Vanguard's new security key option

mggray17
Posts: 231
Joined: Thu Feb 11, 2010 7:09 am

Re: Vanguard's new security key option

Post by mggray17 »

mggray17 wrote: Tue Nov 07, 2017 10:35 am
Brian 2016 wrote: Mon Oct 02, 2017 4:21 pm Thanks to the folks who posted this information about Vanguard's new security key, I went ahead and ordered the Yubico USB Security Key (FIDO U2F) and now have it working with my Vanguard accounts. Thanks again for the tip!!!

Brian
Where did you find instructions for this? I bought the Yubikey FIDO U2F key a while ago and when trying to set up with Vanguard, I couldn't get it to respond. I assumed at the time I needed to upgrade to Yubikey 4 or equivalent.
NVM. Just tried again and it was flawless. I think Vanguard updated the system since I last tried. :)
Vulcan
Posts: 2975
Joined: Sat Apr 05, 2014 11:43 pm

Re: Vanguard's new security key option

Post by Vulcan »

siamond wrote: Tue Nov 07, 2017 10:37 am
Vulcan wrote: Sun Nov 05, 2017 1:17 pm
TravelGeek wrote: Sun Nov 05, 2017 12:47 pm I have been thinking of switching my SMS backup (when I get my Yubico key) to my Google Voice number, which I don’t really use for anything else.
That is what I do for all SMS-based 2FA setups. I get the message in Hangouts and an email copy to my Google account. Since the Google account is protected by 2FA as well, this makes the entire setup very secure.

In fact, since I consider my Google account to be both very secure and the key to my kingdom, I am perfectly fine with email-based second factor as well.
This seems very clever. Plus one can use a Yubikey to protect their Google Account (which I do, including gmail).

Ah wait a minute...
- this implies to NOT redirect voice calls and text messages from Google Voice to your primary cell phone though. Otherwise, if your cell phone is compromised, you're back to square 1, right?
- but... I also have access to my e-mail on my cell phone (and I am not going to give up such convenience). So we should NOT auto-forward ANYTHING from Google Voice with that logic. Hm, this is getting clunky. Am I missing something?
My phone is protected by fingerprint login.
Besides, it's not enough to steal my phone and get the second factor compromised - you still have to know the password, which is the first factor, and it's not on the phone (well, not in plain text anyway;).
If you torture the data long enough, it will confess to anything. ~Ronald Coase
TravelGeek
Posts: 4902
Joined: Sat Oct 25, 2014 3:23 pm

Re: Vanguard's new security key option

Post by TravelGeek »

siamond wrote: Tue Nov 07, 2017 10:37 am Ah wait a minute...
- this implies to NOT redirect voice calls and text messages from Google Voice to your primary cell phone though. Otherwise, if your cell phone is compromised, you're back to square 1, right?
- but... I also have access to my e-mail on my cell phone (and I am not going to give up such convenience). So we should NOT auto-forward ANYTHING from Google Voice with that logic. Hm, this is getting clunky. Am I missing something?
I thought the concern with Vanguard using SMS wasn't so much that the phone could be stolen (that's true for other 2FA devices as well), but rather that the SMS system itself is inherently insecure (social engineering and other attack vectors). E.g.,

https://www.wired.com/2016/06/hey-stop- ... ntication/

A lot of people know my mobile number. You could probably google it if you knew my name.

My Google Voice number is not printed on any business card or otherwise used. I signed up for it a long time ago, but never really found a use case. So it's basically a private number only Google and I know. Which means it should provide a bit more protection for SMS-specific attacks. (I know, security through obscurity... definitely not perfect)
siamond
Posts: 6003
Joined: Mon May 28, 2012 5:50 am

Re: Vanguard's new security key option

Post by siamond »

Vulcan wrote: Tue Nov 07, 2017 5:53 pm My phone is protected by fingerprint login.
Besides, it's not enough to steal my phone and get the second factor compromised - you still have to know the password, which is the first factor, and it's not on the phone (well, not in plain text anyway;).
Sorry if I'm slow, but I don't understand why you want to use Google Voice then? What makes this choice more secure than the regular 2FA with your phone?

(to answer TravelGeek's post as well, the issue some people have with Vanguard is that a regular 2FA system is kind of weak, notably if a smartphone is compromised, and the addition of the Yubikey as a separate stronger factor can be somewhat defeated by the procedure used when such key is -claimed to be- lost, i.e. back to the regular 2FA. Also most 2FA systems do NOT ask you for a phone number, they send the message to a preconfigured number).
TravelGeek
Posts: 4902
Joined: Sat Oct 25, 2014 3:23 pm

Re: Vanguard's new security key option

Post by TravelGeek »

siamond wrote: Tue Nov 07, 2017 6:28 pm Also most 2FA systems do NOT ask you for a phone number, they send the message to a preconfigured number.
Are there 2FA systems that ask you where to send the code? (and if so, hopefully they don't just accept any random number...) :shock:

Most I have seen will send to a preconfigured number (on your account) and perhaps show the last couple of digits so you know where the text will go.

So as a hacker you need to get ahold of the message, either by stealing the phone and breaking the lock protection (which even the FBI has problems with) or by making the SMS network send it to YOUR phone instead of mine. Social engineering or other mechanisms exist.

https://www.wired.com/2017/05/fix-ss7-t ... -accounts/

So I don't want to have the Vanguard 2FA code sent to my real cell number (that is widely known), but rather to a number that is "obscure". Not perfect, but adds some protection. And as Vulcan said, the hacker also needs my password.

Nevertheless, we should all send complaints to Vanguard that they are violating NIST recommendations with their 2FA implementation.
Vulcan
Posts: 2975
Joined: Sat Apr 05, 2014 11:43 pm

Re: Vanguard's new security key option

Post by Vulcan »

siamond wrote: Tue Nov 07, 2017 6:28 pm
Vulcan wrote: Tue Nov 07, 2017 5:53 pm My phone is protected by fingerprint login.
Besides, it's not enough to steal my phone and get the second factor compromised - you still have to know the password, which is the first factor, and it's not on the phone (well, not in plain text anyway;).
Sorry if I'm slow, but I don't understand why you want to use Google Voice then? What makes this choice more secure than the regular 2FA with your phone?
This
SO HEY YOU SHOULD STOP USING TEXTS FOR TWO-FACTOR AUTHENTICATION
https://www.wired.com/2016/06/hey-stop- ... ntication/
If you torture the data long enough, it will confess to anything. ~Ronald Coase
siamond
Posts: 6003
Joined: Mon May 28, 2012 5:50 am

Re: Vanguard's new security key option

Post by siamond »

TravelGeek wrote: Tue Nov 07, 2017 6:41 pm
siamond wrote: Tue Nov 07, 2017 6:28 pm Also most 2FA systems do NOT ask you for a phone number, they send the message to a preconfigured number.
Are there 2FA systems that ask you where to send the code? (and if so, hopefully they don't just accept any random number...) :shock:
I've seen 2FA systems asking you for the full phone number, and THEN check that it is indeed a preconfigured number. I thought this was what you were alluding to with the attempt to 'obscure' the knowledge of the phone number. But I misunderstood, the issue is the hacking of the SMS system itself, as Vulcan's pointer explained. Ok, now I understand where you guys are coming from, thanks for the explanation.

Still, this Google Voice approach is much less convincing than I thought at the first glance. If your phone is compromised, you're toast, Google Voice or not. Maybe that is the key reason to get an iPhone X, if this face recognition system proves itself better than previous systems (I read multiple times that the fingerprint technique isn't terribly difficult to defeat). Time will tell.
Fintechnick
Posts: 34
Joined: Fri Mar 17, 2017 9:47 pm

Re: Vanguard's new security key option

Post by Fintechnick »

For SMS-based 2FA, the weakness is not your phone, but the carrier. Attackers can (and have) foiled SMS based 2FA by doing the following:
- Calling up the wireless carrier and pretending to be the account holder
- Claiming need to replace SIM / device
- Deactivating current (your) device
- Replacing with new (their) device
- Now the SMS goes to them not you

This weakness is well known. Here's a reference: http://www.securityweek.com/nist-denoun ... ternatives

Bottom line is that SMS-based 2FA is better than no 2FA. But, it's not strong enough. Google Auth or Yubikey-based 2FA is much better. Yubikey unfortunately is a desktop only approach, so I personally use Google Auth whenever it's an option. You don't actually have to use the Google Authenticator app, I use 1Password and it supports the Google Auth standard very well and conveniently.
Vulcan
Posts: 2975
Joined: Sat Apr 05, 2014 11:43 pm

Re: Vanguard's new security key option

Post by Vulcan »

siamond wrote: Tue Nov 07, 2017 9:39 pm
TravelGeek wrote: Tue Nov 07, 2017 6:41 pm
siamond wrote: Tue Nov 07, 2017 6:28 pm Also most 2FA systems do NOT ask you for a phone number, they send the message to a preconfigured number.
Are there 2FA systems that ask you where to send the code? (and if so, hopefully they don't just accept any random number...) :shock:
I've seen 2FA systems asking you for the full phone number, and THEN check that it is indeed a preconfigured number. I thought this was what you were alluding to with the attempt to 'obscure' the knowledge of the phone number. But I misunderstood, the issue is the hacking of the SMS system itself, as Vulcan's pointer explained. Ok, now I understand where you guys are coming from, thanks for the explanation.

Still, this Google Voice approach is much less convincing than I thought at the first glance. If your phone is compromised, you're toast, Google Voice or not.
How so? The problem with SMS is it can be relatively easy to steal your number by porting out. It is harder to do with google voice number.

Realistically though for most people 2FA with SMS is still way better than 1FA, and really is safe enough.
If you torture the data long enough, it will confess to anything. ~Ronald Coase
an_asker
Posts: 4903
Joined: Thu Jun 27, 2013 2:15 pm

Re: Vanguard's new security key option

Post by an_asker »

munemaker wrote: Mon Jan 02, 2017 5:52 pm
boater07 wrote: Vanguard confirmed husband/wife cannot even share passwords even with agent authorization in place.
There must be some mistake. We do it all the time.
Call them and let them know that you are actively doing so :oops:
abuss368
Posts: 27850
Joined: Mon Aug 03, 2009 2:33 pm
Location: Where the water is warm, the drinks are cold, and I don't know the names of the players!

Re: Vanguard's new security key option

Post by abuss368 »

This is interesting.
John C. Bogle: “Simplicity is the master key to financial success."
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: Vanguard's new security key option

Post by tadamsmar »

munemaker wrote: Mon Jan 02, 2017 5:52 pm
boater07 wrote: Vanguard confirmed husband/wife cannot even share passwords even with agent authorization in place.
There must be some mistake. We do it all the time.
Sharing passwords voids the reimbursement pledge, since one of your responsibilities is:
Never share your user name, password, or other account-related information with anyone.
https://personal.vanguard.com/us/help/S ... ontent.jsp

But perhaps sharing with your spouse would only void it if the sharing was a factor in the fraud. One can only hope.
TravelGeek
Posts: 4902
Joined: Sat Oct 25, 2014 3:23 pm

Re: Vanguard's new security key option

Post by TravelGeek »

I won't admit here to ever sharing my credentials with my spouse, but once I learned from this forum that you can grant access to certain features of your account to other users, this is what I did. Much easier to keep an eye on my wife's accounts by having them simply appear within mine than having to log in twice.
2015
Posts: 2906
Joined: Mon Feb 10, 2014 1:32 pm

Re: Vanguard's new security key option

Post by 2015 »

Fintechnick wrote: Tue Nov 07, 2017 9:52 pm For SMS-based 2FA, the weakness is not your phone, but the carrier. Attackers can (and have) foiled SMS based 2FA by doing the following:
- Calling up the wireless carrier and pretending to be the account holder
- Claiming need to replace SIM / device
- Deactivating current (your) device
- Replacing with new (their) device
- Now the SMS goes to them not you

This weakness is well known. Here's a reference: http://www.securityweek.com/nist-denoun ... ternatives

Bottom line is that SMS-based 2FA is better than no 2FA. But, it's not strong enough. Google Auth or Yubikey-based 2FA is much better. Yubikey unfortunately is a desktop only approach, so I personally use Google Auth whenever it's an option. You don't actually have to use the Google Authenticator app, I use 1Password and it supports the Google Auth standard very well and conveniently.
The above is commonly referred to as "social engineering". In order to foil such attempts, I changed all of my security question answers on all accounts to gibberish, enacted personal pins and identity codes, and locked down my dedicated financial accounts gmail (which financial accounts including phone carrier use for recovery) through use of a yubikey. The financial accounts gmail has no phone number attached, only password authenticator and printed out security codes as backup.
siamond
Posts: 6003
Joined: Mon May 28, 2012 5:50 am

Re: Vanguard's new security key option

Post by siamond »

TravelGeek wrote: Wed Nov 08, 2017 10:52 am I won't admit here to ever sharing my credentials with my spouse, but once I learned from this forum that you can grant access to certain features of your account to other users, this is what I did. Much easier to keep an eye on my wife's accounts by having them simply appear within mine than having to log in twice.
Ah cool. Didn't know that. Just enabled it. Very convenient. Doesn't work for a 403b, though.
Jeff Albertson
Posts: 904
Joined: Sat Apr 06, 2013 7:11 pm
Location: Springfield

Re: Vanguard's new security key option

Post by Jeff Albertson »

Fintechnick wrote: Tue Nov 07, 2017 9:52 pm Yubikey unfortunately is a desktop only approach, so I personally use Google Auth whenever it's an option.
Yubico does have a device for mobile devices, yubikey neo.
https://www.yubico.com/solutions/yubikey-for-mobile/
bmstrong
Posts: 276
Joined: Mon Sep 18, 2017 7:14 pm

Re: Vanguard's new security key option

Post by bmstrong »

Bookmarked.
Finridge
Posts: 1094
Joined: Mon May 16, 2011 7:27 pm

Re: Vanguard's new security key option

Post by Finridge »

Is using a Yubikey the only other alternative to having Vanguard send a code to your phone via SMS? Is it also possible to use Authy or Google Authenticator?
dmcmahon
Posts: 2855
Joined: Fri Mar 21, 2008 10:29 pm

Re: Vanguard's new security key option

Post by dmcmahon »

Brian 2016 wrote: Mon Oct 02, 2017 4:21 pm Thanks to the folks who posted this information about Vanguard's new security key, I went ahead and ordered the Yubico USB Security Key (FIDO U2F) and now have it working with my Vanguard accounts. Thanks again for the tip!!!

Brian
Update: I also bought one, and it works fine, even on Linux. It's a NEO, haven't yet tried it with my mobile devices.
yardarm
Posts: 29
Joined: Wed Sep 27, 2017 10:18 am

Re: Vanguard's new security key option

Post by yardarm »

The security key sounds like something that might be worth buying and using for security on the VG account. Along this same thread, I have recently read where it may be prudent to invest in a computer that would be used solely for investment and banking purposes. The article has convinced me that it certainly may be a wise decision if it is not too expensive. This computer would remain unused and off-line except for these particular purposes. The most cost efficient approach would seem to be a chrome OS (chromebook) solution. The only issue I have found so far is that it is difficult to print directly from the chromebook and it necessitates printing from the Google cloud which may pose a separate set of risks.

Has anyone taken the separate computer approach? Is the security key function in addition to the sms text? Thanks
LadyGeek
Site Admin
Posts: 95466
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: Vanguard's new security key option

Post by LadyGeek »

New member scoroi has a post which I've moved into the on-going discussion. See: Re: Vanguard - You'll need to sign up for security codes soon

This discussion has been superseded by Vanguard - You'll need to sign up for security codes soon.

(Thread locked to redirect the discussion.)
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.