amazon.com/Thetis-Universal ... MHQBV5#Ask

the reviews were better than the Yuba Key
The comparable model in Yubikey is this one for $18: https://www.amazon.com/Yubico-Y-123-FID ... B00NLKA0D8

For a price difference of only $3 and a security product, I'd go with a product made by a reputable company than a product sold by an unknown 3rd party seller on Amazon.

Thetis claims FIDO certification but the FIDO Alliance website doesn't list any certified product under the company name Thetis. A red flag.
Your point is well taken tfb
I'm going with the original Yubikey 4
for security I don't want to skimp.

kayanco
Posts: 403
Joined: Sat Jun 07, 2014 12:20 am

Re: Vanguard's new security key option

Post by kayanco » Thu Sep 21, 2017 10:20 am

I think there are two problems with something like this:

- You might lose it.
- It might go bad, i.e. some internal component might go bad (as many electronics do).

I like email based 2FA instead (instead of SMS).

Silence Dogood
Posts: 698
Joined: Tue Feb 01, 2011 9:22 pm

Re: Vanguard's new security key option

Post by Silence Dogood » Thu Sep 21, 2017 8:47 pm

Silence Dogood wrote:
Sat Sep 16, 2017 1:03 am
2bitwise wrote:
Fri Sep 15, 2017 9:27 pm
I just log in with my user name and PW at the moment. Had the security picture before they stopped it. I have no other options selected. My doctor uses a security key when logging on to his system and it got me thinking. I need some advice on my next security step. I have regular phone service at home and no cell phone.
1) I want to use the security key (Yubikey)
2) I frequently clear my browser cache. If I switch to recognize this device only,will that still work? Or will I be locked out?
3) Do they send the SMS codes in voice also? That would work on my regular landline phone. If they send the SMS blurp to my regular phone (I couldn't read it) can I just ignore it and then use the key to finish logging in?
4) With SMS and the key installed, can I just use they key only? Do I have to have the SMS code first, before I can install the key?
I went to the Vanguard site and searched "security" "security keys" and basically came up with nothing. Also currently after I log off they recommend clearing my browser cache. (see #2).
To me, all this is a mess. So any help walking me through this would be appreciated.
It's not the cache, it's the cookies.

I use a Firefox add-on called "Self-Destructing Cookies" that automatically deletes cookies for all sites I visit except for those I have white listed. I also have my Firefox settings set to clear cache whenever I close the program.
Actually, the "Self-Destructing Cookies" add-on is no longer being supported by its creator. I've started using the "Cookie AutoDelete" add-on that accomplishes the same task.

I believe this add-on is also available for the Google Chrome web browser.

Silence Dogood
Posts: 698
Joined: Tue Feb 01, 2011 9:22 pm

Re: Vanguard's new security key option

Post by Silence Dogood » Thu Sep 21, 2017 9:02 pm

2bitwise wrote:
Sat Sep 16, 2017 8:20 pm
I am making progress here-got the security code set up and I get a voice message,so that works.
The yubikey FIDO U2F is on order and I will install it. So then, by setting sec code to not every time, I can only use key?
(which is what I want). Apparently the "this device only" works by storing a cookie in the browser. I'll have figure out how to except that in Chrome when clearing history (cookies/cache). So,so far so good!
Not sure what you mean regarding the security code settings, but yes, the "restrict access to recognized devices" option works by storing a cookie on your web browser. Per my post above, you can use a web browser add-on like "Cookie AutoDelete" and add "vanguard.com" to the whitelist and then change your Vanguard security settings to "recognized devices only."

I hope that helps.

Post Reply